ASA-2621 S2S vpn

Answered Question
Jun 7th, 2010

Hello,


I have had a big issue for the last two days figuring out a site-to-site VPN between an ASA 5520 and a 2621 router. On my end there is a firewall and on the customer end there is a router. The phase-1 and phase-2 negotiations succeed, and I have also seen packets coming from the remote side. But from my side I did not see packets flowing. I checked the host and it responds to ICMP, and there is no router or firewall in between where it could be rerouted, nor any other ACL. The interesting thing is that if I do a packet trace it doesn't show any failure. I am attaching the log report, some screenshots I took with packet tracer, and other command output (the configuration on the firewall and on the router).


Thanks in advance for the help.



/var/log/firewall # tail -f firewall.log | grep X.X.X.X

Jun  7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=ef02801e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun  7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jun  7 21:28:34 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Jun  7 21:28:34 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9e)
Jun  7 21:28:34 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9e)
Jun  7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Jun  7 21:28:34 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Jun  7 21:28:34 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=3c17cf80) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun  7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=50c9b74e) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun  7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing hash payload
Jun  7 21:28:47 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = X.X.X.X, processing notify payload
Jun  7 21:28:47 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = X.X.X.X, Received keep-alive of type DPD R-U-THERE (seq number 0x55622a9f)
Jun  7 21:28:47 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = X.X.X.X, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622a9f)
Jun  7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing blank hash payload
Jun  7 21:28:47 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = X.X.X.X, constructing qm hash payload
Jun  7 21:28:47 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=1caec174) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun  7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE RECEIVED Message (msgid=45868afa) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
Jun  7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing hash payload
Jun  7 21:29:00 172.25.215.1 %ASA-7-715047: Group = X.X.X.X, IP = 85.18.56.130, processing notify payload
Jun  7 21:29:00 172.25.215.1 %ASA-7-715075: Group = X.X.X.X, IP = 85.18.56.130, Received keep-alive of type DPD R-U-THERE (seq number 0x55622aa0)
Jun  7 21:29:00 172.25.215.1 %ASA-7-715036: Group = X.X.X.X, IP = 85.18.56.130, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x55622aa0)
Jun  7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing blank hash payload
Jun  7 21:29:00 172.25.215.1 %ASA-7-715046: Group = X.X.X.X, IP = 85.18.56.130, constructing qm hash payload
Jun  7 21:29:00 172.25.215.1 %ASA-7-713236: IP = X.X.X.X, IKE_DECODE SENDING Message (msgid=46b88111) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Correct Answer
slmansfield Tue, 06/08/2010 - 09:04

Looks like the problem is on the ASA. From your other post, I see that you are using WAN_2_cryptomap_2 as your interesting traffic ACL, but it does not exist on the ASA. The interesting traffic ACLs should be mirror images of each other.


The router is sending traffic to the ASA, but there is no return traffic from the ASA to the router. You might check to see if the devices on the 172.25.100.0/24 network have a route through the ASA back to the 10.50.90.0/24 network.


HTH

saimunpial Tue, 06/08/2010 - 13:05

Hello slmansfield,

You will see the crypto map ACL is associated with the WAN crypto map. I found that when I ping, the packet is not encrypted on my firewall. There is no issue with the routing as far as I have seen, because from the same local VLAN there are other VPNs and those work perfectly. I found one thing in packet tracer regarding the NAT exempt: when I packet-trace from my local LAN to the remote LAN where the VPN problem exists, it won't do the IPsec tunnel flow, whereas for the other VPNs which are working it does.


I have one question: does IOS 8.2(1) have some bug for VPN connections with different devices? Because last week we had a VPN which is now not working anymore. But at that time the VPN needed to be initiated from my side; otherwise the remote network could not reach the local network. The remote network added a DNS IP to resolve the name and the VPN tunnel went down. After they removed that line the VPN came up, but no traffic flows from my local network anymore.

slmansfield Tue, 06/08/2010 - 19:37

On the firewall it looks like you have an inbound access list on the VLAN 100 interface. Since there is an implicit deny all at the end of this ACL, and I don't see any rules allowing traffic from 172.25.100.0/24 to 10.50.90.0/24, this statement could be blocking the VPN traffic.


I did find a bug in IOS version 12.2. I did not see any bugs specific to this problem on the ASA.

CSCdu34352
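As an added example (not part of this thread and not Cisco tooling), the following Python script checks the two points slmansfield raises in both of his replies: that the ASA crypto ACL and the router's crypto ACL are mirror images once IOS wildcard masks are normalised to the subnet masks the ASA uses, and that an inbound interface ACL, with its implicit deny at the end, actually permits the VPN traffic. The ACL name WAN_2_cryptomap_2 and the two subnets 172.25.100.0/24 and 10.50.90.0/24 come from the thread; the IOS ACL number 101, the interface ACL name VLAN100_in and all sample ACL lines are constructed for this example.

```python
import ipaddress
from typing import List, Tuple

# One access-control entry: (action, protocol, source net, destination net)
Ace = Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def _prefix_from_mask(mask_int: int) -> int:
    """Prefix length of a contiguous netmask. Raises on a non-contiguous mask,
    which is what you get when a subnet mask is typed where IOS expects a
    wildcard (a classic reason two crypto ACLs fail to mirror)."""
    prefix = bin(mask_int).count("1")
    if mask_int != ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF):
        raise ValueError(f"non-contiguous mask {ipaddress.IPv4Address(mask_int)}")
    return prefix


def _net(tokens: List[str], wildcard: bool) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec ('any', 'host A', or 'A MASK') from tokens.
    Returns the network and the number of tokens used."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    mask_int = int(ipaddress.IPv4Address(tokens[1]))
    if wildcard:  # IOS wildcard: set bits are "don't care", so invert to a netmask
        mask_int = ~mask_int & 0xFFFFFFFF
    prefix = _prefix_from_mask(mask_int)
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), 2


def parse_acl(text: str, wildcard: bool = False) -> List[Ace]:
    """Parse 'access-list ...' lines. wildcard=False for ASA syntax (subnet
    masks), wildcard=True for IOS numbered ACLs (wildcard masks)."""
    aces: List[Ace] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        i = 3 if tok[2] == "extended" else 2  # ASA 'extended' keyword vs IOS
        action, proto, rest = tok[i], tok[i + 1], tok[i + 2:]
        src, used = _net(rest, wildcard)
        dst, _ = _net(rest[used:], wildcard)
        aces.append((action, proto, src, dst))
    return aces


def unmirrored(local: List[Ace], remote: List[Ace]) -> List[Ace]:
    """Permit entries of `local` that `remote` does not mirror (same protocol,
    source and destination swapped). An empty list means the crypto ACLs
    are mirror images, as slmansfield requires."""
    remote_flows = {(p, s, d) for a, p, s, d in remote if a == "permit"}
    return [ace for ace in local
            if ace[0] == "permit" and (ace[1], ace[3], ace[2]) not in remote_flows]


def interface_acl_verdict(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """Evaluate an interface ACL the way the ASA does: first matching entry
    wins, and traffic that matches nothing hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in acl:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action
    return "implicit-deny"


# Constructed sample ACLs (not taken from the thread's attachments).
ASA_CRYPTO = "access-list WAN_2_cryptomap_2 extended permit ip 172.25.100.0 255.255.255.0 10.50.90.0 255.255.255.0\n"
IOS_CRYPTO_OK = "access-list 101 permit ip 10.50.90.0 0.0.0.255 172.25.100.0 0.0.0.255\n"
IOS_CRYPTO_BAD = "access-list 101 permit ip 10.50.90.0 0.0.0.255 172.25.100.0 0.0.0.127\n"  # /25, not /24
VLAN100_IN = """
access-list VLAN100_in remark inbound ACL on the VLAN 100 interface (assumed name)
access-list VLAN100_in extended permit ip 172.25.100.0 255.255.255.0 172.25.0.0 255.255.0.0
"""
# Same ACL with the missing permit for the VPN traffic added.
VLAN100_IN_FIXED = VLAN100_IN + (
    "access-list VLAN100_in extended permit ip 172.25.100.0 255.255.255.0 10.50.90.0 255.255.255.0\n"
)


def run_checks() -> dict:
    """Run the mirror check and the interface ACL check on the samples."""
    asa = parse_acl(ASA_CRYPTO)
    host, remote_host = "172.25.100.10", "10.50.90.5"
    return {
        "mirror_ok": unmirrored(asa, parse_acl(IOS_CRYPTO_OK, wildcard=True)) == [],
        "mirror_bad": unmirrored(asa, parse_acl(IOS_CRYPTO_BAD, wildcard=True)) == [],
        "vlan100_before": interface_acl_verdict(parse_acl(VLAN100_IN), "icmp", host, remote_host),
        "vlan100_after": interface_acl_verdict(parse_acl(VLAN100_IN_FIXED), "icmp", host, remote_host),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

The wildcard-to-netmask inversion is the step most often skipped when comparing an ASA ACL with a router ACL by eye; the contiguity check in `_prefix_from_mask` deliberately rejects a subnet mask pasted into an IOS ACL instead of silently accepting it.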
