asa&gre

Unanswered Question
Jul 29th, 2010

Hi.

I have problems with an ASA 5510 and GRE.

I can't make a gre tunnel from the inside network to a host on the internet. I only get to the part where I have to enter the username and password and there it breaks. I get a teardown gre connection in the logs exactly after 30 sec.

The inside network and outside network both have real ip addresses so I have no NAT configured and no need for NAT.

I tried fixup protocol pptp 1723 and inspect pptp.

The ACLs allow both gre and tcp 1723 both on the outside and on the inside (I also tried with allow ip any any to be sure it's not ACL related).

Any ideas?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Nagaraja Thanthry Thu, 07/29/2010 - 07:25

Hello,

Can you please post the output of "show service-policy" and "show asp drop"

commands? Please follow below steps before collecting the output:

-- Clear the counters i.e. clear service-policy & clear asp drop

-- Initiate a GRE tunnel session

-- Once it fails, issue "show service-policy" and "show asp drop"

Regards,

NT

sergiu.campian Thu, 07/29/2010 - 07:32

Hello

Thanks for the reply. Here is the output:

Result of the command: "show service-policy"

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 743, drop 0, reset-drop 0
      Inspect: ftp, packet 0, drop 0, reset-drop 0
      Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
      Inspect: rsh, packet 0, drop 0, reset-drop 0
      Inspect: rtsp, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
      Inspect: sqlnet, packet 0, drop 0, reset-drop 0
      Inspect: skinny , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: sunrpc, packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: xdmcp, packet 0, drop 0, reset-drop 0
      Inspect: sip , packet 0, drop 0, reset-drop 0
               tcp-proxy: bytes in buffer 0, bytes dropped 0
      Inspect: netbios, packet 3, drop 0, reset-drop 0
      Inspect: tftp, packet 0, drop 0, reset-drop 0
      Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
      Inspect: pptp, packet 14, drop 0, reset-drop 0

Interface inside10:
  Service-policy: inside10-policy
    Class-map: inside10-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0

Interface outside:
  Service-policy: pptp_policy
    Class-map: pptp-port
      Inspect: pptp, packet 0, drop 0, reset-drop 0
    Class-map: outside-class
      IPS: card status Up, mode inline fail-open, sensor vs0
        packet input 0, packet output 0, drop 0, reset-drop 0


Result of the command: "show asp drop"

Frame drop:
  First TCP packet not SYN (tcp-not-syn)                                     145
  TCP failed 3 way handshake (tcp-3whs-failed)                                21
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   21
  Dropped pending packets in a closed socket (np-socket-closed)                2

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Flow drop:

Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15

Nagaraja Thanthry Thu, 07/29/2010 - 07:43

Hello,

I see that you have an IPS module installed on the firewall. Can you bypass

the IPS module for the PPTP traffic and see if that helps?

Regards,

NT

Jitendriya Athavale Thu, 07/29/2010 - 09:02

can you collect some captures on the inside and outside of ASA, so that we can see where it is failing


also have you tried bypassing the firewall does it work fine (just to confirm that the configuration is fine)

any way the captures on ASA's inside and outside will tell us who and hopefully why the device is dropping the packet

Actions

This Discussion