VPN Issues

Unanswered Question
Mar 22nd, 2012

Hello,

  • I have set up a VPN through my ASA for my branch routers. The branch routers are on ADSL links; they initiate the connection and are able to connect to HO. On my ASA I have created a dynamic-map which accepts connections dynamically. The problem is I can't initiate a connection from the ASA to a branch router, and also when the branch routers are connected to HO and the tunnel is up, I am not able to telnet or ping the remote branch routers.
  • I also face this issue with site-to-site VPN.

Below is packet tracer for ping:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-192.168.0.0 obj-192.168.0.0 destination static ABC-subnet ABC-subnet no-proxy-arp route-lookup
Additional Information:
Static translate 192.168.100.1/0 to 192.168.100.1/0

Phase: 6
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

I don't understand why the result is a drop due to an ACL. I have kept it open from HO to Branch on specific subnets, and this packet tracer is from the subnet which is permitted everything to the remote branch.

Thanks

Jouni Forss Fri, 03/23/2012 - 00:37

Hi,

I guess the routers are acting as remote VPN Clients in this setup?

To my understanding only the routers can initiate the VPN connection, but as you said you are facing other problems too.

I've personally configured some EzVPN clients on 800- and 1800-series routers and some 5505 ASAs as hardware VPN clients, but I haven't had problems with the traffic after the initial setup.

What does the "show crypto ipsec sa" command show on the ASA when the VPN connection is up?

Does the VPN configuration have any kind of "split-tunneling" configured that might cause the problems with the connections?

It would be helpful in these kinds of cases if you could attach the configurations from each end. For me at least this is just guessing at the moment.

- Jouni

samueljack Fri, 03/23/2012 - 01:07

Hello,

  • Can we initiate a connection from HO to branch if the HO ASA is configured for dynamic connection?
  • Can you tell me what packet tracer phase 6 is saying? I guess it is encrypting traffic, but why is it dropping the packet?

Tx

prashantrecon Fri, 03/23/2012 - 01:23

Hi Jouniforss,

I am facing the same problem.

When I execute "show crypto isakmp sa", Phase 1 is up.

But when I execute "show crypto ipsec sa", it does not show anything.

The far end is an 1800 router and ours is a firewall.

As checked, the access-list and transform-set on both sides are matching.

Jouni Forss Fri, 03/23/2012 - 02:16

Hi,

Jack,

From what I understand you can only establish the VPN connection from the ASA's side when it's a L2L VPN. With EzVPN and hardware VPN clients, the client device is usually configured to automatically connect to the central VPN device when it has an internet connection. There is also an option to manually give the username/password during connection on the CLI (at least with routers).

About the VPN phase:

I've only configured L2L VPN recently, and in those cases the error message has usually been related to the fact that the VPN connection isn't establishing for the connection you are testing. That usually means the VPN settings don't match. Then again, you are using the routers as VPN clients, so I'd guess the error is related to the fact that the ASA can't initiate the connection to the client. The client has to initiate the VPN connection first to give access to the remote networks.

Sorry, this is mostly me guessing. I don't really have a solid understanding of these types of VPN.

samueljack Thu, 03/29/2012 - 15:16

Dears,

When my branch routers' interesting traffic initiates a connection to HO, then only the interesting-traffic subnets from HO are able to initiate a connection.

For example:

Interesting traffic in HO: 192.168.1.0 & 192.168.2.0

Interesting traffic in Branch: 172.16.10.0, 172.16.11.0

Suppose a PC in 172.16.10.0 initiates a connection to 192.168.1.0; then only any other PC in 192.168.1.0 can initiate a connection to the branch in 172.16.10.0.

If a PC in 192.168.1.0 wants to initiate a connection to another subnet of the branch, suppose 172.16.11.0, the PC gets a request timeout, BUT if any PC in 172.16.11.0 initiates a connection to 192.168.1.0, then PCs from subnet 192.168.1.0 are also able to reach 172.16.11.0.

Is this normal behaviour for an IPsec VPN that is static on one side and dynamic on the other?
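The behaviour described in the thread follows from two facts: each IPsec SA is negotiated for one proxy-ID pair (one local subnet paired with one remote subnet), and a dynamic crypto map has no peer address and so cannot start IKE. The model below is an added example, not code from the thread or from Cisco; it replays the subnets from the post above (other hosts and the class names are constructed) and shows which HO-originated flows are encrypted and which are dropped before and after each branch subnet brings up its SA.

```python
from ipaddress import ip_address, ip_network

# Constructed model (not Cisco code): one IPsec SA per proxy-ID pair, i.e. per
# (local subnet, remote subnet) line of the crypto ACL. A static crypto map knows
# its peer and may initiate IKE; a dynamic crypto map has no peer, so traffic that
# matches no existing SA is dropped, like the "VPN / encrypt / DROP" phase above.
class CryptoMapEndpoint:
    def __init__(self, name, local_subnets, remote_subnets, can_initiate):
        self.name = name
        self.local = [ip_network(s) for s in local_subnets]
        self.remote = [ip_network(s) for s in remote_subnets]
        self.can_initiate = can_initiate  # False models a dynamic crypto map
        self.sas = set()                  # established (local, remote) pairs
        self.peer = None

    def match_crypto_acl(self, src, dst):
        """Return the (local, remote) proxy pair this flow matches, or None."""
        s, d = ip_address(src), ip_address(dst)
        for loc in self.local:
            for rem in self.remote:
                if s in loc and d in rem:
                    return (loc, rem)
        return None

    def send(self, src, dst):
        """Decide what happens to a packet leaving this endpoint."""
        pair = self.match_crypto_acl(src, dst)
        if pair is None:
            return "CLEAR"        # not interesting traffic, routed unencrypted
        if pair in self.sas:
            return "ENCRYPT"      # an SA for exactly this pair already exists
        if not self.can_initiate:
            return "DROP"         # dynamic map: cannot start IKE, so drop
        self.sas.add(pair)        # static map: negotiate the SA for this pair
        self.peer.sas.add((pair[1], pair[0]))  # peer installs the mirrored SA
        return "ENCRYPT"

def thread_scenario():
    """Replay the post: HO ASA has the dynamic map, the branch router initiates."""
    ho_nets = ["192.168.1.0/24", "192.168.2.0/24"]
    br_nets = ["172.16.10.0/24", "172.16.11.0/24"]
    ho = CryptoMapEndpoint("HO-ASA", ho_nets, br_nets, can_initiate=False)
    branch = CryptoMapEndpoint("Branch-1800", br_nets, ho_nets, can_initiate=True)
    ho.peer, branch.peer = branch, ho
    return [
        ho.send("192.168.1.10", "172.16.10.10"),      # DROP: no SA yet
        branch.send("172.16.10.10", "192.168.1.10"),  # ENCRYPT: branch builds the SA
        ho.send("192.168.1.20", "172.16.10.30"),      # ENCRYPT: same pair, any host
        ho.send("192.168.2.10", "172.16.10.30"),      # DROP: 192.168.2.0 pair not up
        ho.send("192.168.1.10", "172.16.11.10"),      # DROP: 172.16.11.0 pair not up
        branch.send("172.16.11.10", "192.168.1.10"),  # ENCRYPT: second pair comes up
        ho.send("192.168.1.10", "172.16.11.10"),      # ENCRYPT: now reachable from HO
    ]
```

The pattern the model reproduces is the one to look for in "show crypto ipsec sa" on the ASA: only the proxy-ID pairs the branch has already negotiated appear there, and HO hosts outside those pairs time out until the branch side sends traffic first.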

Posted March 22, 2012 at 2:55 PM