01-18-2014 04:06 PM
We have a L2L VPN tunnel up between an ASA5505 and a Sonicwall, but I cannot ping across the tunnel. ICMP is allowed on both sides.
I have access to the ASA5505 (8.32-k8) but I don't have access to the Sonicwall. I have various other L2L tunnels up and running, so the basic config and crypto map are configured correctly.
Local has also been NATted to a public IP (100.100.100.1); some VPN tunnels access it using the public IP and some VPN tunnels access it using the private IP.
I am able to see that encaps and decaps are happening. The other party is seeing my packets and confirmed that packets are being sent back.
I have bounced the tunnel, cleared ARP and XLATE, and I even reloaded the ASA5505, but no help.
Here is the config in question:
object-group network objLocalHost
network-object host 192.168.220.251
object-group network objRemoteHost
network-object host 10.0.70.3
access-list acl_map_56 extended permit ip object-group objLocalHost object-group objRemoteHost
nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional
object network objLocalHost
nat (inside,outside) static 100.100.100.1 dns
crypto map mymap 56 match address acl_map_56
crypto map mymap 56 set peer 200.200.200.200
crypto map mymap 56 set transform-set ESP-3DES-SHA
tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key *****
The ASA is sending ICMP requests but I am not seeing any reply:
asa5505# debug icmp trace 255
debug icmp trace enabled at level 255
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13328 len=32
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13584 len=32
ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13840 len=32
I do not see hitcnt increasing with a continuous ping running.
evlabfw# sh access-list acl_map_56
access-list acl_map_56 line 1 extended permit ip host 192.168.220.251 host 10.0.70.3 (hitcnt=8)
isakmp detail shows that the tunnel is ACTIVE.
ASA5505# sh cry isakmp sa detail
IKE Peer: 200.200.200.200
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
Encrypt : 3des Hash : SHA
Auth : preshared Lifetime: 86400
Lifetime Remaining: 71507
IPsec details show that packets are being encapsulated and decapsulated:
asa5505# sh cry ipsec sa peer 200.200.200.200 detail
peer address: 200.200.200.200
Crypto map tag: mymap, seq num: 56, local addr: 100.100.100.100
access-list acl_PiedMont extended permit ip host 192.168.220.251 host 10.0.70.3
local ident (addr/mask/prot/port): (192.168.220.251/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.70.3/255.255.255.255/0/0)
current_peer: 200.200.200.200
#pkts encaps: 2284, #pkts encrypt: 2284, #pkts digest: 2284
#pkts decaps: 2284, #pkts decrypt: 2284, #pkts verify: 2284
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2284, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (rcv): 0,
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: DF580A74
current inbound spi : 9E86360C
inbound esp sas:
spi: 0x9E86360C (2659595788)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8265728, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373865/16220)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xDF580A74 (3747089012)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 8265728, crypto-map: mymap
sa timing: remaining key lifetime (kB/sec): (4373865/16220)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
01-18-2014 04:38 PM
I see the following errors:
Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0xed2afa71)!
Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!
Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0x9e4dc491)!
Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!
I also see this on the syslog server:
Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.0.70.3 dst inside:192.168.220.251 (type 0, code 0) denied due to NAT reverse path failure
01-18-2014 05:21 PM
After doing some research I tried removing the keyword "unidirectional" and it worked.
The following command fixed the problem, in case someone else is wondering:
no nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional
nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost
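The syslog line "Asymmetric NAT rules matched for forward and reverse flows" is the key to why removing `unidirectional` fixed it. The following toy model is an added illustration, not the original poster's config or Cisco's NAT engine: it models the two rules from the config above (the twice-NAT identity rule and the object NAT static to 100.100.100.1) and assumes that a unidirectional rule is skipped for connections initiated from its destination side, which is what an echo reply (type 0) becomes when ICMP is not inspected. The rule names and the `check_reply` helper are hypothetical.

```python
# Toy model of the ASA "asymmetric NAT" reverse-path check from this thread.
# Added illustration, NOT Cisco's NAT engine. Assumption: a 'unidirectional'
# twice-NAT rule is skipped for connections initiated from its destination
# side, so the reverse lookup falls through to the object NAT static rule.
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCAL, REMOTE, PUBLIC = "192.168.220.251", "10.0.70.3", "100.100.100.1"


@dataclass(frozen=True)
class Rule:
    name: str
    real_src: str            # inside host the rule applies to
    real_dst: Optional[str]  # destination the rule is limited to, None = any
    mapped_src: str          # address the inside host shows on the outside
    unidirectional: bool = False


def translate_src(rules: List[Rule], src: str, dst: str, from_outside: bool) -> Tuple[str, str]:
    """Inside->outside lookup; first matching rule wins (section order)."""
    for r in rules:
        if r.unidirectional and from_outside:
            continue  # keyword forbids the destination side from initiating
        if r.real_src == src and r.real_dst in (None, dst):
            return r.name, r.mapped_src
    return "none", src


def untranslate_dst(rules: List[Rule], dst: str, from_outside: bool) -> Tuple[str, str]:
    for r in rules:  # outside->inside lookup: mapped destination back to real host
        if r.unidirectional and from_outside:
            continue
        if r.mapped_src == dst:
            return r.name, r.real_src
    return "none", dst


def check_reply(rules: List[Rule], remote: str, local: str) -> Tuple[bool, str]:
    """Packet outside:remote -> inside:local opening a new connection.
    The rule chosen for the forward flow and for the reverse flow must agree."""
    fwd_rule, real = untranslate_dst(rules, local, from_outside=True)
    rev_rule, mapped = translate_src(rules, real, remote, from_outside=True)
    if mapped != local:
        return False, f"asymmetric: forward={fwd_rule}, reverse={rev_rule}"
    return True, f"symmetric: forward={fwd_rule}, reverse={rev_rule}"


def poster_rules(unidirectional: bool) -> List[Rule]:
    """Section 1 manual NAT first, then section 2 object NAT, as on the ASA."""
    return [Rule("twice-NAT identity", LOCAL, REMOTE, LOCAL, unidirectional),
            Rule("object NAT static", LOCAL, None, PUBLIC)]
```

With `unidirectional`, the reverse lookup for the echo reply hits the object NAT rule and would map the host to 100.100.100.1, so the two flows disagree and the ASA drops the reply; without it, both flows match the identity rule.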