VPN L2L tunnel up between ASA5505 and Sonicwall but no traffic

Unanswered Question
Jan 18th, 2014

We have an L2L VPN tunnel up between ASA5505 and Sonicwall but I cannot ping across the tunnel. ICMP is allowed on both sides.

I have access to ASA5505 (8.32-k8) but I don't have access to the Sonicwall. I have various other L2L tunnels up and running, so the basic config and crypto map are configured correctly.


Local has also been NATed to a public IP (100.100.100.1); some VPN tunnels access it using the public IP and some VPN tunnels access it using the private IP.


I am able to see that encaps and decaps are happening. The other party is seeing my packets and confirmed that packets are being sent back.

I have bounced the tunnel, cleared ARP and XLATE, and I even reloaded the ASA5505, but no help.


Here is the config in concern:



object-group network objLocalHost
network-object host 192.168.220.251


object-group network objRemoteHost
network-object host 10.0.70.3


access-list acl_map_56 extended permit ip object-group objLocalHost object-group objRemoteHost


nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional


object network objLocalHost
nat (inside,outside) static 100.100.100.1 dns


crypto map mymap 56 match address acl_map_56
crypto map mymap 56 set peer 200.200.200.200
crypto map mymap 56 set transform-set ESP-3DES-SHA


tunnel-group 200.200.200.200 type ipsec-l2l
tunnel-group 200.200.200.200 ipsec-attributes
pre-shared-key *****

ASA is sending ICMP requests but not seeing any reply


asa5505# debug icmp trace 255

debug icmp trace enabled at level 255

ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13328 len=32

ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13584 len=32

ICMP echo request from inside:192.168.220.251 to outside:10.0.70.3 ID=512 seq=13840 len=32

I do not see hitcnt increasing with a continuous ping on.


evlabfw# sh access-list acl_map_56
  access-list acl_map_56 line 1 extended permit ip host 192.168.220.251 host 10.0.70.3 (hitcnt=8)

ISAKMP detail shows that the tunnel is ACTIVE.


ASA5505# sh cry isakmp sa detail

IKE Peer: 200.200.200.200

Type    : L2L             Role    : initiator

Rekey   : no              State   : MM_ACTIVE

Encrypt : 3des            Hash    : SHA

Auth    : preshared       Lifetime: 86400

Lifetime Remaining: 71507


IPsec details show that packets are being encapsulated and decapsulated


asa5505# sh cry ipsec sa peer 200.200.200.200 detail
peer address: 200.200.200.200
    Crypto map tag: mymap, seq num: 56, local addr: 100.100.100.100

      access-list acl_PiedMont extended permit ip host 192.168.220.251 host 10.0.70.3
      local ident (addr/mask/prot/port): (192.168.220.251/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (10.0.70.3/255.255.255.255/0/0)
      current_peer: 200.200.200.200

      #pkts encaps: 2284, #pkts encrypt: 2284, #pkts digest: 2284
      #pkts decaps: 2284, #pkts decrypt: 2284, #pkts verify: 2284
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2284, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0
      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
      #pkts invalid prot (rcv): 0, #pkts verify failed: 0
      #pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
      #pkts invalid pad (rcv): 0,
      #pkts invalid ip version (rcv): 0,
      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
      #pkts replay failed (rcv): 0
      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 100.100.100.100/0, remote crypto endpt.: 200.200.200.200/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: DF580A74
      current inbound spi : 9E86360C

    inbound esp sas:
      spi: 0x9E86360C (2659595788)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8265728, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373865/16220)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xDF580A74 (3747089012)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 8265728, crypto-map: mymap
         sa timing: remaining key lifetime (kB/sec): (4373865/16220)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

S Kumar Sat, 01/18/2014 - 16:38

I see the following errors:


Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0xed2afa71)!

Jan 18 2014 07:45:54: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!

Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, QM FSM error (P2 struct &0xca8042d0, mess id 0x9e4dc491)!

Jan 18 2014 07:46:29: %ASA-3-713902: Group = 200.200.200.200, IP = 200.200.200.200, Removing peer from correlator table failed, no match!




I also see on the syslog server:

Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp src outside:10.0.70.3 dst inside:192.168.220.251 (type 0, code 0) denied due to NAT reverse path failure

S Kumar Sat, 01/18/2014 - 17:21

After doing some research I tried removing the keyword "unidirectional" and it worked.

The following command fixed the problem, in case someone else is wondering:


no nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost unidirectional

nat (inside,any) source static objLocalHost objLocalHost destination static objRemoteHost objRemoteHost
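The failure described in the two replies above (the syslog "Asymmetric NAT rules matched for forward and reverse flows ... denied due to NAT reverse path failure" and the fix of dropping `unidirectional`) can be reproduced with a small model of the ASA NAT lookup. This is an added example, not code from the thread or from Cisco. It assumes host-only objects with the thread's addresses, a first-match table in which section 1 manual (twice) NAT is searched before section 2 object NAT, and it simplifies the ASA's reverse path check to "the reply must resolve to the same rule that built the forward translation". The rule names `nat-exempt-56` and `objLocalHost-static` are labels chosen for this example.

```python
"""
Simplified model of the ASA 8.3+ NAT lookup for the forward and reverse flows of
one connection (added example; not Cisco code).  Section 1 manual (twice) NAT is
searched before section 2 object NAT, first match wins, and all objects are
single hosts, as in the thread's config.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = "any"
LOCAL_HOST = "192.168.220.251"   # objLocalHost
LOCAL_PUBLIC = "100.100.100.1"   # the public IP objLocalHost is statically NATed to
REMOTE_HOST = "10.0.70.3"        # objRemoteHost


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrives on
    src: str
    dst: str


@dataclass(frozen=True)
class TwiceNat:
    """nat (real_if,mapped_if) source static RS MS destination static RD MD [unidirectional]"""
    name: str
    real_if: str
    mapped_if: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str
    unidirectional: bool = False

    def lookup(self, pkt: Packet) -> Optional[Packet]:
        # Forward direction: arrives on real_if, real source talking to the mapped destination.
        if self.real_if in (ANY, pkt.ingress) and pkt.src == self.real_src and pkt.dst == self.mapped_dst:
            return Packet(pkt.ingress, self.mapped_src, self.real_dst)
        if self.unidirectional:
            return None  # the rule is never consulted for traffic coming from the mapped side
        # Reverse direction: arrives on mapped_if, the real destination replying to the mapped source.
        if self.mapped_if in (ANY, pkt.ingress) and pkt.src == self.real_dst and pkt.dst == self.mapped_src:
            return Packet(pkt.ingress, self.mapped_dst, self.real_src)
        return None


@dataclass(frozen=True)
class ObjectNat:
    """object network X / nat (real_if,mapped_if) static MAPPED; always bidirectional"""
    name: str
    real_if: str
    mapped_if: str
    real: str
    mapped: str

    def lookup(self, pkt: Packet) -> Optional[Packet]:
        if self.real_if in (ANY, pkt.ingress) and pkt.src == self.real:
            return Packet(pkt.ingress, self.mapped, pkt.dst)
        if self.mapped_if in (ANY, pkt.ingress) and pkt.dst == self.mapped:
            return Packet(pkt.ingress, pkt.src, self.real)
        return None


def build_rules(unidirectional: bool, exemption: bool = True) -> list:
    """The thread's NAT table; rule names are labels chosen for this example."""
    rules = []
    if exemption:
        rules.append(TwiceNat("nat-exempt-56", "inside", ANY, LOCAL_HOST, LOCAL_HOST,
                              REMOTE_HOST, REMOTE_HOST, unidirectional=unidirectional))
    rules.append(ObjectNat("objLocalHost-static", "inside", "outside", LOCAL_HOST, LOCAL_PUBLIC))
    return rules


def nat_lookup(rules, pkt: Packet) -> Tuple[Optional[str], Packet]:
    """First match wins; no match means the packet is forwarded untranslated."""
    for rule in rules:
        out = rule.lookup(pkt)
        if out is not None:
            return rule.name, out
    return None, pkt


def matches_crypto_acl(pkt: Packet) -> bool:
    """acl_map_56: permit ip host 192.168.220.251 host 10.0.70.3, checked on the post-NAT packet."""
    return pkt.src == LOCAL_HOST and pkt.dst == REMOTE_HOST


def evaluate_ping(rules) -> dict:
    """Trace the local host's echo request and the peer's echo reply through the NAT table."""
    fwd = Packet("inside", LOCAL_HOST, REMOTE_HOST)
    fwd_rule, fwd_x = nat_lookup(rules, fwd)
    # The reply arrives decapsulated on 'outside' with the translated addresses swapped.
    rev = Packet("outside", fwd_x.dst, fwd_x.src)
    rev_rule, _ = nat_lookup(rules, rev)
    # Reverse path check (simplified): the reply must resolve to the rule that built the forward xlate.
    symmetric = fwd_rule == rev_rule
    verdict = "ok" if symmetric else (
        "Asymmetric NAT rules matched for forward and reverse flows; Connection for icmp "
        f"src outside:{rev.src} dst inside:{rev.dst} denied due to NAT reverse path failure")
    return {"forward_rule": fwd_rule, "reverse_rule": rev_rule, "encrypted": matches_crypto_acl(fwd_x),
            "reply_allowed": symmetric, "verdict": verdict}


if __name__ == "__main__":
    for label, rules in [("unidirectional exemption (as posted)", build_rules(True)),
                         ("bidirectional exemption (the fix)", build_rules(False)),
                         ("no exemption, public static only", build_rules(False, exemption=False))]:
        print(label, evaluate_ping(rules), sep="\n  ")
```

Running it traces three tables. With `unidirectional` the echo request is exempted and encrypted, but the echo reply arriving on outside matches no rule at all (the exemption refuses the reverse direction and the object NAT only matches the public address), so the reply resolves to a different rule than the request and is dropped with the thread's syslog text. Without `unidirectional` both directions resolve to the exemption and the reply is accepted. The third table, with the exemption removed entirely, is symmetric but the request leaves with the public source address and no longer matches acl_map_56, which is why an exemption is needed for tunnels keyed on the private address.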
