ASA to ASA : traffic only flows in direction of tunnel initiation

Unanswered Question
Jan 22nd, 2014

Hi,

I am trying to set up a site-to-site tunnel in our test lab.



192.168.30.0/24 ---> ASA5505 <-------------------------tunnel------------------->ASA5525<-------------10.0.0.0/8


I have the tunnel working and it initiates from either direction, but with an issue. The problem I have is that traffic will only establish and flow in the direction in which the tunnel was initiated.


e.g.

  1. If our ASA5505 initiates the IPSec tunnel, then connections from 192.168.30.20 to 10.0.10.10 work fine but connections from 10.0.10.10 to 192.168.30.20 do not work.
  2. If our ASA5525 initiates the IPSec tunnel, then connections from 10.0.10.10 to 192.168.30.20 work fine but connections from 192.168.30.20 to 10.0.10.10 do not work.


ASA5525 Config.


ASA Version 8.6(1)

!

hostname vpn-asa5525

domain-name mgmt.CENTRAL

enable password ######### encrypted

passwd ######### encrypted

names

!

interface GigabitEthernet0/0

nameif External

security-level 0

ip address 172.16.2.10 255.255.255.0

!

interface GigabitEthernet0/1

description Internal Interface

nameif Internal

security-level 1

ip address 10.0.10.1 255.255.254.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/6

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/7

description LAN/STATE Failover Interface

!

interface Management0/0

nameif management

security-level 100

ip address X.Y.165.12 255.255.255.0 standby X.Y.165.24

management-only

!

boot system disk0:/asa861-smp-k8.bin

ftp mode passive

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

dns server-group DefaultDNS

domain-name mgmt.CENTRAL

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network ALL_CENTRAL

subnet 10.0.0.0 255.0.0.0

object network BO-1

subnet 192.168.10.0 255.255.255.0

object network BO-3

subnet 192.168.30.0 255.255.255.0

object network BO-2

subnet 192.168.20.0 255.255.255.0

access-list External_cryptomap_1 extended permit ip object ALL_CENTRAL object BO-3

access-list global_access extended permit icmp any any

access-list global_access extended deny ip any any

access-list External_routemap_1 extended permit ip object ALL_CENTRAL object BO-3

no pager

logging enable

logging timestamp

logging standby

logging emblem

logging console informational

logging monitor debugging

logging trap informational

logging asdm informational

mtu External 1500

mtu Internal 1500

mtu management 1500

failover

failover lan unit primary

failover lan interface Interlink GigabitEthernet0/7

failover key *****

failover link Interlink GigabitEthernet0/7

failover interface ip Interlink 172.16.16.1 255.255.255.0 standby 172.16.16.2

icmp unreachable rate-limit 1 burst-size 1

icmp permit any External

icmp permit X.Y.188.0 255.255.255.0 management

icmp permit X.Y.190.0 255.255.255.0 management

asdm image disk0:/asdm-661.bin

asdm history enable

arp timeout 14400

!

route-map TEST_RMAP permit 1

match ip address External_routemap_1

!

route External 0.0.0.0 0.0.0.0 172.16.2.254 1

route Internal 10.0.0.0 255.0.0.0 10.0.11.254 1

route management X.Y.0.0 255.255.0.0 X.Y.165.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http X.Y.0.0 255.255.0.0 management

sysopt connection tcpmss 0

crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal secure

protocol esp encryption aes 3des des

protocol esp integrity sha-1

crypto map outside_map 1 match address External_cryptomap_1

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 172.16.1.10

crypto map outside_map 1 set ikev1 transform-set CENTRAL-crypto-map

crypto map outside_map 1 set ikev2 ipsec-proposal secure

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 1 set reverse-route

crypto map outside_map interface External

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable External

crypto ikev1 enable External

crypto ikev1 policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh X.Y.0.0 255.255.0.0 management

ssh timeout 5

console timeout 0

no threat-detection basic-threat

threat-detection statistics port

threat-detection statistics protocol

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ssl encryption 3des-sha1

webvpn

group-policy GroupPolicy_172.16.1.10 internal

group-policy GroupPolicy_172.16.1.10 attributes

vpn-tunnel-protocol ikev1 ikev2

username sysop password ####### encrypted privilege 15

tunnel-group 172.16.1.10 type ipsec-l2l

tunnel-group 172.16.1.10 general-attributes

default-group-policy GroupPolicy_172.16.1.10

tunnel-group 172.16.1.10 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

no prompt

no call-home reporting anonymous

hpm topN enable

Cryptochecksum:1f647260b1a9e26953c8fdd015ee0c4f

: end



ASA5505 Config


ASA Version 8.6(1)

!

hostname vpn1-5505

domain-name Branch.Office2.com

enable password ######## encrypted

passwd ###### encrypted

names

!

interface Ethernet0/0

switchport access vlan 4

!

interface Ethernet0/1

switchport access vlan 15

!

interface Ethernet0/2

shutdown

!

interface Ethernet0/3

shutdown

!

interface Ethernet0/4

shutdown

!

interface Ethernet0/5

shutdown

!

interface Ethernet0/6

shutdown

!

interface Ethernet0/7

switchport access vlan 205

!

interface Vlan1

no nameif

no security-level

no ip address

!

interface Vlan4

nameif inside

security-level 2

ip address 192.168.30.1 255.255.255.0

!

interface Vlan15

nameif outside

security-level 1

ip address 172.16.1.10 255.255.255.0

!

interface Vlan205

no forward interface Vlan15

nameif management

security-level 0

ip address X.Y.165.14 255.255.255.0

management-only

!

ftp mode passive

clock timezone EST 10

clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00

dns server-group DefaultDNS

domain-name Branch.Office2.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network LOCAL_NET

subnet 192.168.30.0 255.255.255.0

description BO Internal Network

object network ALL_CENTRAL

subnet 10.0.0.0 255.0.0.0

description All Internal CENTRAL Network

access-list 100 extended permit ip object LOCAL_NET object ALL_CENTRAL log debugging

access-list External_routemap_1 extended permit ip object LOCAL_NET object ALL_CENTRAL log debugging

pager lines 24

logging enable

logging timestamp

logging asdm-buffer-size 512

logging console debugging

logging monitor debugging

logging trap informational

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu management 1500

icmp unreachable rate-limit 1 burst-size 1

icmp permit any outside

no asdm history enable

arp timeout 14400

!

route-map TEST_RMAP permit 1

match ip address External_routemap_1

!

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

route management X.Y.0.0 255.255.0.0 X.Y.165.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

http server enable

http X.Y.0.0 255.255.0.0 management

http redirect management 80

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac

crypto ipsec ikev2 ipsec-proposal secure

protocol esp encryption aes 3des des

protocol esp integrity sha-1

crypto map outside_map 1 match address 100

crypto map outside_map 1 set pfs

crypto map outside_map 1 set peer 172.16.2.10

crypto map outside_map 1 set ikev1 transform-set CENTRAL-crypto-map

crypto map outside_map 1 set ikev2 ipsec-proposal secure

crypto map outside_map 1 set nat-t-disable

crypto map outside_map 1 set reverse-route

crypto map outside_map interface outside

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev1 enable outside

crypto ikev1 policy 10

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh scopy enable

ssh X.Y.0.0 255.255.0.0 management

ssh timeout 5

console timeout 0

no threat-detection basic-threat

no threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl encryption 3des-sha1

webvpn

group-policy GroupPolicy_172.16.2.10 internal

group-policy GroupPolicy_172.16.2.10 attributes

vpn-tunnel-protocol ikev1 ikev2

username sysop password ########## encrypted privilege 15

tunnel-group 172.16.2.10 type ipsec-l2l

tunnel-group 172.16.2.10 general-attributes

default-group-policy GroupPolicy_172.16.2.10

tunnel-group 172.16.2.10 ipsec-attributes

ikev1 pre-shared-key *****

ikev2 remote-authentication pre-shared-key *****

ikev2 local-authentication pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:a585784df82edf735dc3245bf29444a6

: end


Any Suggestions?

iannicholls1 Thu, 01/23/2014 - 13:07

I have that sysopt setting in there now and it made no difference.


There is no error being reported by the ASAs. The tunnels come up, and traffic connects from the initiating site OK but not from the other end.


I checked the access-lists to see if any of them are being hit, and the traffic from the non-initiating site does not trigger any ACLs.


I can get some debug logs if you know which ones you think would help.


Ian
