07-29-2010 07:13 AM - edited 03-11-2019 11:18 AM
Hi.
I have problems with an ASA 5510 and GRE.
I can't make a gre tunnel from the inside network to a host on the internet. I only get to the part where I have to enter the username and password and there it breaks. I get a teardown gre connection in the logs exactly after 30 sec.
The inside network and outside network both have real ip addresses so I have no NAT configured and no need for NAT.
I tried fixup protocol pptp 1723 and inspect pptp.
The ACLs allow both gre and tcp 1723 both on the outside and on the inside (I also tried with allow ip any any to be sure it's not ACL related).
Any ideas?
07-29-2010 07:25 AM
Hello,
Can you please post the output of "show service-policy" and "show asp drop"
commands? Please follow below steps before collecting the output:
-- Clear the counters i.e. clear service-policy & clear asp drop
-- Initiate a GRE tunnel session
-- Once it fails, issue "show service-policy" and "show asp drop"
Regards,
NT
07-29-2010 07:32 AM
Hello
Thanks for the reply. Here is the output:
Result of the command: "show service-policy"
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns preset_dns_map, packet 743, drop 0, reset-drop 0
Inspect: ftp, packet 0, drop 0, reset-drop 0
Inspect: h323 h225 _default_h323_map, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: h323 ras _default_h323_map, packet 0, drop 0, reset-drop 0
Inspect: rsh, packet 0, drop 0, reset-drop 0
Inspect: rtsp, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: esmtp _default_esmtp_map, packet 0, drop 0, reset-drop 0
Inspect: sqlnet, packet 0, drop 0, reset-drop 0
Inspect: skinny , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: sunrpc, packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: xdmcp, packet 0, drop 0, reset-drop 0
Inspect: sip , packet 0, drop 0, reset-drop 0
tcp-proxy: bytes in buffer 0, bytes dropped 0
Inspect: netbios, packet 3, drop 0, reset-drop 0
Inspect: tftp, packet 0, drop 0, reset-drop 0
Inspect: ip-options _default_ip_options_map, packet 0, drop 0, reset-drop 0
Inspect: pptp, packet 14, drop 0, reset-drop 0
Interface inside10:
Service-policy: inside10-policy
Class-map: inside10-class
IPS: card status Up, mode inline fail-open, sensor vs0
packet input 0, packet output 0, drop 0, reset-drop 0
Interface outside:
Service-policy: pptp_policy
Class-map: pptp-port
Inspect: pptp, packet 0, drop 0, reset-drop 0
Class-map: outside-class
IPS: card status Up, mode inline fail-open, sensor vs0
packet input 0, packet output 0, drop 0, reset-drop 0
Result of the command: "show asp drop"
Frame drop:
First TCP packet not SYN (tcp-not-syn) 145
TCP failed 3 way handshake (tcp-3whs-failed) 21
TCP RST/FIN out of order (tcp-rstfin-ooo) 21
Dropped pending packets in a closed socket (np-socket-closed) 2
Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15
Flow drop:
Last clearing: 17:29:07 EEDT Jul 29 2010 by enable_15
07-29-2010 07:43 AM
Hello,
I see that you have an IPS module installed on the firewall. Can you bypass
the IPS module for the PPTP traffic and see if that helps?
Regards,
NT
07-29-2010 07:45 AM
Hi
I bypassed the IPS for all the traffic with the same result
07-29-2010 09:02 AM
can you collect some captures on the inside and outside of ASA, so that we can see where it is failing
also have you tried bypassing the firewall does it work fine (just to confirm that the configuration is fine)
any way the captures on ASA's inside and outside will tell us who and hopefully why the device is dropping the packet
07-29-2010 10:44 AM
Hello,
What is the code version you are running on the firewall?
Regards,
NT
07-29-2010 01:10 PM
Post the log level 7.
Post the config.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: