RAVPN - Accessing remote l2l's - what's wrong?

dwhyte1985
Level 1

Hello,

Please find attached.

VPN (192.168.70.0/24) can connect to the Internal LAN (192.168.10.0/23) but not to the connected sites. These are working fine, as they can be pinged on the inside interface. When RAVPN tries, it times out. Assuming the remote end is correctly configured with the same ACLs, what am I missing?

Very frustrating: a wealth of information online, but a lot of it is very hard to 'get'.

Simply, I want the RAVPN clients to be able to get to the remote sites; it works to the internal LAN.

22 Replies

Hi,

Do you have an option to remotely create connections from the remote L2L VPN site towards the VPN Pool? Or have someone else do it or for example send continuous ICMP from the site?

If you can, I guess this could provide the possibility to check whether the L2L VPN section is OK. If you can generate that traffic and at the same time monitor whether the VPN shows that traffic with the above-mentioned command, you could at least confirm that, and we could concentrate on the VPN Client configuration and troubleshooting.

- Jouni

Hello,

I've attached a log where I was pinging from both ends at the same time; if this helps, please let me know. Unable to do continuous pings, though.

Draytek @ 192.168.20.0/24

ASA Internal @ 192.168.10/23
--> RAVPN @ 192.168.70.0/24

Please find attached.

I'm not sure if I missed it, but I don't see any ICMP messages regarding the VPN Pool IP addresses of 192.168.70.0/24?

Can you ping from the remote site, using its local address, to the VPN Client pool and vice versa, and use ASDM to log the output, or just copy it in the format you did last time?

- Jouni

192.168.70.2|21047|Teardown UDP connection 28491659 for Outside:84.252.252.154/33960 to Outside:192.168.70.2/21047 duration 0:02:41 bytes 489

192.168.70.2|63222|195.74.159.97|60843|Teardown dynamic TCP translation from any:192.168.70.2/63222 to Outside:195.74.159.97/60843 duration 0:02:30

192.168.70.2|63221|84.252.252.155|80|Teardown TCP connection 28490636 for Outside:192.168.70.2/63221 to Outside:84.252.252.155/80 duration 0:02:38 bytes 36175 Tunnel has been torn down

Any help?

Hey,

Those messages seem to be about the connections that your VPN client makes to the Internet through your ASA firewall.

They don't have the destination network 192.168.20.0/24 in them.

- Jouni

Apologies, please see below:

192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Built inbound ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Built inbound ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 59952   Failed to locate egress interface for UDP from Outside:192.168.70.2/59952 to 239.255.255.250/1900
192.168.70.2 1 192.168.20.1 0 Built inbound ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Built inbound ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 1 192.168.20.1 0 Teardown ICMP connection for faddr 192.168.70.2/1(LOCAL\SARemote) gaddr 192.168.20.1/0 laddr 192.168.20.1/0 (SARemote)
192.168.70.2 54720 192.168.10.1 53 Teardown UDP connection 29298712 for Outside:192.168.70.2/54720(LOCAL\SARemote) to inside:192.168.10.1/53 duration 0:00:00 bytes 96 (SARemote)


Hi JouniForss,

I was facing the same problem and your suggestion below solved my problem and thank you very much.

JouniForss wrote:

Hi,

I think you need at least the following command:

same-security-traffic permit intra-interface

It allows traffic to leave the same interface it arrived on.

From Cisco material:

The same-security-traffic intra-interface command lets traffic enter and exit the same interface, which is normally not allowed. This feature might be useful for VPN traffic that enters an interface, but is then routed out the same interface. The VPN traffic might be unencrypted in this case, or it might be reencrypted for another VPN connection. For example, if you have a hub and spoke VPN network, where the ASA is the hub, and remote VPN networks are spokes, for one spoke to communicate with another spoke, traffic must go into the ASA and then out again to the other spoke.

Also on that note, why is your outside interface also at security-level 100?

You also seem to have some extra networks in the first NAT rule:

nat (Outside,Outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static NETWORK_OBJ_192.168.70.0_24 NETWORK_OBJ_192.168.70.0_24 no-proxy-arp route-lookup

The DM_INLINE_NETWORK_1 includes your local LAN network, which isn't located outside. Not sure if it really matters if it's there, but it's just something that I noticed when looking at the configuration.

- Jouni
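To make the pieces of Jouni's answer concrete, here is an ASA (8.3+ NAT syntax, matching the rule quoted above) configuration for hairpinning RA-VPN client traffic into the L2L tunnel. This is an added example, not the original poster's configuration or Cisco documentation; the object, ACL, crypto-map and group-policy names, the `inside`/`Outside` interface names and the second ACE on the crypto ACL are assumptions, and the addresses are the ones from the thread.

```cisco
! Allow traffic that arrives on Outside (from the RA client) to leave via Outside (into the L2L tunnel)
same-security-traffic permit intra-interface

! Network objects (names are assumptions for this example)
object network LAN_INSIDE
 subnet 192.168.10.0 255.255.254.0
object network L2L_DRAYTEK
 subnet 192.168.20.0 255.255.255.0
object network RAVPN_POOL
 subnet 192.168.70.0 255.255.255.0

! NAT exemption for the hairpinned flow: both ends sit on the Outside interface.
! Keep only outside-located networks here, not the internal LAN.
nat (Outside,Outside) source static RAVPN_POOL RAVPN_POOL destination static L2L_DRAYTEK L2L_DRAYTEK no-proxy-arp route-lookup
! Exemption for pool <-> internal LAN (the part that already works in the thread)
nat (inside,Outside) source static LAN_INSIDE LAN_INSIDE destination static RAVPN_POOL RAVPN_POOL no-proxy-arp route-lookup

! Crypto ACL for the L2L peer: the VPN pool must be a local source as well,
! otherwise pool -> 192.168.20.0/24 is never "interesting traffic".
! Each ACE negotiates its own IPsec SA pair with the remote peer.
access-list L2L_DRAYTEK_CRYPTO extended permit ip 192.168.10.0 255.255.254.0 192.168.20.0 255.255.255.0
access-list L2L_DRAYTEK_CRYPTO extended permit ip 192.168.70.0 255.255.255.0 192.168.20.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_DRAYTEK_CRYPTO

! Split-tunnel list for the RA clients: include the remote site, not only the LAN
access-list RAVPN_SPLIT standard permit 192.168.10.0 255.255.254.0
access-list RAVPN_SPLIT standard permit 192.168.20.0 255.255.255.0
group-policy RAVPN_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RAVPN_SPLIT

! Verification from the ASA CLI (replace <draytek-public-ip> with the peer address):
!   packet-tracer input Outside icmp 192.168.70.2 8 0 192.168.20.1 detailed
!     -> expect NAT phase to hit the (Outside,Outside) exemption and VPN phase to encrypt
!   show crypto ipsec sa peer <draytek-public-ip>
!     -> expect a second SA with "local ident 192.168.70.0/255.255.255.0/0/0"
```

Note the security side of the hairpin: `same-security-traffic permit intra-interface` lets any Outside-to-Outside flow be forwarded, so the crypto ACL and the NAT exemptions should stay scoped to exactly the pool and site subnets rather than `any`. The second crypto ACE is also where the Draytek limitation reported later in the thread bites, because it requires the remote peer to accept a second SA on the same tunnel.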

So, a very slow update... (Draytek support):

Vigor routers don't support multiple IPsec SAs (security associations) on a single tunnel. The 'more' option only works between Draytek routers to route traffic to additional IP subnets.

I suggest you enable another VPN profile to the ASA public address but use 192.168.70.0/24 as the remote LAN subnet.

Draytek doesn't like it unless it's a Draytek device at the other end! I am giving Jouni the correct answer, as his troubleshooting would have fixed a Cisco-to-Cisco setup.
