Cisco Support Community

Site to Site VPN between ASA5510 and Sonicwall TZ200

          Hi,

I have set up a site-to-site VPN between a Cisco ASA 5510 and a SonicWall TZ200. The tunnel established successfully, but there is no traffic crossing the tunnel. Everything is OK on the SonicWall side, but the ASA is somehow blocking all the inbound and outbound traffic. I'm using ASDM, and the packet tracer is giving: packet dropped, IPsec spoofing.

Your help and advice are greatly appreciated.

Thanks,

Basel.

19 REPLIES

Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

When you are using the packet tracer, are you tracing from the interface IP? If you do, you will get the error you are experiencing.



Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Yes, you're right, I'm tracing from the interface IP. So how can I trace inbound/outbound traffic to the VPN tunnel which is set up on this interface?

Thanks.


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Try pinging an address on either side of the VPN, not the interface IPs.


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

How do you know the ASA is the L3 device dropping the traffic?

Can you share the show crypto ipsec sa peer x.x.x.x (IP address of the SonicWall public IP) output?

An ASP-drop capture will let us know if the ASA is dropping the traffic

cap asp type asp-drop all circular-buffer

Try to send some traffic over the VPN tunnel and do the following

show cap asp | include x.x.x.x (source IP address you used to source traffic over the VPN tunnel)

What do you get?

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
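The asp-drop capture suggested above is normally read with `show cap asp | include <ip>` and eyeballed line by line. As an added example (not part of this thread or of Cisco's tooling), the Python below parses a pasted `show capture asp` dump, applies the same per-host filter, and tallies drop reasons per source so a one-way tunnel, an ACL deny and a clear-text packet hitting the crypto ACL (the `ipsec-spoof` reason the packet tracer reports when you trace from the interface IP) stand out immediately. The capture text is constructed for the example: the reason codes (`acl-drop`, `ipsec-spoof`, `no-route`, `sp-security-failed`) are real ASA drop reasons, but the addresses, timestamps and packets are made up.

```python
"""Summarise an ASA asp-drop capture (`show capture asp`) by source host and
drop reason. Added example; the SAMPLE_ASP_DROP text is CONSTRUCTED in the ASA
capture output format (real reason codes, made-up packets and addresses)."""
import re
from collections import Counter, defaultdict

SAMPLE_ASP_DROP = """\
5 packets captured
   1: 10:12:01.401132 192.168.5.30 > 172.16.149.10: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
   2: 10:12:02.401201 192.168.5.30 > 172.16.149.10: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
   3: 10:12:05.118872 203.0.113.10 > 172.16.149.10: icmp: echo request Drop-reason: (ipsec-spoof) IPSEC Spoof detected
   4: 10:12:07.552190 192.168.5.31.52110 > 172.16.149.20.445: S 1049372810:1049372810(0) win 8192 <mss 1460> Drop-reason: (no-route) No route to host
   5: 10:12:09.002338 10.10.12.7 > 8.8.8.8: icmp: echo request Drop-reason: (sp-security-failed) Slowpath security checks failed
"""

# One capture line: index, timestamp, "src > dst:" header, protocol text, then
# the "Drop-reason: (code) description" suffix that asp-drop captures append.
_LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+?):\s+"
    r"(?P<rest>.*?)\s*Drop-reason:\s+\((?P<reason>[^)]+)\)\s*(?P<desc>.*)$"
)


def _host(addr):
    """ASA prints TCP/UDP endpoints as a.b.c.d.port; return just the IP."""
    parts = addr.split(".")
    return ".".join(parts[:4]) if len(parts) == 5 else addr


def parse_asp_drops(text):
    """Return one dict per dropped packet; header/summary lines are skipped."""
    drops = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        drops.append({
            "idx": int(m["idx"]),
            "ts": m["ts"],
            "src": _host(m["src"]),
            "dst": _host(m["dst"]),
            "reason": m["reason"],
            "desc": m["desc"].strip(),
        })
    return drops


def drops_for_host(text, ip):
    """Same selection as `show cap asp | include <ip>`: ip as source or destination."""
    return [d for d in parse_asp_drops(text) if ip in (d["src"], d["dst"])]


def reason_summary(text):
    """Map each source IP to a Counter of drop reasons for a quick triage view."""
    summary = defaultdict(Counter)
    for d in parse_asp_drops(text):
        summary[d["src"]][d["reason"]] += 1
    return {src: dict(c) for src, c in summary.items()}


if __name__ == "__main__":
    for src, reasons in sorted(reason_summary(SAMPLE_ASP_DROP).items()):
        print(f"{src:16} {reasons}")
    for d in drops_for_host(SAMPLE_ASP_DROP, "192.168.5.30"):
        print(d["ts"], d["src"], "->", d["dst"], d["reason"], "-", d["desc"])
```

Paste real `show capture asp` output into `SAMPLE_ASP_DROP` (or read it from a file) and look at `reason_summary` first; if a host you are testing from does not appear at all, the ASA is not dropping its packets in the accelerated path, which is exactly the conclusion Julio draws from an empty `| include` result.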

Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Thank you Julio,

I'm not that familiar with this appliance, but I ran the command you suggested in global mode, and I did not get any output or error; I just got the prompt back.

I generated traffic from 192.168.5.30 and ran the following: show cap asp | include 192.168.5.30

and had no output.

Thanks.

Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

The ASP capture, also known as the Accelerated Security Path capture (ASP is the algorithm the ASA uses in order to allow or deny traffic based on the different rule policies set on it), will show us all of the packets being dropped by the ASA.

That being said, as you ran it with no output, it means the ASA was not dropping any traffic related to that IP at that moment.

Do the following on the ASA

fixup protocol icmp

management-access inside

and then

ping inside x.x.x.x (host on the other side of the tunnel)

What's the result?


Cheers,

Julio Carvajal Segura


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

This command did not go through, I got the following:

asa# fixup protocal icmp

            ^

ERROR: % Invalid input detected at '^' marker.

asa# Fixup protocol icmp

            ^

ERROR: % Invalid input detected at '^' marker.


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

You have to be in configuration terminal mode:

config t


Cheers,
Julio Carvajal Segura


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Here is the output:

Sending 5, 100-byte ICMP Echos t

?????

Success rate is 0 percent (0/5)

Sending 5, 100-byte ICMP Echos t

?????

Success rate is 0 percent (0/5)

Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello,

Did you enable ICMP inspection? Did you add the management-access inside? Did you use ping inside x.x.x.x?

Can you share the output of

show crypto ipsec sa

note: Hide the public IP addresses from the output


Cheers,

Julio Carvajal Segura


Re: Site to Site VPN between ASA5510 and Sonicwall TZ200

Hi Julio,

Everything seems to be OK in this access list. I think this is a routing issue. It just does not know where to send the packet back or where to reply.

Crypto map tag: XXXX_map, seq num: 7, local addr: x.x.x.x

   access-list XXXX_7_cryptomap permit ip x.x.x.x x.x.x.x x.x.x.x x.x.x.x

   local ident (addr/mask/prot/port): (local network and subnet)

   remote ident (addr/mask/prot/port): (Remote network and subnet)

   current_peer: x.x.x.x

   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

   #pkts decaps: 9122, #pkts decrypt: 9122, #pkts verify: 9122

   #pkts compressed: 0, #pkts decompressed: 0

   #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

   #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

   #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

   #send errors: 0, #recv errors: 0

   local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x

   path mtu 1500, ipsec overhead 58, media mtu 1500

   current outbound spi:

inbound esp sas:

   spi:

       transform: esp-des esp-md5-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: .., crypto-map: xxxx_map

       sa timing: remaining key lifetime (sec): 18731

       IV size: 8 bytes

       replay detection support: Y

outbound esp sas:

   spi:

       transform: esp-des esp-md5-hmac none

       in use settings ={L2L, Tunnel, }

       slot: 0, conn_id: 8849, crypto-map: xxxx_map

       sa timing: remaining key lifetime (sec): 18673

       IV size: 8 bytes

       replay detection support: Y

Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

We can see packets being decrypted but no packets being encrypted.

What version are you running? If it is 8.2.5, can you reload the FW and let us know how it goes after rebooting it?

Regards,

Julio Carvajal
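The diagnostic point in the reply above is the asymmetry in the SA counters: 9122 packets decapsulated and verified, zero encapsulated. The peer's traffic is arriving and decrypting fine, so IKE and the inbound SA are healthy; what never happens is this ASA encrypting anything back, which is a local routing, NAT-exemption or crypto-ACL problem rather than a SonicWall problem. As an added example (not from the thread), the Python below parses `show crypto ipsec sa` output into one record per crypto-map entry and turns the counter pattern into a finding; it also flags the negotiated transform, since `esp-des esp-md5-hmac` in the posted output is a deprecated cipher/integrity pair. `SAMPLE_SA` is constructed: the counters and transforms mirror the redacted output posted above, while the addresses, SPIs and map name are made up.

```python
"""Parse `show crypto ipsec sa` and interpret the per-SA packet counters.
Added example; SAMPLE_SA is CONSTRUCTED (counters and transforms as posted in
the thread, addresses/SPIs/map name made up)."""
import re

SAMPLE_SA = """\
interface: Outside
    Crypto map tag: Outside_map, seq num: 7, local addr: 198.51.100.2

      access-list Outside_7_cryptomap permit ip 192.168.0.0 255.255.0.0 172.16.149.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.149.0/255.255.255.0/0/0)
      current_peer: 198.51.100.30

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 9122, #pkts decrypt: 9122, #pkts verify: 9122
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 198.51.100.2, remote crypto endpt.: 198.51.100.30
      current outbound spi: 6A1F0C3B

    inbound esp sas:
      spi: 0x2C4B9E11
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
    outbound esp sas:
      spi: 0x6A1F0C3B
         transform: esp-des esp-md5-hmac none
         in use settings ={L2L, Tunnel, }
"""

_TAG_RE = re.compile(r"Crypto map tag:\s*(?P<tag>\S+),\s*seq num:\s*(?P<seq>\d+),\s*local addr:\s*(?P<local>\S+)")
_IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\):\s*\((?P<val>[^)]*)\)")
_PEER_RE = re.compile(r"current_peer:\s*([0-9A-Fa-f.:]+)")
_ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
_XFORM_RE = re.compile(r"transform:\s*(.+)")

# Algorithms RFC 8221 says MUST NOT be used for ESP; still negotiable on old ASA code.
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_ipsec_sa(text):
    """Return a list of dicts, one per 'Crypto map tag' block in the output."""
    sas, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TAG_RE.match(line):
            cur = {"tag": m["tag"], "seq": int(m["seq"]), "local_addr": m["local"],
                   "peer": None, "local_ident": None, "remote_ident": None,
                   "encaps": 0, "decaps": 0, "transforms": set()}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := _IDENT_RE.match(line):
            cur[m["side"] + "_ident"] = m["val"]
        elif m := _PEER_RE.match(line):
            cur["peer"] = m.group(1)
        elif m := _ENCAPS_RE.match(line):
            cur["encaps"] = int(m.group(1))
        elif m := _DECAPS_RE.match(line):
            cur["decaps"] = int(m.group(1))
        elif m := _XFORM_RE.match(line):
            cur["transforms"].update(t for t in m.group(1).split() if t != "none")
    return sas


def diagnose(sa):
    """Return (code, message) findings for one SA, following the thread's reading."""
    findings = []
    where = f"{sa['tag']} seq {sa['seq']} to {sa['peer']}"
    if sa["decaps"] > 0 and sa["encaps"] == 0:
        findings.append(("ONE_WAY_NO_ENCAPS",
                         f"{where}: {sa['decaps']} pkts decrypted, 0 encrypted. Return traffic to "
                         f"{sa['remote_ident']} never reaches the crypto map on this ASA: check the route "
                         "to the crypto interface, the nat 0 exemption and the crypto ACL."))
    elif sa["encaps"] > 0 and sa["decaps"] == 0:
        findings.append(("ONE_WAY_NO_DECAPS",
                         f"{where}: {sa['encaps']} pkts encrypted, 0 decrypted. Look at the peer side."))
    elif sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append(("IDLE", f"{where}: no interesting traffic has matched this SA yet."))
    weak = sorted(sa["transforms"] & WEAK_TRANSFORMS)
    if weak:
        findings.append(("WEAK_TRANSFORM",
                         f"{where}: negotiated {' '.join(weak)}; prefer esp-aes with esp-sha-hmac or stronger."))
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA):
        for code, msg in diagnose(sa):
            print(f"[{code}] {msg}")
```

Run it against the real output from `show crypto ipsec sa peer <sonicwall-ip>` (the public addresses can stay redacted; the parser only needs the counter and ident lines intact). An `ONE_WAY_NO_ENCAPS` finding is the signal to stop looking at the SonicWall and trace the return flow on the ASA.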

Site to Site VPN between ASA5510 and Sonicwall TZ200

I'm pretty sure that this is a routing issue, since ASA is receiving the packet, and dropping it since it does not know where to return it to:


There is no route to the VPN tunnel in here:

asa# show run route

route Inside 172.16.21.0 255.255.255.0 192.168.0.205 1
route Inside 10.10.12.0 255.255.255.0 192.168.0.205 1
route Outside 172.16.21.0 255.255.255.0 192.168.0.1 2
route Outside 0.0.0.0 0.0.0.0 x.x.x.x

asa#

None of them is a route to the site-to-site VPN.

Can you please let me know how I can add this route?

Since this device is being used for Internet browsing the following route exist to route to our ISP:  route Outside 0.0.0.0 0.0.0.0 x.x.x.x

So I need to add a route to the VPN and keep the internet traffic routed to our ISP.


By the way the asa version is 7.2

Your help is greatly appreciated.

Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

I'm pretty sure that this is a routing issue, since ASA is receiving the packet, and dropping it since it does not know where to return it to:

This is incorrect, as you do have a default route.

I will need more information (the running configuration); please send it to me.

Also I will need to know the remote subnet IP address and local IP address (is it 172.16.21.0 or 10.10.12.0?).

Julio Carvajal

Site to Site VPN between ASA5510 and Sonicwall TZ200

Could this NAT policy be the reason?

access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.149.0 255.255.255.0

192.168.0.0/16   is the local subnet

172.16.149.0/24  is the remote subnet

Site to Site VPN between ASA5510 and Sonicwall TZ200

Hello Basel,

No,

That nat 0 is good

Do you have:

nat (inside) 0 access-list inside_nat0_outbound ??

Julio Carvajal

Site to Site VPN between ASA5510 and Sonicwall TZ200

yes it is there:

nat (Inside) 0 access-list Inside_nat0_outbound

Site to Site VPN between ASA5510 and Sonicwall TZ200

Then you are good.

Are you positive the crypto ACL is fine?

Any ACL on the inside interface blocking the traffic?

Do the following

cap capin interface inside match ip any 172.16.149.0 255.255.255.0

cap asp type asp-drop all circular-buffer

Then try to access any host there and do

show cap capin

show cap asp | include 172.16.149.x (The IP address you accessed or try to)

Julio Carvajal
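The last several replies check the three things that decide whether a packet from the inside network is ever handed to the crypto map: it must route out the interface the crypto map is applied to (the default route is enough, which is why the "no route to the VPN" theory is wrong), it must be exempted from NAT by the `nat 0` ACL so its source address is still the one the crypto ACL expects, and it must match the crypto ACL itself. As an added example (not part of the thread), the Python below performs those three checks offline against `route` and `access-list` lines pasted from `show run`, using the ASA's longest-prefix-then-lowest-metric route selection and first-match ACL semantics. The configuration is constructed from the lines posted in this thread; the redacted default gateway and crypto ACL name are replaced with made-up values (198.51.100.1 and Outside_7_cryptomap), and the example also covers `host` and `any` address forms the thread does not use.

```python
"""Will src->dst be encrypted by this ASA? Route lookup + nat 0 exemption +
crypto ACL match from pasted `show run` lines. Added example; SAMPLE_CONFIG
is CONSTRUCTED from the thread (gateway and crypto ACL name are made up)."""
import ipaddress
import re

SAMPLE_CONFIG = """\
route Inside 172.16.21.0 255.255.255.0 192.168.0.205 1
route Inside 10.10.12.0 255.255.255.0 192.168.0.205 1
route Outside 172.16.21.0 255.255.255.0 192.168.0.1 2
route Outside 0.0.0.0 0.0.0.0 198.51.100.1
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.0.0 172.16.149.0 255.255.255.0
access-list Outside_7_cryptomap extended permit ip 192.168.0.0 255.255.0.0 172.16.149.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound
"""

_ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_routes(cfg):
    """Return [(interface, network, gateway, metric)] from ASA `route` lines."""
    routes = []
    for line in cfg.splitlines():
        if m := _ROUTE_RE.match(line.strip()):
            iface, net, mask, gw, metric = m.groups()
            routes.append((iface, ipaddress.ip_network(f"{net}/{mask}"), gw, int(metric or 1)))
    return routes


def lookup_route(routes, ip):
    """ASA forwarding decision: longest prefix wins, ties go to the lowest metric."""
    ip = ipaddress.ip_address(ip)
    candidates = [r for r in routes if ip in r[1]]
    return max(candidates, key=lambda r: (r[1].prefixlen, -r[3])) if candidates else None


def _take_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}")


def parse_acl(cfg, name):
    """Return [(permit, src_net, dst_net)] for the `ip` entries of one named ACL."""
    entries = []
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[:2] != ["access-list", name]:
            continue
        tokens = tokens[3:] if tokens[2] == "extended" else tokens[2:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            continue  # remarks and port-specific entries are out of scope here
        entries.append((action == "permit", _take_addr(rest), _take_addr(rest)))
    return entries


def acl_permits(entries, src, dst):
    """First matching entry decides, as on the ASA; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for permit, s, d in entries:
        if src in s and dst in d:
            return permit
    return False


def check_vpn_path(cfg, src, dst, crypto_acl="Outside_7_cryptomap",
                   nat0_acl="Inside_nat0_outbound", crypto_iface="Outside"):
    """Evaluate the three conditions and list whatever would keep src->dst in the clear."""
    route = lookup_route(parse_routes(cfg), dst)
    egress = route[0] if route else None
    result = {
        "egress": egress,
        "routes_to_crypto_iface": egress == crypto_iface,
        "nat0_match": acl_permits(parse_acl(cfg, nat0_acl), src, dst),
        "crypto_match": acl_permits(parse_acl(cfg, crypto_acl), src, dst),
    }
    problems = []
    if not result["routes_to_crypto_iface"]:
        problems.append(f"{dst} routes out {egress}, not {crypto_iface}; the crypto map never sees it")
    if not result["nat0_match"]:
        problems.append(f"{src}->{dst} is not in {nat0_acl}; the source gets NATed and misses the crypto ACL")
    if not result["crypto_match"]:
        problems.append(f"{src}->{dst} does not match crypto ACL {crypto_acl}")
    result["problems"] = problems
    return result


if __name__ == "__main__":
    for src, dst in [("192.168.5.30", "172.16.149.10"), ("10.10.12.7", "172.16.149.10"),
                     ("192.168.5.30", "172.16.21.5")]:
        r = check_vpn_path(SAMPLE_CONFIG, src, dst)
        print(f"{src} -> {dst}: {'would be encrypted' if not r['problems'] else r['problems']}")
```

With the lines posted in this thread, 192.168.5.30 to a 172.16.149.0/24 host passes all three checks, so the static configuration shown is not what keeps the encaps counter at zero; that leaves the interface ACLs and the captures Julio asks for as the next place to look.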

Site to Site VPN between ASA5510 and Sonicwall TZ200

Just to mention that the WAN interface IPs on both ends are on the same /27 subnet. Could that be an issue?
