site to site vpn question

blackswans · ‎01-02-2014

Hi,

These are the two ACLs of two site to site vpns. The first vpn is working fine but the second vpn is working one way. Local subnet y.y.y.y cannot send traffic to the remote site. Can it be a problem because of the first vpn subnet is overlapping with the second one?

1st site to site vpn works fine

Local subnet : x.x.x.x Remote subnet : 192.168.0.0/16

2nd site to site vpn - one way

Local subnet : y.y.y.y Remote subnet : 192.168.1.0/24

Thanks.

Jouni Forss · ‎01-02-2014

Hi,

If you look at the output of the following command

show run crypto map

And if you see that the L2L VPN connection with the network 192.168.0.0/16 is with a smaller sequence/order/priority number in the Crypto Map then all the traffic destined to that large network will match this L2L VPN and not the other VPN with the more specific network.

You could try adding this line to the L2L VPN with the large network

access-list line 1 deny ip 192.168.1.0 255.255.255.0

And see if that enables you to use the second new L2L VPN without changing the subnets/networks in the L2L VPN configurations.

Hope this helps

- Jouni

blackswans · ‎01-03-2014

Hi,

Thanks for the information, I've added the line to the ACL but still I do not see traffic increasing TX.

access-list Outside_cryptomap_6 line 1 extended permit ip y.y.y.y 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=7)

I want to add that the source ip subnets are different why it wants to go the the large network?

Jouni Forss · ‎01-03-2014

Hi,

Ah, didnt notice that the source networks on your side are different. Then the overlapping destination network should not cause problems to my understanding.

I would suggest using the "packet-tracer" command to confirm that the traffic indeed matches the L2L VPN configurations at all. That it for example DOES NOT match the wrong NAT rule.

packet-tracer input tcp 12345 192.168.1.x

Please add the correct source/input interface on your ASA, the correct source IP address that should match the L2L VPN configuration and add the correct destination IP address and port.

This should give us some picture of the situation.

- Jouni

blackswans · ‎01-03-2014

It says Phase3 ACL is dropping but I do not see any ACL in the interface... It allows any to any less secure networks.

packet-tracer input CUSTOMER tcp [fw_vlan_interface_ip] 12345 192.168.1.123 12345

Phase: 1

Type: ACCESS-LIST

Subtype:

Result: ALLOW

Config:

Implicit Rule

Additional Information:

MAC Access list

Phase: 2

Type: ROUTE-LOOKUP

Subtype: input

Result: ALLOW

Config:

Additional Information:

in 192.168.1.0 255.255.255.0 Outside

Phase: 3

Type: ACCESS-LIST

Subtype:

Result: DROP

Config:

Implicit Rule

Additional Information:

Result:

input-interface: CUSTOMER_INTERFACE

input-status: up

input-line-status: up

output-interface: Outside

output-status: up

output-line-status: up

Action: drop

Drop-reason: (acl-drop) Flow is denied by configured rule

Marius Gunnerud · ‎01-03-2014

You need to run the packet tracer twice in a row. the first packet tracer will drop as the tunnel might not yet be. So the first packet tracer brings up the tunnel and then the second packet tracer will show the correct trace. I would also suggest using an IP that is not the firewall interface as this can sometimes (depending on the configuration) show as a drop.

Have you ensured that the ACL that defines interesting traffic at the remote end is correctly configured?

And although this is probably not the issue, check to make sure that the test PC has an IP in the correct range.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts