01-02-2014 10:52 PM - edited 03-11-2019 08:24 PM
Hi,
These are the two ACLs of two site to site vpns. The first vpn is working fine but the second vpn is working one way. Local subnet y.y.y.y cannot send traffic to the remote site. Can it be a problem because of the first vpn subnet is overlapping with the second one?
1st site to site vpn works fine
Local subnet : x.x.x.x Remote subnet : 192.168.0.0/16
2nd site to site vpn - one way
Local subnet : y.y.y.y Remote subnet : 192.168.1.0/24
Thanks.
01-02-2014 11:28 PM
Hi,
If you look at the output of the following command
show run crypto map
And if you see that the L2L VPN connection with the network 192.168.0.0/16 is with a smaller sequence/order/priority number in the Crypto Map then all the traffic destined to that large network will match this L2L VPN and not the other VPN with the more specific network.
You could try adding this line to the L2L VPN with the large network
access-list
And see if that enables you to use the second new L2L VPN without changing the subnets/networks in the L2L VPN configurations.
Hope this helps
- Jouni
01-03-2014 12:16 AM
Hi,
Thanks for the information, I've added the line to the ACL but still I do not see traffic increasing TX.
access-list Outside_cryptomap_6 line 1 extended permit ip y.y.y.y 255.255.255.0 192.168.1.0 255.255.255.0 (hitcnt=7)
I want to add that the source ip subnets are different why it wants to go the the large network?
01-03-2014 12:21 AM
Hi,
Ah, didnt notice that the source networks on your side are different. Then the overlapping destination network should not cause problems to my understanding.
I would suggest using the "packet-tracer" command to confirm that the traffic indeed matches the L2L VPN configurations at all. That it for example DOES NOT match the wrong NAT rule.
packet-tracer input tcp
Please add the correct source/input interface on your ASA, the correct source IP address that should match the L2L VPN configuration and add the correct destination IP address and port.
This should give us some picture of the situation.
- Jouni
01-03-2014 12:49 AM
It says Phase3 ACL is dropping but I do not see any ACL in the interface... It allows any to any less secure networks.
packet-tracer input CUSTOMER tcp [fw_vlan_interface_ip] 12345 192.168.1.123 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.1.0 255.255.255.0 Outside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: CUSTOMER_INTERFACE
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
01-03-2014 01:14 AM
You need to run the packet tracer twice in a row. the first packet tracer will drop as the tunnel might not yet be. So the first packet tracer brings up the tunnel and then the second packet tracer will show the correct trace. I would also suggest using an IP that is not the firewall interface as this can sometimes (depending on the configuration) show as a drop.
Have you ensured that the ACL that defines interesting traffic at the remote end is correctly configured?
And although this is probably not the issue, check to make sure that the test PC has an IP in the correct range.
--
Please remember to rate and select a correct answer
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: