
New Member

Weird One Way VPN tunnel issue

Site A ASA5550 with vlan1, vlan2, and vlan3 <~~ Headquarters

Site B ASA5510 with vlan1

Site C ASA5505 with vlan1

Site A is the HQ and we have Site-to-Site VPN set up for all sites with IPsec (IKEv1)

Site A <--> Site B

Site A <--> Site C

The problem is on Site A HQ to Site B. For some reason the VPN tunnel only establishes in one direction, Site B to Site A, but not Site A to Site B. When I log out the Site-to-Site VPN for Site A <-> Site B, there is no way for Site A to ping or connect to any server on Site B unless Site B pings or establishes a connection to Site A first; then Site A can ping or connect to Site B afterwards. The workaround right now is that I need to ask someone from Site B to ping Site A vlan1, vlan2, and vlan3 so that I can connect from Site A to Site B. All ASAs are on the latest 8.4(3) version.

Site A <~> Site C works perfectly fine without any problem!! When I log out the Site-to-Site VPN for Site A <~> Site C, the VPN tunnel establishes right away from either Site A to Site C or Site C to Site A.

Any suggestions on what I should look for before posting any configurations?

Thank you in advance. =)

28 REPLIES

Weird One Way VPN tunnel issue

First, please check whether you have a static route pushing Site B traffic toward the default gateway on the Site A ASA5550.

If that does not help, please paste your ASA5550 config on the forum for ease of troubleshooting.

Thanks

Rizwan Rafeek

New Member

Weird One Way VPN tunnel issue

Thanks for your quick reply rizwanr74! Yes, we do have static routes set up on the Site A ASA5550; both the Site B and Site C outside interfaces are there with the Site A gateway IP on them.

Weird One Way VPN tunnel issue

Hello,

Can you check the crypto ACL configuration on both sides and paste it in here so we can take a look at it?

Regards,

Julio

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

Weird One Way VPN tunnel issue

Thanks for your reply Julio. What command should I type in to show just the crypto ACL configuration? I'm doing my best to show just the information you guys are looking for instead of the whole configuration file.

Weird One Way VPN tunnel issue

Hello,

Under the crypto map, you will see a "match address x.x.x" line (where x.x.x is the ACL we are looking for).

We need both sites' ACLs (Branch and Site C).

Regards,

Julio

New Member

Re: Weird One Way VPN tunnel issue

Is that what you are looking for? THANKS!!!

Site A HQ ASA

crypto map outside_map 3 match address outside_cryptomap_2

crypto map outside_map 3 set peer (Site B ISP IP)

crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set reverse-route

crypto map outside_map 5 match address outside_cryptomap_3

crypto map outside_map 5 set peer (Site C ISP IP)

crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

Site B Branch ASA

crypto map outside_map 1 match address outside_1_cryptomap

crypto map outside_map 1 set peer (Site A ISP IP)

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 1 set reverse-route

crypto map outside_map 3 match address outside_cryptomap

crypto map outside_map 3 set peer (Site C ISP IP)

crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map 3 set reverse-route

Site C Branch ASA

crypto map outside_map0 1 match address outside_cryptomap

crypto map outside_map0 1 set peer (Site A ISP IP)

crypto map outside_map0 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 1 set reverse-route

crypto map outside_map0 2 match address outside_cryptomap_1

crypto map outside_map0 2 set peer (Site B ISP IP)

crypto map outside_map0 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map outside_map0 2 set reverse-route

Re: Weird One Way VPN tunnel issue

Hello,

Now on the ASA on Site A, please get the following

show run access-list outside_cryptomap_2

Now on the ASA on Site B, please get the following

show run access-list outside_1_cryptomap

Regards,

New Member

Re: Weird One Way VPN tunnel issue

Site A HQ ASA

show run access-list outside_cryptomap_2

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

Site B Branch ASA

show run access-list outside_1_cryptomap

access-list outside_1_cryptomap extended permit ip object-group DM_INLINE_NETWORK_3 object-group SiteA-Network

Thank You!!

Re: Weird One Way VPN tunnel issue

Hello IT,

ASA HQ Site A

On the Site A HQ ASA

Can you look for the configuration of this object group, DM_INLINE_NETWORK_12? Is this the network on the other site (Site B)?

Regards,

Julio

New Member

Re: Weird One Way VPN tunnel issue

Julio,

DM_INLINE_NETWORK_12 only exists on the Site A HQ ASA under outside_cryptomap_2

Source: Site A vlan1, Site A vlan2, Site A vlan3

Destination: Site B Network

Service: IP

I don't see any DM_INLINE_NETWORK_12 on the Site B ASA. I believe DM_INLINE_NETWORK_12 was created automatically by the ASDM wizard (someone else created it long ago).

Thanks!
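The question being worked through above is whether the crypto ACL on the HQ ASA (outside_cryptomap_2, source Site A vlan1-3, destination Site B) is the exact mirror image of the crypto ACL on the branch ASA (outside_1_cryptomap). The following script is an added example, not code from the thread or from Cisco: it expands the object groups of both ACLs into individual source/destination network pairs and reports every pair that has no reverse entry on the other peer. The object-group names are the ones quoted in the thread; the addresses behind them are constructed placeholders, because the thread never reveals the real networks.

```python
"""Mirror check for two ASA crypto ACLs (the 'match address' ACLs on a
site-to-site crypto map). Added example; addresses are constructed."""
from ipaddress import ip_network
from itertools import product

# Constructed placeholder networks, not the networks in the thread.
SITE_A_OBJECTS = {
    "DM_INLINE_NETWORK_11": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],  # vlan1-3 (assumed)
    "DM_INLINE_NETWORK_12": ["10.20.0.0/16"],                                # Site B (assumed)
}
SITE_B_OBJECTS = {
    "DM_INLINE_NETWORK_3": ["10.20.0.0/16"],
    "SiteA-Network": ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"],
}
# Each ACL entry is (source object-group, destination object-group), as in
# "access-list X extended permit ip object-group SRC object-group DST".
SITE_A_ACL = [("DM_INLINE_NETWORK_11", "DM_INLINE_NETWORK_12")]
SITE_B_ACL = [("DM_INLINE_NETWORK_3", "SiteA-Network")]


def expand(acl, objects):
    """Expand object-group pairs into a set of (src_network, dst_network) flows."""
    flows = set()
    for src_grp, dst_grp in acl:
        for s, d in product(objects[src_grp], objects[dst_grp]):
            flows.add((ip_network(s), ip_network(d)))
    return flows


def mirror_check(local_flows, remote_flows):
    """Return (missing, loose): local (src, dst) pairs with no exact reverse
    (dst, src) entry on the remote peer, and pairs that are only covered by a
    wider remote entry (a proxy-ID mismatch for IKEv1)."""
    missing, loose = [], []
    for src, dst in sorted(local_flows, key=str):
        if (dst, src) in remote_flows:
            continue
        if any(dst.subnet_of(rs) and src.subnet_of(rd) for rs, rd in remote_flows):
            loose.append((src, dst))
        else:
            missing.append((src, dst))
    return missing, loose


def check_sites(local_acl, local_objs, remote_acl, remote_objs):
    """Run the mirror check in both directions; report flows as 'src -> dst'."""
    local = expand(local_acl, local_objs)
    remote = expand(remote_acl, remote_objs)

    def fmt(pairs):
        return [f"{s} -> {d}" for s, d in pairs]

    missing_l, loose_l = mirror_check(local, remote)
    missing_r, loose_r = mirror_check(remote, local)
    return {
        "local_unmirrored": fmt(missing_l),
        "local_loosely_mirrored": fmt(loose_l),
        "remote_unmirrored": fmt(missing_r),
        "remote_loosely_mirrored": fmt(loose_r),
    }


if __name__ == "__main__":
    for key, value in check_sites(SITE_A_ACL, SITE_A_OBJECTS, SITE_B_ACL, SITE_B_OBJECTS).items():
        print(f"{key}: {value or 'none'}")
```

With the sample data the two ACLs mirror cleanly; dropping vlan2 and vlan3 from SiteA-Network on the branch makes those two flows show up under local_unmirrored, which is the kind of asymmetry that lets one side initiate and the other side fail.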

Re: Weird One Way VPN tunnel issue

Hello,

On Site A:

Please do the following:

packet-tracer input inside tcp x.x.x.x (host IP on vlan 1, Site A) 1025 x.x.x.x (host on the other side of the tunnel, Site B) 80

Regards,

Julio

New Member

Weird One Way VPN tunnel issue

Site A HQ ASA:

packet-tracer input inside tcp x.x.x.x (VLAN1 IP on Site A) 1025 x.x.x.x (Host IP on Site B) 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   SiteB-network 255.255.0.0     outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: FILTER
Subtype: filter-ftp
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FILTER
Subtype: filter-url
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type:
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8   destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10
Additional Information:
Static translate x.x.x.x (VLAN1 IP Address)/1025 to x.x.x.x (VLAN1 IP Address)/1025

Phase: 8
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 644050669, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up

Action: allow

Weird One Way VPN tunnel issue

Hello,

On the packet tracer we can see it is hitting a static rule, which should not happen!

Can we see the show run static, show run nat, sh run global, and the ACLs for the nat 0? (You will see a nat statement with an ID of 0 holding an ACL; I would like to see that ACL: show run access-list xxxx (name).)

Regards,

New Member

Weird One Way VPN tunnel issue

Julio,

I tried show run-config static and show run-config global but neither works... not sure why... I did not see any NAT 0 in my config file; what exact command do I need to type in to find out? Please see below for everything I found related to NAT and ACLs.

Thanks again for all of your help!

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Site A ASA show run nat

nat (inside,outside) source static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8   destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10

!

object network inside-network

nat (inside,outside) dynamic outside-defaultnat 

!

-----------------------------------------------------------------------------------------------------------------------------------------------------------------

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_3

access-list inside_nat0_outbound extended permit ip object-group DM_INLINE_NETWORK_8 object-group DM_INLINE_NETWORK_10

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12

Weird One Way VPN tunnel issue

Hello,

Yes, the nat is properly configured, can you check the show run route?

There has got to be a route for DM_INLINE_NETWORK_10 going to the outside (it may be a route outside 0.0.0.0 0.0.0.0).

Can you confirm that?

Regards,

Julio

New Member

Weird One Way VPN tunnel issue

Julio,

Site A ASA show run route

route inside inside-network 255.255.252.0 10.255.255.254 1

route inside x.x.x.x (VLAN 1 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 2 IP) 255.255.0.0 10.255.255.254 1

route inside x.x.x.x (VLAN 3 IP) 255.255.0.0 10.255.255.254 1

route outside Site B-network 255.255.0.0 x.x.x.x 1 (Site A Host)

route outside Site C-network 255.255.0.0 x.x.x.x 1 (Site A Host)

That's the thing I don't understand.. the Site C network has similar settings to Site B on the Site A ASA and it is working fine... =(

Thanks!

Weird One Way VPN tunnel issue

Hello,

Yes, I understand what you mean. Can you check the transform-set used on the Site A with the Site B transform set?

Regards,

Julio

New Member

Weird One Way VPN tunnel issue

Julio,

What command do you want me to type in to check on the transform set?

That's the thing.. I don't think the problem is in the site-to-site VPN settings because the tunnel works fine as long as Site B establishes the connection first by pinging/connecting to anything on Site A. Site B and Site C are using the same site-to-site VPN group policy on the Site A ASA.

Thanks!

Weird One Way VPN tunnel issue

Hello IT,

Correct, but the thing is the packet tracer shows that everything is working fine on this site (A). So my next question would be:

Is site B receiving the traffic?

For that you can do a capture from one host on site A to one host on site B

access-list test permit ip host host_A_ip host host_B_ip

access-list test permit ip host host_B_ip host host_A_ip

capture capin access-list test interface inside

You should do this configuration on both ASAs.

Then do a show cap capin on both ASAs, and provide the output.....

Regards,

Julio

New Member

Re: Weird One Way VPN tunnel issue

Julio,

I did the following on both ASA

Site A ASA HQ

access-list test permit ip host x.x.x.x (Site A Host IP) host x.x.x.x (Site B Host IP)

access-list test permit ip host x.x.x.x (Site B Host IP) host x.x.x.x (Site A Host IP)

capture capin access-list test interface inside

Site B ASA Branch

access-list test permit ip host x.x.x.x (Site B Host IP) host x.x.x.x (Site A Host IP)

access-list test permit ip host x.x.x.x (Site A Host IP) host x.x.x.x (Site B Host IP)

capture capin access-list test interface inside

Then I typed show cap capin on both ASAs and got the following results.

Result of the command: "show cap capin"

0 packet captured

0 packet shown

Am I missing anything?

Re: Weird One Way VPN tunnel issue

Hello,

Did you send some traffic from Site A Host IP to the host on site B???

You should get some traffic at least on Site A?

Regards,

Julio

New Member

Weird One Way VPN tunnel issue

Julio,

I changed the IPs to the following, ran ping /t between them, and got the following response.

Site A ASA HQ

access-list test permit ip host x.x.x.x (Site A My PC IP) host x.x.x.x (Site B Server IP)

access-list test permit ip host x.x.x.x (Site B Server IP) host x.x.x.x (Site A My PC IP)

capture capin access-list test interface inside

Site B ASA Branch

access-list test permit ip host x.x.x.x (Site B Server IP) host x.x.x.x (Site A My PC IP)

access-list test permit ip host x.x.x.x (Site A My PC IP) host x.x.x.x (Site B Server IP)

capture capin access-list test interface inside

Site A ASA HQ

Result of the command: "show cap capin"

   1: 16:40:23.785588 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 227846090 win 253
   2: 16:40:24.644757 (Site A My PC IP) > (Site B Server IP): icmp: echo request
   3: 16:40:24.788624 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 227846143 win 258
   4: 16:40:25.645810 (Site A My PC IP) > (Site B Server IP): icmp: echo request

3706 packets captured

Site B ASA Branch

show cap capin

   1: 08:31:37.574692 (Site B Server IP).3389 > (Site A My PC IP).51262: P 3045221942:3045221995(53) ack 1733105712 win 255
   2: 08:31:37.837526 (Site A My PC IP) > (Site B Server IP): icmp: echo request
   3: 08:31:37.837725 (Site B Server IP) > (Site A My PC IP): icmp: echo reply
   4: 08:31:37.954860 (Site A My PC IP).51262 > (Site B Server IP).3389: . ack 3045221995 win 254

3706 packets captured

Re: Weird One Way VPN tunnel issue

Hello IT.

On the capture we can see that Site B is receiving the traffic from Site A; that traffic is then decrypted and sent out the inside interface to the host. The host replies, and the packet never reaches Site A. That is our problem here.

I think the fastest way to solve this issue would be seeing the configuration of both ASAs, Site A and Site B; you can change some parts of the configuration for security purposes.

That will make this troubleshooting ticket faster.

Regards,

Julio

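The reasoning in the reply above (inside-interface captures on both ASAs: Site A shows only outbound echo requests, Site B shows the request and the host's reply, so the reply is lost somewhere between Site B's inside interface and Site A's inside interface) can be mechanised. The script below is an added example, not a Cisco tool and not code from the thread: it parses "show capture" lines in the format the thread shows, counts packets per direction for one host pair on each side, and returns which leg of the round trip is missing. The two host addresses (192.0.2.10 and 198.51.100.20) and the capture lines are constructed to reproduce the thread's symptom, since the real addresses are masked in the post.

```python
"""Compare inside-interface captures from two site-to-site VPN peers and
report which leg of a host-to-host round trip is missing. Added example;
the capture text below is constructed, not from the thread."""
import re
from collections import Counter

# Constructed samples in "show capture" line format; host IPs are documentation
# addresses standing in for "Site A My PC IP" and "Site B Server IP".
HOST_A = "192.0.2.10"
HOST_B = "198.51.100.20"
SITE_A_CAP = """\
   1: 16:40:23.785588 192.0.2.10.51262 > 198.51.100.20.3389: . ack 227846090 win 253
   2: 16:40:24.644757 192.0.2.10 > 198.51.100.20: icmp: echo request
   3: 16:40:25.645810 192.0.2.10 > 198.51.100.20: icmp: echo request
3 packets captured
"""
SITE_B_CAP = """\
   1: 08:31:37.574692 198.51.100.20.3389 > 192.0.2.10.51262: P 3045221942:3045221995(53) ack 1733105712 win 255
   2: 08:31:37.837526 192.0.2.10 > 198.51.100.20: icmp: echo request
   3: 08:31:37.837725 198.51.100.20 > 192.0.2.10: icmp: echo reply
3 packets captured
"""

# "<n>: <timestamp> <src[.port]> > <dst[.port]>: <protocol details>"
PKT_RE = re.compile(r"^\s*\d+:\s+\S+\s+(\S+)\s+>\s+([^:\s]+):\s*(.*)$")


def split_endpoint(token):
    """'a.b.c.d.port' -> ('a.b.c.d', port); bare 'a.b.c.d' -> ('a.b.c.d', None)."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def parse_capture(text):
    """Return one dict per packet line; summary lines such as 'N packets captured' are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group(1))
        dst, dport = split_endpoint(m.group(2))
        pkts.append({"src": src, "dst": dst, "sport": sport, "dport": dport, "info": m.group(3)})
    return pkts


def direction_counts(pkts, host_a, host_b):
    """Count packets seen in each direction between the two hosts."""
    counts = Counter()
    for p in pkts:
        if p["src"] == host_a and p["dst"] == host_b:
            counts["a_to_b"] += 1
        elif p["src"] == host_b and p["dst"] == host_a:
            counts["b_to_a"] += 1
    return counts


def diagnose(cap_a_text, cap_b_text, host_a, host_b):
    """Locate the missing leg from the two inside-interface captures."""
    a = direction_counts(parse_capture(cap_a_text), host_a, host_b)
    b = direction_counts(parse_capture(cap_b_text), host_a, host_b)
    if a["a_to_b"] == 0:
        return "no-traffic-from-site-a"   # nothing entered A's inside interface: host or routing at A
    if b["a_to_b"] == 0:
        return "lost-a-to-b"              # left A's inside, never reached B's inside: encrypt/transit/decrypt
    if b["b_to_a"] == 0:
        return "no-reply-at-site-b"       # B host received the request but did not answer
    if a["b_to_a"] == 0:
        return "lost-b-to-a"              # B host answered, reply never reached A's inside interface
    return "bidirectional-ok"


if __name__ == "__main__":
    print(diagnose(SITE_A_CAP, SITE_B_CAP, HOST_A, HOST_B))  # prints: lost-b-to-a
```

"lost-b-to-a" narrows the search to the return path: the branch's crypto ACL and NAT for host B to host A, the transit between the peers, and decryption and NAT on the HQ side, which is why the reply asks for both full configurations.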
New Member

Weird One Way VPN tunnel issue

Julio,

1. Site B Branch is receiving the traffic from Site A HQ

2. Site B Branch decrypts the traffic and then sends it to the Site B Branch inside interface to the host

3. The host on Site B Branch replies, but the packet never reaches Site A HQ

In other words:

1. (Site B Server PC) is receiving traffic (ping for example) from (Site A My PC IP)

2. (Site B Server PC) decrypts the traffic (ping) and then sends it to the Site B Branch inside interface to the host

3. The reply from (Site B Server PC) never reaches (Site A My PC IP)

Is that what you mean? Can you explain more about it? I don't really understand.

Is it possible I can just PM the configuration files from the two sites?

THANKS!

Weird One Way VPN tunnel issue

Hello IT,

Yes, that is what is happening; we are not seeing the traffic getting to the inside interface of Site A.

That is why I would like to check both ASAs configuration.

Regards,

Julio

New Member

Weird One Way VPN tunnel issue

Julio,

I am going to PM you the configuration for Site B now.. and Site A later today!!

Thanks again for all your help!

IT

New Member

Weird One Way VPN tunnel issue

Please Check PM!


Thanks!!!

Weird One Way VPN tunnel issue

Hello IT,

ok I will!
