5505 DHCP L2L VPN to 5525 does not pass traffic

I have an issue with an L2L VPN that gets built, but does not pass traffic.

1. The initiating site (Site 11, ASA 5505, DHCP) creates a tunnel and encrypts packets.
2. The responding site (Site 1, ASA 5525) builds the tunnel and decrypts packets.
3. The responding site (Site 1, ASA 5525) does NOT encrypt packets to the initiator.
4. The initiating site (Site 11, ASA 5505) does NOT decrypt packets from the responding ASA 5525.

(Site 1) is the HQ and responds to all VPN requests
(Site 1) has 2 Internet Providers, and the 5525 is connected to <Provider_2>

(Site 11) is behind a 4G MiFi provider
10.11.0.0 <-- 5505 --> 192.168.0.0 <-- MiFi--> WAN DHCP

=============================================================================
**** (Site 11) ****

<Initiating-5505># sho run
: Saved
:
ASA Version 8.2(5)
!
hostname <Initiating-5505>
domain-name <removed>
names
!
interface Ethernet0/0
description * Outside - Internet
switchport access vlan 2
!
interface Ethernet0/1
description * Inside network
switchport access vlan 3
!
interface Ethernet0/2
description * Inside network
switchport access vlan 3
!
interface Ethernet0/3
description * Inside network
switchport access vlan 3
!
interface Ethernet0/4
description * Inside network
switchport access vlan 3
!
interface Ethernet0/5
description * Inside network
switchport access vlan 3
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
shutdown
no nameif
no security-level
no ip address
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute / from <Provider_3>
!
interface Vlan3
nameif inside
security-level 100
ip address 10.11.19.1 255.255.255.0
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name <removed>
object-group network Internal_NET
network-object 10.0.0.0 255.0.0.0
object-group network Site_1_NET
network-object 10.1.0.0 255.255.0.0
object-group network Site_2_NET
network-object 10.2.0.0 255.255.0.0
object-group network Site_3_NET
network-object 10.3.0.0 255.255.0.0
object-group network Site_11_NET
network-object 10.11.19.0 255.255.255.0
object-group network Provider_1_NET
network-object <Provider_1>.0 255.255.255.0
access-list VPN_Traffic extended permit ip 10.11.0.0 255.255.0.0 10.1.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply outside
icmp permit any outside
icmp permit any echo outside
icmp permit any inside
icmp permit any echo inside
icmp permit any echo-reply inside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list VPN_Traffic
nat (inside) 1 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication secure-http-client
http server enable
http 10.11.19.0 255.255.255.0 inside
http <Provider_1>.0 255.255.255.0 outside
snmp-server location <removed>
snmp-server contact <removed>
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set <Site_1>_VPN esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPN_MAP 1 match address VPN_Traffic
crypto map VPN_MAP 1 set peer <Provider_2>.253
crypto map VPN_MAP 1 set transform-set <Site_1>_VPN
crypto map VPN_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet timeout 5
ssh 10.11.19.0 255.255.255.0 inside
ssh timeout 16
ssh version 2
console timeout 0
management-access inside
dhcpd auto_config outside
!
dhcpd address 10.11.19.11-10.11.19.42 inside
dhcpd dns <Pri_DNS> <Sec_DNS> interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server <removed> source outside
ntp server <removed> source outside
ntp server <removed> source outside
ntp server <removed> source outside
webvpn
tunnel-group <Provider_2>.253 type ipsec-l2l
tunnel-group <Provider_2>.253 ipsec-attributes
pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting
: end

=============================================================================
**** (Site 1) ****

<Responding-5525># sho run
: Saved
:
ASA Version 8.6(1)2
!
hostname <Responding-5525>
domain-name <removed>
names
!
interface GigabitEthernet0/0
speed 1000
duplex full
nameif inside
security-level 100
ip address 10.1.1.10 255.255.255.252
!
interface GigabitEthernet0/1
speed 1000
duplex full
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
nameif Outside
security-level 0
ip address <Provider_2>.253 255.255.255.0
!
interface Management0/0
shutdown
nameif management
security-level 100
ip address 10.1.100.246 255.255.255.0
management-only
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
domain-name <removed>
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network Internal_NET
network-object 10.0.0.0 255.0.0.0
object network Site_1_NET
subnet 10.1.0.0 255.255.0.0
object network Site_2_NET
subnet 10.2.0.0 255.255.0.0
object network Site_3_NET
subnet 10.3.0.0 255.255.0.0
object network Site_11_NET
subnet 10.11.0.0 255.255.0.0
object network Provider_2_NET
subnet <Provider_2>.0 255.255.255.0
access-list <Site_11>_VPN_Traffic extended permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
pager lines 24
logging asdm informational
mtu management 1500
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply Outside
icmp permit any echo Outside
icmp permit any Outside
icmp permit any echo inside
icmp permit any echo-reply inside
icmp permit any inside
no asdm history enable
arp timeout 14400
nat (inside,Outside) source static Site_1_NET Site_1_NET destination static Site_11_NET Site_11_NET
!
nat (inside,Outside) after-auto source dynamic any interface
route Outside 0.0.0.0 0.0.0.0 <Provider_2>.254 1
route inside 10.1.0.0 255.255.0.0 10.1.1.9 1
route inside 10.2.0.0 255.255.0.0 10.1.1.2 2
route inside 10.3.0.0 255.255.0.0 10.1.1.6 2
route inside 172.22.0.0 255.255.252.0 10.1.1.9 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication secure-http-client
http server enable
http <removed> 255.255.255.255 Outside
http <removed> 255.255.255.255 Outside
http 10.1.20.0 255.255.255.0 inside
http redirect management 80
snmp-server location <Site_1> Rack 5
snmp-server contact <Me>
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set <Site_11>_VPN esp-aes-256 esp-sha-hmac
crypto dynamic-map <Site_11>_DYNMAP 10 set ikev1 transform-set <Site_11>_VPN
crypto map outside 100 ipsec-isakmp dynamic <Site_11>_DYNMAP
crypto map outside interface Outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev1 enable Outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 5
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
client-update enable
telnet timeout 5
ssh <removed> 255.255.255.255 Outside
ssh <removed> 255.255.255.255 Outside
ssh 10.1.20.0 255.255.255.0 inside
ssh timeout 16
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp authenticate
ntp server <removed> source Outside
ntp server <removed> source Outside
ntp server <removed> source Outside
ntp server <removed> source Outside
webvpn
tunnel-group DefaultL2LGroup ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
: end

=============================================================================

<Initiating-5505># sho cry isa sa

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: <Provider_2>.253
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
<Initiating-5505>#
<Initiating-5505># sho cry ips sa
interface: outside
Crypto map tag: VPN_MAP, seq num: 1, local addr: 192.168.0.2

access-list VPN_Traffic extended permit ip 10.11.0.0 255.255.0.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: <Provider_2>.253

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 192.168.0.2/4500, remote crypto endpt.: <Provider_2>.253/4500
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: EC2BAC9D
current inbound spi : 76EBBB1F

inbound esp sas:
spi: 0x76EBBB1F (1995160351)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 114688, crypto-map: VPN_MAP
sa timing: remaining key lifetime (kB/sec): (3915000/24221)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xEC2BAC9D (3962285213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 114688, crypto-map: VPN_MAP
sa timing: remaining key lifetime (kB/sec): (3914999/24221)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

=============================================================================

<Responding-5525># sho cry isa sa

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: <Provider_3>.78
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

<Responding-5525># sho cry ips sa
interface: Outside
Crypto map tag: <Site_11>_DYNMAP, seq num: 10, local addr: <Provider_2>.253

local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
current_peer: <Provider_3>.78

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: <Provider_2>.253/4500, remote crypto endpt.: <Provider_3>.78/4730
path mtu 1500, ipsec overhead 82, media mtu 1500
current outbound spi: 76EBBB1F
current inbound spi : EC2BAC9D

inbound esp sas:
spi: 0xEC2BAC9D (3962285213)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 290816, crypto-map: <Site_11>_DYNMAP
sa timing: remaining key lifetime (kB/sec): (4373999/24086)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000003FF
outbound esp sas:
spi: 0x76EBBB1F (1995160351)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, NAT-T-Encaps, }
slot: 0, conn_id: 290816, crypto-map: <Site_11>_DYNMAP
sa timing: remaining key lifetime (kB/sec): (4374000/24085)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

=============================================================================


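Added example, not part of the original post: the two `show crypto ipsec sa` outputs above say the same thing from opposite ends (encaps only on the 5505, decaps only on the 5525), and a quick cross-check of both is the first thing to do before touching config. The script below parses both outputs, verifies that the SPIs pair up (each side's outbound SPI is the other side's inbound SPI), that the proxy identities mirror each other, and then names the direction that carries no traffic. The two sample outputs are constructed from the counters and SPIs quoted in the thread, trimmed to the lines the parser needs; peer addresses keep the thread's `<Provider_N>` placeholders.

```python
"""Cross-check `show crypto ipsec sa` from both peers of an L2L tunnel.

The sample outputs are constructed from the values posted in the thread
(initiator: 9 encaps / 0 decaps, responder: 0 encaps / 9 decaps).
"""
import re

INITIATOR_SA = """\
interface: outside
Crypto map tag: VPN_MAP, seq num: 1, local addr: 192.168.0.2

access-list VPN_Traffic extended permit ip 10.11.0.0 255.255.0.0 10.1.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
current_peer: <Provider_2>.253

#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0

current outbound spi: EC2BAC9D
current inbound spi : 76EBBB1F
"""

RESPONDER_SA = """\
interface: Outside
Crypto map tag: <Site_11>_DYNMAP, seq num: 10, local addr: <Provider_2>.253

local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.11.0.0/255.255.0.0/0/0)
current_peer: <Provider_3>.78

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
#send errors: 0, #recv errors: 0

current outbound spi: 76EBBB1F
current inbound spi : EC2BAC9D
"""

_COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERRORS = re.compile(r"#send errors: (\d+), #recv errors: (\d+)")
_SPI = re.compile(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")
_IDENT = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^)]*)\)")


def parse_ipsec_sa(text):
    """Extract counters, SPIs and proxy identities of the first SA in the output."""
    sa = {}
    for m in _COUNTER.finditer(text):
        sa.setdefault(m.group(1), int(m.group(2)))       # first SA only
    m = _ERRORS.search(text)
    sa["send_errors"], sa["recv_errors"] = (int(m.group(1)), int(m.group(2))) if m else (0, 0)
    for m in _SPI.finditer(text):
        sa.setdefault(m.group(1) + "_spi", m.group(2).upper())
    for m in _IDENT.finditer(text):
        sa.setdefault(m.group(1) + "_ident", m.group(2))
    missing = {"encaps", "decaps", "outbound_spi", "inbound_spi",
               "local_ident", "remote_ident"} - set(sa)
    if missing:
        raise ValueError("fields not found in output: %s" % sorted(missing))
    return sa


def _direction(sender, receiver):
    """One direction works only if the sender encapsulates AND the receiver decapsulates."""
    if sender["encaps"] == 0:
        return "not-encrypted"   # nothing for the remote subnet reached the sender's crypto map
    if receiver["decaps"] == 0:
        return "not-decrypted"   # ESP left the sender but the receiver never accepted it
    return "ok"


def diagnose(a, b):
    """Compare peer A's view of the SA pair with peer B's view."""
    return {
        "spi_pairing_ok": a["outbound_spi"] == b["inbound_spi"]
        and a["inbound_spi"] == b["outbound_spi"],
        "proxy_ids_mirrored": a["local_ident"] == b["remote_ident"]
        and a["remote_ident"] == b["local_ident"],
        "a_to_b": _direction(a, b),
        "b_to_a": _direction(b, a),
        "errors": a["send_errors"] + a["recv_errors"] + b["send_errors"] + b["recv_errors"],
    }


NEXT_STEP = {
    "ok": "carrying traffic",
    "not-encrypted": "sender never encrypted: capture the return flow on its inside "
                     "interface and run packet-tracer with a host address behind it",
    "not-decrypted": "receiver never decrypted: ESP (UDP/4500 with NAT-T) is not "
                     "arriving, or the SPIs do not match",
}

if __name__ == "__main__":
    init, resp = parse_ipsec_sa(INITIATOR_SA), parse_ipsec_sa(RESPONDER_SA)
    f = diagnose(init, resp)
    print("SPI pairing consistent:", f["spi_pairing_ok"])
    print("proxy IDs mirrored    :", f["proxy_ids_mirrored"])
    print("initiator -> responder:", NEXT_STEP[f["a_to_b"]])
    print("responder -> initiator:", NEXT_STEP[f["b_to_a"]])
```

On the outputs in this thread the SPIs pair up and the proxy IDs mirror each other, so the tunnel itself negotiated correctly; the only finding is the responder-to-initiator direction, where the 5525 never encrypted anything, which is exactly where the replies below go looking (inside capture and packet-tracer on the responder).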

3 REPLIES

Hi,

Let's focus on the responding site.

- Verify that the return traffic is routed back to the ASA when going from 10.1.0.0 to 10.11.0.0. You may set captures at the inside to trace the return packets:

cap in interface inside match ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0

then: show cap in

- get the output of this packet-tracer from the responding side:

packet-tracer input inside icmp 10.1.1.1 8 0 10.11.0.0 detail

Hope this helps.

----
Mashal Shboul


Thanks for the reply.  Did not get to look at it until today.

On responding VPN site - ASA 5525:

ASA-5525# cap in interface inside match ip 10.1.0.0 255.255.0.0 10.11.0.0 25$
ASA-5525# sho cap in
0 packet captured
0 packet shown
ASA-5525# ping 10.11.19.11
Sending 5, 100-byte ICMP Echos to 10.11.19.11, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA-5525# sho route
C    50.204.91.0 255.255.255.0 is directly connected, Outside
S    172.22.0.0 255.255.252.0 [1/0] via 10.1.1.9, inside
C    10.1.1.8 255.255.255.252 is directly connected, inside
S    10.2.0.0 255.255.0.0 [2/0] via 10.1.1.2, inside
S    10.3.0.0 255.255.0.0 [2/0] via 10.1.1.6, inside
S    10.1.0.0 255.255.0.0 [1/0] via 10.1.1.9, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 50.204.91.254, Outside
ASA-5525# sho cap in
0 packet captured
0 packet shown
ASA-5525# packet-tracer input inside icmp 10.1.1.1 8 0 10.11.0.0 detail

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff386d9c60, priority=13, domain=capture, deny=false
    hits=385, user_data=0x7fff37a89420, cs_id=0x0, l3_type=0x0
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0000.0000.0000
    input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff3750e9f0, priority=1, domain=permit, deny=false
    hits=496491, user_data=0x0, cs_id=0x0, l3_type=0x8
    src mac=0000.0000.0000, mask=0000.0000.0000
    dst mac=0000.0000.0000, mask=0100.0000.0000
    input_ifc=inside, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         Outside

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff37be6b10, priority=0, domain=inspect-ip-options, deny=true
    hits=30480, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
    src ip/id=0.0.0.0, mask=0.0.0.0, port=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff37495120, priority=70, domain=inspect-icmp, deny=false
    hits=43, user_data=0x7fff3867f6d0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0x7fff3788fd70, priority=66, domain=inspect-icmp-error, deny=false
    hits=113, user_data=0x7fff37dc63a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
    src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
    dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
    input_ifc=inside, output_ifc=any

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,Outside) source static Chicago_NET Chicago_NET destination static Milan_MO_NET Milan_MO_NET
Additional Information:
Static translate 10.1.1.1/0 to 10.1.1.1/0
Forward Flow based lookup yields rule:
in  id=0x7fff37b65ef0, priority=6, domain=nat, deny=false
    hits=1, user_data=0x7fff377a6340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
    src ip/id=10.1.0.0, mask=255.255.0.0, port=0
    dst ip/id=10.11.0.0, mask=255.255.0.0, port=0, dscp=0x0
    input_ifc=inside, output_ifc=Outside

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff377afe20, priority=70, domain=encrypt, deny=false
    hits=21790, user_data=0x0, cs_id=0x7fff37985020, reverse, flags=0x0, protocol=0
    src ip/id=10.1.0.0, mask=255.255.0.0, port=0
    dst ip/id=10.11.0.0, mask=255.255.0.0, port=0, dscp=0x0
    input_ifc=any, output_ifc=Outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Hi Bruce,

We need a test for traffic through the tunnel, so the ping should not be sourced from the ASA itself, but it should be from 10.1.1.x to 10.11.0.x. Then please take the same captures while doing the right test.

Could you please also take the same packet-tracer twice?

Regards.

--
Mashal Shboul
