
ASA 5505 strange IPSec issue with one way traffic

regs20061
Level 1

I have a little issue I hope you can help me with.

I have site to site IPSec VPN connection up and running between a Cisco ASA 5510 and Mikrotik RB951 router. 

The Cisco ASA 5510 has the IP 1.1.1.1 on its PPPoE_Ertelecom interface and the Mikrotik has the IP address 2.2.2.2 on its WAN interface.

The Cisco has the 192.168.151.0/24 network behind it, and the Mikrotik has the 10.1.1.0/24 network behind it.

Everything works fine: the tunnel comes up OK and traffic is sent in both directions.

But periodically a bug occurs:

1) Usually pings between 192.168.151.0/24 and 10.1.1.0/24 are about 10-20 ms. When the bug happens, pings increase to 100-200 ms or 600-800 ms.

2) HTTP, SSH, shared folders, etc. don't work (only ping works).

On the Mikrotik I see 2 SPIs:

from 1.1.1.1 to 2.2.2.2 - the byte count here is 0 (usually it's increasing)

and from 2.2.2.2 to 1.1.1.1 - the value is increasing (when I ping, or try to connect via SSH, for example)

On the Cisco ASA, in the Site-to-Site section status, I see:

Bytes TX = 0 and it's not increasing (usually it's an increasing number)

Bytes RX = an increasing number

And when I try to access some IP from 192.168.151.0/24 or from 10.1.1.0/24 via HTTP or SSH, etc., I see in the ASA logs something like this: deny tcp (no connection) from flags ack

But at the same time pings are being sent from both sides (they just become very high).

Phase 1 and Phase 2 established fine.

And the strangest thing is that the issue comes periodically - for example, it didn't work all day yesterday, but today everything has been working just fine for some time (I didn't even reboot or change the configuration on the devices).

I just want to know why it happens:

1) Is it an ISP issue?

2) Is it a Cisco routing issue?

3) Is it an ACL problem?

Mikrotik settings:

/ip ipsec peer
add address=1.1.1.1/32 auth-method=pre-shared-key dh-group=modp1024 \
    disabled=no dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=3des \
    exchange-mode=main generate-policy=no hash-algorithm=sha1 lifebytes=0 \
    lifetime=8h my-id-user-fqdn="" nat-traversal=no port=500 proposal-check=\
    obey secret=12345678 send-initial-contact=yes
/ip ipsec policy
add action=encrypt disabled=no dst-address=192.168.151.0/24 dst-port=any \
    ipsec-protocols=esp level=require priority=0 proposal=default protocol=\
    all sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 \
    src-address=10.1.1.0/24 src-port=any tunnel=yes

Cisco VPN config:

ASA Version 8.2(5)

access-list Inside_access_in extended permit ip 192.168.151.0 255.255.255.0 10.1.1.0 255.255.255.0

access-list PPPoE_Ertelecom_5_cryptomap extended permit ip 192.168.151.0 255.255.255.0 10.1.1.0 255.255.255.0

tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****

crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map PPPoE_Ertelecom_dyn_map 65535 set transform-set ESP-3DES-SHA ESP-3DES-MD5 TRANS_ESP_3DES_SHA ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map PPPoE_Ertelecom_map0 5 match address PPPoE_Ertelecom_5_cryptomap
crypto map PPPoE_Ertelecom_map0 5 set pfs
crypto map PPPoE_Ertelecom_map0 5 set peer 2.2.2.2

crypto isakmp enable PPPoE_Ertelecom
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 60
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp nat-traversal 300

Sorry for my English.

Thanks!

1 Reply

Jouni Forss
VIP Alumni

Hi,

Would probably need to see some logs of your connection attempts (Built/Teardown). Also would be good to see the whole log message that you mention.

The log message you mention is usually the result of a situation where a connection that was formed through the ASA was already removed, either by the ASA or even by the client/server pair, and one of the hosts still tries to send data with the same source/destination port.

Sometimes it's the result of asymmetric routing, where the ASA only sees the other direction of the connection attempt, for example, and therefore blocks it.

In the above case it just seems to me that the ASA does not have an existing TCP connection to which that incoming packet belongs and therefore blocks it.

You seem to have the latest software version of the 8.2 series, though if that's the full version number then you don't seem to have the later releases that fix existing bugs.

We used to have a VPN related bug on 2 different VPN devices when they were running 8.2(1). The problem was that the ASA stopped encrypting traffic. In other words you would stop seeing transmitted (Tx) traffic on the VPN Connection. This could usually be corrected with a reboot or changing the Active firewall in a Failover pair.

I am not sure if the software level you mention has the bug. I think we updated the other one to 8.2(5) after the problem and it has not appeared again.

When the problem situation is on, you could try the "packet-tracer" command on the ASA to simulate traffic going to the VPN and see if the packet tracer even goes through (it does not generate actual traffic to the connection).

packet-tracer input <source interface> tcp <source ip> <source port> <destination ip> <destination port>

- Jouni
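As an added illustration of the symptom in the question (one SA direction stuck at 0 bytes while the other keeps growing) and of the explanation in this reply (the ASA dropping ACK segments for which it holds no connection), here is a small Python checker; it is not code from either poster or from Cisco or MikroTik. It assumes the full form of the ASA message the question quotes in abbreviation, %ASA-6-106015 "Deny TCP (no connection) from src/port to dst/port flags ... on interface ...", and the sample log lines and SA byte counters below are constructed for the example, not taken from the thread.

```python
import re
from collections import Counter

# Assumed full layout of the message the question abbreviates as
# "deny tcp (no connection) from flags ack" (ASA syslog ID 106015).
DENY_NO_CONN = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Constructed sample syslog lines (not from the thread). The first line is
# a different message ID and must be ignored by the parser.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 1234 for PPPoE_Ertelecom:10.1.1.5/45512 (10.1.1.5/45512) to inside:192.168.151.10/22 (192.168.151.10/22)
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/45512 to 192.168.151.10/22 flags ACK on interface PPPoE_Ertelecom
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/45514 to 192.168.151.10/80 flags ACK on interface PPPoE_Ertelecom
%ASA-6-106015: Deny TCP (no connection) from 10.1.1.5/45512 to 192.168.151.10/22 flags ACK on interface PPPoE_Ertelecom
"""

# Constructed per-SA byte counters keyed by (sa_src, sa_dst), sampled twice
# a minute apart. They mirror the question: 1.1.1.1 -> 2.2.2.2 never moves,
# 2.2.2.2 -> 1.1.1.1 keeps increasing.
SA_SAMPLE_T0 = {("1.1.1.1", "2.2.2.2"): 0, ("2.2.2.2", "1.1.1.1"): 120_000}
SA_SAMPLE_T1 = {("1.1.1.1", "2.2.2.2"): 0, ("2.2.2.2", "1.1.1.1"): 131_500}


def parse_no_connection_denies(log_text):
    """Return one dict per 106015 line; every other message ID is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY_NO_CONN.search(line)
        if m:
            ev = m.groupdict()
            ev["sport"] = int(ev["sport"])
            ev["dport"] = int(ev["dport"])
            ev["flags"] = ev["flags"].strip().upper()
            events.append(ev)
    return events


def denies_per_service(events):
    """Count ACK-only 'no connection' denies per (src, dst, dport).

    An ACK with no matching connection is the signature the reply describes:
    the ASA never saw (or already dropped) the connection this segment
    belongs to, so the three-way handshake is not completing through it.
    """
    return Counter(
        (e["src"], e["dst"], e["dport"]) for e in events if e["flags"] == "ACK"
    )


def sa_direction_status(before, after):
    """Compare two samples of per-SA byte counters and classify each direction."""
    status = {}
    for key, later in after.items():
        earlier = before.get(key, 0)
        status[key] = "growing" if later > earlier else "stalled"
    return status


def diagnose_one_way(before, after, log_text):
    """Combine SA counter movement with deny evidence into a single verdict."""
    status = sa_direction_status(before, after)
    stalled = sorted(k for k, s in status.items() if s == "stalled")
    growing = sorted(k for k, s in status.items() if s == "growing")
    denies = denies_per_service(parse_no_connection_denies(log_text))
    report = {"stalled": stalled, "growing": growing, "denied_flows": dict(denies)}
    if stalled and growing and denies:
        report["verdict"] = "one-way tunnel"
    elif stalled and growing:
        report["verdict"] = "one direction stalled, no TCP deny evidence yet"
    else:
        report["verdict"] = "both directions moving"
    return report


if __name__ == "__main__":
    result = diagnose_one_way(SA_SAMPLE_T0, SA_SAMPLE_T1, SAMPLE_LOGS)
    print(result["verdict"])
    for flow, n in result["denied_flows"].items():
        print(f"  {flow[0]} -> {flow[1]}:{flow[2]}  ACK-without-connection denies: {n}")
```

The two checks are deliberately independent: the counter comparison works with whatever source gives you per-direction SA bytes (the Mikrotik SPI view or the ASA's TX/RX figures), and the log parser needs only the syslog feed. A verdict of "one-way tunnel" is the moment to run the packet-tracer command suggested above, since ping surviving while TCP fails is consistent with ICMP echo requests needing no connection entry in the direction the ASA is not encrypting.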
