New Member

ASA 8.4(2): VPN Filter problem with IPsec L2L

Hello!

We use vpn-filter on central ASA 5520 (8.4(2)) to control traffic from remote sites.

At remote sites we have 5505 and IPsec L2L to each of them.

L2L crypto ACLs look like this:

access-list vpn-site1 extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0
access-list vpn-site2 extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0
...

When we implemented vpn-filter, everything worked fine for a week.

Then suddenly all remote sites lost their connectivity with the central LAN segment, situated behind the inside interface of the 5520.

At the same time on 5520:

  • show crypto ipsec sa peer shows that IPsec is established and encaps/decaps counters are increasing
  • capture on the inside interface shows traffic travelling from LAN to region and no traffic from region to LAN
  • the sysopt connection permit-vpn feature is enabled, so we do not need to permit traffic from the VPN on the outside interface
  • clearing with clear cry isa sa solves the problem for several minutes, but then the connection to the remote site is lost again
  • monitoring the rules in the filter ACL shows us:

%ASA-6-106102: access-list regions-acl permitted icmp for user '<unknown>' inside/10.1.1.2(8) -> outside/172.16.1.10(0) hit-cnt 54 300-second interval
%ASA-6-106102: access-list regions-acl permitted icmp for user '<unknown>' outside/172.16.1.10(0) -> inside/10.1.1.2(0) hit-cnt 1 first hit

Config on the central site 5520:

object-group network regions
 network-object 172.16.0.0 255.255.0.0
 network-object 192.168.0.0 255.255.0.0
!
object-group network center
 network-object 10.0.0.0 255.0.0.0
!
access-list regions-acl extended permit ip object-group regions object-group center
!
group-policy region-filter internal
group-policy region-filter attributes
 vpn-filter value regions-acl
!
tunnel-group <peer_ip> general-attributes
 default-group-policy region-filter
!

What can cause this kind of problem?

Are there any bugs in 8.4(2) when using VPN filters?

We have the same scheme on a 5520 with 8.2(4) and no problems with it, all works fine!

2 REPLIES
Cisco Employee

ASA 8.4(2): VPN Filter problem with IPsec L2L

This sounds like a bug, but I can't think of any match in 8.4.2.

Just to be sure could you try 8.4.4 ?

If that still fails would you be able to open a TAC case?

BTW with your current config the vpn-filter seems to be allowing all the VPN traffic, so you may just as well keep it disabled?

Herbert
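Herbert's observation that the filter in the question permits all of the tunnel traffic can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses the object-groups, crypto ACLs and vpn-filter ACL quoted in the question (copied into the script as constants) and reports any crypto-ACL flow that the vpn-filter would not permit, taking into account that a vpn-filter ACE is written from the remote peer's perspective (source = remote network, destination = local network).

```python
import ipaddress

# Constructed from the configs quoted in the thread (ASA netmask notation).
OBJECT_GROUPS = {
    "regions": ["172.16.0.0 255.255.0.0", "192.168.0.0 255.255.0.0"],
    "center": ["10.0.0.0 255.0.0.0"],
}
VPN_FILTER_ACL = [
    "access-list regions-acl extended permit ip object-group regions object-group center",
]
CRYPTO_ACLS = {  # central-site perspective: source = local, destination = remote
    "vpn-site1": ["access-list vpn-site1 extended permit ip 10.0.0.0 255.0.0.0 172.16.1.0 255.255.255.0"],
    "vpn-site2": ["access-list vpn-site2 extended permit ip 10.0.0.0 255.0.0.0 192.168.1.0 255.255.255.0"],
}


def _parse_addr(tok, i, groups):
    """Parse one ASA address spec starting at tok[i]; return (networks, next index)."""
    if tok[i] == "object-group":
        return [ipaddress.ip_network(m.replace(" ", "/")) for m in groups[tok[i + 1]]], i + 2
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(tok[i + 1])], i + 2
    return [ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}")], i + 2


def parse_ace(line, groups):
    """Return (action, protocol, src_nets, dst_nets) for one 'access-list ... extended' line."""
    tok = line.split()
    i = tok.index("extended") + 1
    action, proto = tok[i], tok[i + 1]
    src, i = _parse_addr(tok, i + 2, groups)
    dst, _ = _parse_addr(tok, i, groups)
    return action, proto, src, dst


def uncovered_flows(crypto_lines, filter_lines, groups):
    """Crypto-ACL (local, remote) pairs that no 'permit ip' entry of the vpn-filter covers."""
    permits = [(s, d) for a, p, s, d in (parse_ace(l, groups) for l in filter_lines)
               if a == "permit" and p == "ip"]
    missing = []
    for line in crypto_lines:
        _, _, local_nets, remote_nets = parse_ace(line, groups)
        for local in local_nets:
            for remote in remote_nets:
                # vpn-filter ACEs are remote -> local, so compare with the sides swapped.
                if not any(remote.subnet_of(fs) and local.subnet_of(fd)
                           for fsrc, fdst in permits for fs in fsrc for fd in fdst):
                    missing.append((str(local), str(remote)))
    return missing


def check_all():
    """Map each crypto ACL name to the flows the vpn-filter would block (empty = fully permitted)."""
    return {name: uncovered_flows(lines, VPN_FILTER_ACL, OBJECT_GROUPS) for name, lines in CRYPTO_ACLS.items()}
```

Run against the thread's config, `check_all()` returns an empty list for both sites, which is exactly why the filter adds no restriction as written.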

New Member

ASA 8.4(2): VPN Filter problem with IPsec L2L

Hello, Herbert!

Thank you for your answer.

The problem was solved by specifying vpn-tunnel-protocol under the group-policy attributes:

group-policy vpn-filter attributes
 vpn-filter value vpn-acl
 vpn-tunnel-protocol ikev1 ikev2
