Solved: ASA L2L not sending encryted traffic

shane.barry · ‎09-16-2014

I currently have an issue passing traffic from an ASA 5520 to a 877W. The traffic is being encrypted from the router to the ASA (as shown below) however the ASA is not sending any encrypted traffic. I have tried upgrading from 8.4(7) to 9.1(5), wiping the config and starting fresh, configuring the VPN's via CLI and using the ASDM wizard. I've also tried a 1841 and experience the same issue.

Any ideas before I log a TAC case? Pulling my hair out with this one!

877W Config:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key psk address ASA-EXTERNAL

crypto ipsec transform-set TS esp-3des esp-sha-hmac

crypto map CMAP 10 ipsec-isakmp
set peer ASA-EXTERNAL
set security-association lifetime seconds 28800
set transform-set TS
match address VPN-TRAFFIC

interface Dialer0
crypto map CMAP

ip route 0.0.0.0 0.0.0.0 Dialer0

ip nat inside source list 100 interface Dialer0 overload

ip access-list extended VPN-TRAFFIC
permit ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255

access-list 100 remark Define NAT
access-list 100 deny ip 192.168.20.0 0.0.0.255 172.16.250.0 0.0.0.255
access-list 100 remark
access-list 100 deny ip 192.168.20.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.20.0 0.0.0.255 any

ASA:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address ASA-EXTERNAL-IP
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.250.247 255.255.255.0
!
same-security-traffic permit inter-interface
object network VPNLocal
subnet 172.16.250.0 255.255.255.0
object network VPNRemote
subnet 192.168.20.0 255.255.255.0

access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote
access-list outside_access_in extended permit ip object VPNRemote 172.16.250.0 255.255.255.0 log disable
access-list inside_access_in extended permit ip 172.16.250.0 255.255.255.0 object VPNRemote

icmp permit any outside
icmp permit any inside

nat (inside,outside) source static VPNLocal VPNLocal destination static VPNRemote VPNRemote no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY-IP 1
route inside 10.0.0.0 255.0.0.0 CORE-ROUTER 1

sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 877W-IP
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ikev1 enable outside

crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy GroupPolicy_877W-IP internal
group-policy GroupPolicy_877W-IP attributes
vpn-tunnel-protocol ikev1

tunnel-group 877W-IP type ipsec-l2l
tunnel-group 877W-IP general-attributes
default-group-policy GroupPolicy_81.133.227.150
tunnel-group 877W-IP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
!
service-policy global-policy global
prompt hostname context

877W sh crypto ipsec sa

interface: Dialer0
Crypto map tag: CMAP, local addr 877W-IP

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
current_peer ASA-EXTERNAL port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1771, #pkts encrypt: 1771, #pkts digest: 1771
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 17, #recv errors 0

local crypto endpt.: 877W-IP, remote crypto endpt.: ASA-EXTERNAL
path mtu 1500, ip mtu 1500, ip mtu idb Dialer0
current outbound spi: 0xD82FD3CE(3627013070)

inbound esp sas:
spi: 0x31F9F14C(838463820)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 29, flow_id: Motorola SEC 1.0:29, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4544227/24786)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xD82FD3CE(3627013070)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 30, flow_id: Motorola SEC 1.0:30, crypto map: CMAP
sa timing: remaining key lifetime (k/sec): (4544168/24786)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

interface: Virtual-Access2
Crypto map tag: CMAP, local addr 0.0.0.0

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
current_peer ASA-EXTERNAL port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 0.0.0.0, remote crypto endpt.: ASA-EXTERNAL
path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

ASA sh crypto ipsec sa

peer address: 877W-IP
Crypto map tag: outside_map, seq num: 1, local addr: ASA-EXERNAL

access-list outside_cryptomap extended permit ip 172.16.250.0 255.255.255.0 192.168.20.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.250.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
current_peer: 877W-IP

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 539, #pkts decrypt: 539, #pkts verify: 539
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: ASA-EXERNAL/0, remote crypto endpt.: 877W-IP/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 31F9F14C
current inbound spi : D82FD3CE

inbound esp sas:
spi: 0xD82FD3CE (3627013070)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 81920, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4373968/24993)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x31F9F14C (838463820)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 81920, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4374000/24993)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Marius Gunnerud · ‎01-26-2015

Glad you got it sorted :-)

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Marius Gunnerud · ‎09-17-2014

If you do a packet capture on the ASA for the VPN traffic between the inside and outside interface and then send traffic from the 877W side do you see traffic leaving the inside interface and return traffic entering the inside interface? (you wont see anything on the outside interface as it is encrypted).

If you do not see the return traffic, then I would assume you have a routing issue behind the ASA and that return traffic is being routed in a wrong direction.

refer to this document if you need help setting up a packet capture:

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

shane.barry · ‎09-17-2014

Hi Marius,

I couldn't use the 877W but tested with my 1841(it's identical to the 877W).

sh route
Gateway of last resort is ISP-GATEWAY to network 0.0.0.0

C 172.16.250.0 255.255.255.0 is directly connected, inside
C EXTERNAL-SUBNET 255.255.255.240 is directly connected, outside
S 192.168.20.0 255.255.255.0 [1/0] via ISP-GATEWAY, outside
S 10.0.0.0 255.0.0.0 [1/0] via CORE, inside
S 192.168.3.0 255.255.255.0 [1/0] via ISP-GATEWAY, outside
S* 0.0.0.0 0.0.0.0 [1/0] via ISP-GATEWAY, outside

Marius Gunnerud · ‎09-17-2014

Is 192.168.3.0/24 and 10.2.1.1 defined in the crypto ACL? and also exempt from NAT?

Because from your the configuration you posted it is 192.168.20.0/24 and 172.16.250.0/24 that is going over that tunnel.

If you could post a full (sanitized) running config of your ASA and the 1841 that could help in pinpointing where the issue could be. Also If you could posts a network diagram of how the 877W, 1841, and ASA are located in relation to eachother and to the 10.0.0.0 network.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

shane.barry · ‎09-17-2014

Sorry I think I confused matters running that test from the 1841 as I stripped out that part of the config I posted above.
I have rerun the test on the 877W as below.

The 172.16.250.0 network is directly connected (via a managed switch). I can ping everything I need to from the ASA.

Again from the 877W:

#pkts encaps: 13, #pkts encrypt: 13, #pkts digest: 13
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

ASA:

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13

Marius Gunnerud · ‎09-17-2014

Is the 172.16.250.0/24 network directly connected to the ASA or is it routed within your network?

Also, if 172.16.250.211 has a firewall installed on it such as windows firewall, or any other software firewall, make sure you disable it when testing as it can block ICMP and provide a false result.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

shane.barry · ‎09-17-2014

The network is directly connected, all there is between the server and the ASA is a switch. The firewall is off and I can ping the device from other sites etc.

Marius Gunnerud · ‎09-17-2014

Do you have an access list configured on the inside interface?

Would you be able to post a full (sanitized) running config of the ASA?

Are there any statically configured routes on the server that could be sending traffic in the wrong direction?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

shane.barry · ‎09-18-2014

I currently have an access list configured however before I did this it still didn't work.

There are no routes set on the server, the default gateway is the core layer 3 switch on site.

Here is the full config:

ASA Version 9.1(5)
!
hostname TestASA
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address EXTERNAL-IP 255.255.255.240
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.16.250.247 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
same-security-traffic permit inter-interface
object network obj-172.16.250.0
subnet 172.16.250.0 255.255.255.0
object network Remote_VPN
subnet 192.168.20.0 255.255.255.0
object network Home_VPN
subnet 192.168.3.0 255.255.255.0
object network obj-10.0.0.0-8
subnet 10.0.0.0 255.0.0.0
object network obj-172.0.0.0-8
subnet 172.0.0.0 255.0.0.0
object-group network DM_INLINE_NETWORK_1
network-object object obj-10.0.0.0-8
network-object object obj-172.0.0.0-8
access-list outside_cryptomap extended permit ip object obj-172.16.250.0 object Remote_VPN
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_1 object Home_VPN
access-list outside_access_in extended permit ip object Remote_VPN object obj-172.16.250.0
access-list inside_access_in extended permit ip object obj-172.16.250.0 object Remote_VPN
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-722.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static Home_VPN Home_VPN no-proxy-arp route-lookup
nat (inside,outside) source static obj-172.16.250.0 obj-172.16.250.0 destination static Remote_VPN Remote_VPN no-proxy-arp route-lookup
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 ISP-GATEWAY 1
route inside 10.0.0.0 255.0.0.0 172.16.250.250 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection preserve-vpn-flows
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer Remote_VPN_EXTERNAL
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set reverse-route
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer Home_VPN_EXTERNAL
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set reverse-route
crypto map outside_map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.0.0.0 inside
telnet timeout 30
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 178.18.118.13 source outside
group-policy GroupPolicy_Home_VPN_EXTERNAL internal
group-policy GroupPolicy_Home_VPN_EXTERNAL attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_Remote_VPN_EXTERNAL internal
group-policy GroupPolicy_Remote_VPN_EXTERNAL attributes
vpn-tunnel-protocol ikev1
username shaneb password 7p1BKZwVg2vqgROA encrypted privilege 15
tunnel-group Remote_VPN_EXTERNAL type ipsec-l2l
tunnel-group Remote_VPN_EXTERNAL general-attributes
default-group-policy GroupPolicy_Remote_VPN_EXTERNAL
tunnel-group Remote_VPN_EXTERNAL ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group Home_VPN_EXTERNAL type ipsec-l2l
tunnel-group Home_VPN_EXTERNAL general-attributes
default-group-policy GroupPolicy_Home_VPN_EXTERNAL
tunnel-group Home_VPN_EXTERNAL ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
class global-class
inspect icmp
inspect icmp error
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:dca165a7b4aee9e9dc0afe22f91bc9ce
: end

Marius Gunnerud · ‎09-18-2014

first I suggest changing the ACL to:

access-list inside_access_in extended permit ip object obj-172.16.250.0 any

The following statement is not needed since VPN is not checked against an interface ACL by default.

access-list outside_access_in extended permit ip object Remote_VPN object obj-172.16.250.0

Does the home_vpn connection work? If so, and it is not a very important connection that NEEDS to be up, could you issue the clear crypto isakmp and then try to connect over the remote_vpn VPN. I have seen, though not often, that when I have added a new s2s VPN I need to issue the clear crypto command and have all the other connections rebuilt as well. I have not really understood why this happens, but luckily it doesn't happen all that often.

I don't see anything that really stands out as wrong in your configuration. I will have a look over it again just to be sure.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Marius Gunnerud · ‎09-18-2014

By the way, have you turned off the windows firewall / software firewall installed on the machine you are trying to ping?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

shane.barry · ‎09-19-2014

I created that as a test when removing the settings "bypass ACL for VPN connections", just haven't removed it yet. I have run the clear crypto command several times when testing and rebooted the ASA to see if it was related to that ASA bug. The home vpn doesn't work either.

The firewall is disabled on the server

shane.barry · ‎01-26-2015

Sorry forgot to update this, the issue turned out to be some odd routing. Thanks for your help Marius

Marius Gunnerud · ‎01-26-2015

Glad you got it sorted :-)

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts