01-22-2014 06:30 PM
Hi,
I am trying to setup a Site to Site tunnel in our test lab.
192.168.30.0/24 ---> ASA5505 <-------------------------tunnel------------------->ASA5525<-------------10.0.0.0/8
I have the tunnel working and it initiates from either direction without an issue. The problem I have is that traffic will only establish and flow in the direction that the tunnel was initiated.
e.g.
ASA5525 Config.
ASA Version 8.6(1)
!
hostname vpn-asa5525
domain-name mgmt.CENTRAL
enable password ######### encrypted
passwd ######### encrypted
names
!
interface GigabitEthernet0/0
nameif External
security-level 0
ip address 172.16.2.10 255.255.255.0
!
interface GigabitEthernet0/1
description Internal Interface
nameif Internal
security-level 1
ip address 10.0.10.1 255.255.254.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address X.Y.165.12 255.255.255.0 standby X.Y.165.24
management-only
!
boot system disk0:/asa861-smp-k8.bin
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name mgmt.CENTRAL
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network ALL_CENTRAL
subnet 10.0.0.0 255.0.0.0
object network BO-1
subnet 192.168.10.0 255.255.255.0
object network BO-3
subnet 192.168.30.0 255.255.255.0
object network BO-2
subnet 192.168.20.0 255.255.255.0
access-list External_cryptomap_1 extended permit ip object ALL_CENTRAL object BO-3
access-list global_access extended permit icmp any any
access-list global_access extended deny ip any any
access-list External_routemap_1 extended permit ip object ALL_CENTRAL object BO-3
no pager
logging enable
logging timestamp
logging standby
logging emblem
logging console informational
logging monitor debugging
logging trap informational
logging asdm informational
mtu External 1500
mtu Internal 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface Interlink GigabitEthernet0/7
failover key *****
failover link Interlink GigabitEthernet0/7
failover interface ip Interlink 172.16.16.1 255.255.255.0 standby 172.16.16.2
icmp unreachable rate-limit 1 burst-size 1
icmp permit any External
icmp permit X.Y.188.0 255.255.255.0 management
icmp permit X.Y.190.0 255.255.255.0 management
asdm image disk0:/asdm-661.bin
asdm history enable
arp timeout 14400
!
route-map TEST_RMAP permit 1
match ip address External_routemap_1
!
route External 0.0.0.0 0.0.0.0 172.16.2.254 1
route Internal 10.0.0.0 255.0.0.0 10.0.11.254 1
route management X.Y.0.0 255.255.0.0 X.Y.165.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http X.Y.0.0 255.255.0.0 management
sysopt connection tcpmss 0
crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map outside_map 1 match address External_cryptomap_1
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 172.16.1.10
crypto map outside_map 1 set ikev1 transform-set CENTRAL-crypto-map
crypto map outside_map 1 set ikev2 ipsec-proposal secure
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map interface External
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable External
crypto ikev1 enable External
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh X.Y.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
no threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl encryption 3des-sha1
webvpn
group-policy GroupPolicy_172.16.1.10 internal
group-policy GroupPolicy_172.16.1.10 attributes
vpn-tunnel-protocol ikev1 ikev2
username sysop password ####### encrypted privilege 15
tunnel-group 172.16.1.10 type ipsec-l2l
tunnel-group 172.16.1.10 general-attributes
default-group-policy GroupPolicy_172.16.1.10
tunnel-group 172.16.1.10 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
no prompt
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:1f647260b1a9e26953c8fdd015ee0c4f
: end
ASA5505 Config
ASA Version 8.6(1)
!
hostname vpn1-5505
domain-name Branch.Office2.com
enable password ######## encrypted
passwd ###### encrypted
names
!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
switchport access vlan 15
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 205
!
interface Vlan1
no nameif
no security-level
no ip address
!
interface Vlan4
nameif inside
security-level 2
ip address 192.168.30.1 255.255.255.0
!
interface Vlan15
nameif outside
security-level 1
ip address 172.16.1.10 255.255.255.0
!
interface Vlan205
no forward interface Vlan15
nameif management
security-level 0
ip address X.Y.165.14 255.255.255.0
management-only
!
ftp mode passive
clock timezone EST 10
clock summer-time EDT recurring last Sun Oct 2:00 last Sun Mar 3:00
dns server-group DefaultDNS
domain-name Branch.Office2.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network LOCAL_NET
subnet 192.168.30.0 255.255.255.0
description BO Internal Network
object network ALL_CENTRAL
subnet 10.0.0.0 255.0.0.0
description All Internal CENTRAL Network
access-list 100 extended permit ip object LOCAL_NET object ALL_CENTRAL log debugging
access-list External_routemap_1 extended permit ip object LOCAL_NET object ALL_CENTRAL log debugging
pager lines 24
logging enable
logging timestamp
logging asdm-buffer-size 512
logging console debugging
logging monitor debugging
logging trap informational
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
!
route-map TEST_RMAP permit 1
match ip address External_routemap_1
!
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
route management X.Y.0.0 255.255.0.0 X.Y.165.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http X.Y.0.0 255.255.0.0 management
http redirect management 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
protocol esp integrity sha-1
crypto map outside_map 1 match address 100
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 172.16.2.10
crypto map outside_map 1 set ikev1 transform-set CENTRAL-crypto-map
crypto map outside_map 1 set ikev2 ipsec-proposal secure
crypto map outside_map 1 set nat-t-disable
crypto map outside_map 1 set reverse-route
crypto map outside_map interface outside
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh X.Y.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
no threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption 3des-sha1
webvpn
group-policy GroupPolicy_172.16.2.10 internal
group-policy GroupPolicy_172.16.2.10 attributes
vpn-tunnel-protocol ikev1 ikev2
username sysop password ########## encrypted privilege 15
tunnel-group 172.16.2.10 type ipsec-l2l
tunnel-group 172.16.2.10 general-attributes
default-group-policy GroupPolicy_172.16.2.10
tunnel-group 172.16.2.10 ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:a585784df82edf735dc3245bf29444a6
: end
Any Suggestions?
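As an added example, not part of the original post and not Cisco tooling, the following Python script reads both configs above (abridged to the lines it needs, copied from the two dumps) and reports the asymmetries a practitioner would rule out first when a site-to-site tunnel negotiates but only passes traffic one way: crypto ACLs that are not exact mirrors of each other, a `set peer` that is not the other side's crypto-map interface address, and DES/3DES still being offered for ESP. The parser only understands the `permit ip object A object B` ACL form used in these configs, and the weak-cipher list is the script's own judgement, not an ASA setting.

```python
import ipaddress
import re

# Abridged from the two dumps in the post: only the lines the checker reads.
ASA5525 = """\
interface GigabitEthernet0/0
nameif External
ip address 172.16.2.10 255.255.255.0
object network ALL_CENTRAL
subnet 10.0.0.0 255.0.0.0
object network BO-3
subnet 192.168.30.0 255.255.255.0
access-list External_cryptomap_1 extended permit ip object ALL_CENTRAL object BO-3
crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
crypto map outside_map 1 match address External_cryptomap_1
crypto map outside_map 1 set peer 172.16.1.10
crypto map outside_map interface External
"""
ASA5505 = """\
interface Vlan15
nameif outside
ip address 172.16.1.10 255.255.255.0
object network LOCAL_NET
subnet 192.168.30.0 255.255.255.0
object network ALL_CENTRAL
subnet 10.0.0.0 255.0.0.0
access-list 100 extended permit ip object LOCAL_NET object ALL_CENTRAL log debugging
crypto ipsec ikev1 transform-set CENTRAL-crypto-map esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption aes 3des des
crypto map outside_map 1 match address 100
crypto map outside_map 1 set peer 172.16.2.10
crypto map outside_map interface outside
"""
# Judgement call, not an ASA setting: DES/3DES still negotiate but should not be offered.
WEAK_ESP = {"des", "3des", "esp-des", "esp-3des"}
ACL_RE = re.compile(r"access-list (\S+) extended permit ip object (\S+) object (\S+)")
CMAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer) (\S+)")
CMAP_IF_RE = re.compile(r"crypto map (\S+) interface (\S+)")

def parse(cfg):
    """Object subnets, IP per nameif, crypto ACLs (only the 'permit ip object A object B'
    form the post uses), crypto map entries, map-to-interface bindings, ESP algorithms."""
    objs, ip_by_nameif, acls, cmaps, cmap_if, esp = {}, {}, {}, {}, {}, set()
    cur = None  # (kind, name) of the object/interface block being read
    for line in map(str.strip, cfg.splitlines()):
        w = line.split()
        if not w:
            continue
        if w[:2] == ["object", "network"]:
            cur = ("obj", w[2])
        elif w[0] == "interface":
            cur = ("if", None)  # nameif not known yet
        elif w[0] == "subnet" and cur and cur[0] == "obj":
            objs[cur[1]] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
        elif w[0] == "nameif" and cur and cur[0] == "if":
            cur = ("if", w[1])
        elif w[:2] == ["ip", "address"] and cur and cur[0] == "if" and cur[1]:
            ip_by_nameif[cur[1]] = ipaddress.ip_address(w[2])
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := CMAP_RE.match(line):
            cmaps.setdefault((m[1], int(m[2])), {})[m[3]] = m[4]
        elif m := CMAP_IF_RE.match(line):
            cmap_if[m[1]] = m[2]
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            esp.update(w[5:])
        elif w[:3] == ["protocol", "esp", "encryption"]:
            esp.update(w[3:])
    return objs, ip_by_nameif, acls, cmaps, cmap_if, esp

def selectors(cfg):
    """Resolve each crypto map entry to (local net, remote net, peer, local crypto IP)."""
    objs, ip_by_nameif, acls, cmaps, cmap_if, esp = parse(cfg)
    entries = []
    for (name, _seq), e in sorted(cmaps.items()):
        local_ip = ip_by_nameif[cmap_if[name]]  # the address the peer must dial
        for src, dst in acls[e["match address"]]:
            entries.append({"local_ip": local_ip, "peer": ipaddress.ip_address(e["set peer"]),
                            "local": objs[src], "remote": objs[dst]})
    return entries, esp

def check_pair(cfg_a, cfg_b):
    """Findings; empty means peers and proxy IDs agree (the tunnel can pass traffic,
    which is not proof that it does)."""
    a, esp_a = selectors(cfg_a)
    b, esp_b = selectors(cfg_b)
    findings = []
    for mine, theirs, tag in ((a, b, "A"), (b, a, "B")):
        for e in mine:
            if all(t["local_ip"] != e["peer"] for t in theirs):
                findings.append(f"{tag}: peer {e['peer']} is not the other side's crypto interface")
            if all((t["local"], t["remote"]) != (e["remote"], e["local"]) for t in theirs):
                findings.append(f"{tag}: {e['local']} -> {e['remote']} has no exact mirror on the other side")
    for tag, esp in (("A", esp_a), ("B", esp_b)):
        if weak := sorted(WEAK_ESP & esp):
            findings.append(f"{tag}: weak ESP ciphers offered: {', '.join(weak)}")
    return findings
```

On these two configs the proxy IDs and peer addresses check out, so `check_pair(ASA5525, ASA5505)` only reports the DES/3DES offers on each side. That narrows the one-way symptom to what happens after negotiation rather than to the selectors themselves; the `#pkts encaps` and `#pkts decaps` counters in `show crypto ipsec sa` on both peers show whether the non-initiating side's traffic is being encrypted at all, or encrypted but never decrypted by the far end.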
01-22-2014 11:40 PM
Hi,
Could it be that you didn't configure the option to allow the VPN traffic to pass through the firewall without checking the firewall rules?
sysopt connection permit-vpn
Or, on the other hand, could you send us the error logs that you can see on both sides?
01-23-2014 01:07 PM
I have that sysopt setting in there now and it made no difference.
There is no error being reported by the ASAs. The tunnels come up, and traffic connects from the initiating site OK but not from the other end.
I checked the access-lists to see if any of them are being hit, and the traffic from the non-initiating site does not trigger any ACLs.
I can get some debug logs if you know which ones you think would help.
Ian