Dynamic Map not encrypting packets

corebrands
Level 1
I have many VPN tunnels on an ASA.  Most of them are between /19 and /24.  There are a couple of low-priority VPNs that handle /16 subnets that include all the /19s and /24s, so that sites without VPNs but on the MPLS can be handled by one site.  Not a problem, because the smaller subnets' crypto maps come before the summarized ones.  I am trying to set up routers for home users with /29 subnets, so I have to use "dynamic" crypto maps. That's the only difference.  The tunnel establishes fine and the addresses are seen, but the ASA isn't marking the traffic to go over that tunnel (no encrypted packets).  The dynamic map is between the ASA and a Cisco 881-W router.  I even tried removing the /16 crypto map just to see if it works, and that didn't come up either:
 
IPsec peering shows it established fine but not encrypting:
 
ASA# sh crypto ipsec sa peer X.X.X.X
peer address: X.X.X.X
    Crypto map tag: home_vpn_map, seq num: 301, local addr: X.X.X.X
 
      access-list outside_301_cryptomap extended permit ip 10.156.114.160 255.255.255.240 10.5.32.0 255.255.255.248
      local ident (addr/mask/prot/port): (10.156.114.160/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.5.32.0/255.255.255.248/0/0)
      current_peer: 198.46.10.200
 
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 7463, #pkts decrypt: 7463, #pkts verify: 7463
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0
 
Capture shows the ping from a workstation on the other end of the tunnel, and the reply, hitting the ASA:
 
ASA# sh cap caphome
 
200 packets captured
 
   1: 08:42:55.085231 10.5.32.2 > 10.156.114.163: icmp: echo request
   2: 08:42:55.085612 10.156.114.163 > 10.5.32.2: icmp: echo reply
   3: 08:43:00.085170 10.5.32.2 > 10.156.114.163: icmp: echo request
   4: 08:43:00.085490 10.156.114.163 > 10.5.32.2: icmp: echo reply
   5: 08:43:05.084163 10.5.32.2 > 10.156.114.163: icmp: echo request
   6: 08:43:05.084498 10.156.114.163 > 10.5.32.2: icmp: echo reply
   7: 08:43:10.084391 10.5.32.2 > 10.156.114.163: icmp: echo request
   8: 08:43:10.084712 10.156.114.163 > 10.5.32.2: icmp: echo reply
 
 
The replies don't get put on the tunnel and returned though :(  There are limited routes on the ASA, and 0.0.0.0/0 routes through the internet interface.
 
 
Difference in configs:
 
static map:
 
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev1 transform-set ESP-3DES-MD5
 
access-list outside_1_cryptomap extended permit ip object net_int_743 object net_remote_1
 
object network net_remote_1
 subnet 10.5.24.0 255.255.255.0
 
object network net_int_743
 subnet 10.156.114.160 255.255.255.240
 
 
 
dynamic map:
 
crypto map outside_map 301 ipsec-isakmp dynamic home_vpn_map
 
crypto dynamic-map home_vpn_map 301 match address outside_301_cryptomap
crypto dynamic-map home_vpn_map 301 set ikev1 transform-set ESP-3DES-MD5
 
access-list outside_301_cryptomap extended permit ip object net_int_743 object Home_VPN01
 
object network Home_VPN01
 subnet 10.5.32.0 255.255.255.248
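An added example, not from the thread and not Cisco's own tooling: a Python script that parses the `show crypto ipsec sa` and `show route` output quoted above and checks the three things that must hold for the ASA to encrypt the echo replies seen in the capture: the SA counters show decrypt-only (one-way) traffic, the reply's source/destination fall inside the SA's local/remote idents, and the destination is routed out the interface the crypto map is bound to. It also shows why crypto map sequence order matters for the summary /16 entries described in the post. The sample text is constructed to mirror the posted output; the masked 70.X.X.X outside network is replaced by the placeholder 70.0.0.0/27, the seq number 200 for a /16 summary entry is an assumption, and the interface name mrs_internet comes from the posted routing table.

```python
"""Triage a one-way IPsec SA on an ASA from 'show' output (added example, not from the thread).

The sample text below is constructed from the thread's output. 70.0.0.0/27 is a
placeholder for the masked 70.X.X.X outside network and is an assumption.
"""
import ipaddress
import re

SA_OUTPUT = """\
peer address: 198.46.10.200
    Crypto map tag: home_vpn_map, seq num: 301, local addr: 70.0.0.10

      local ident (addr/mask/prot/port): (10.156.114.160/255.255.255.240/0/0)
      remote ident (addr/mask/prot/port): (10.5.32.0/255.255.255.248/0/0)
      current_peer: 198.46.10.200

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 7463, #pkts decrypt: 7463, #pkts verify: 7463
"""

ROUTES_BEFORE_RRI = """\
Gateway of last resort is 70.0.0.1 to network 0.0.0.0

C    70.0.0.0 255.255.255.224 is directly connected, mrs_internet
C    10.156.151.64 255.255.255.248 is directly connected, cloud_wan
S    10.156.114.160 255.255.255.240 [1/0] via 10.156.151.65, cloud_wan
C    10.156.114.128 255.255.255.224 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 70.0.0.1, mrs_internet
"""

# Same table after RRI injected the remote ident (the second table in the thread).
ROUTES_AFTER_RRI = ROUTES_BEFORE_RRI.replace(
    "C    10.156.151.64",
    "S    10.5.32.0 255.255.255.248 [1/0] via 70.0.0.1, mrs_internet\nC    10.156.151.64",
)

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/")
COUNTER_RE = re.compile(r"#pkts (encrypt|decrypt): (\d+)")
ROUTE_RE = re.compile(
    r"^(\S+)\s+([\d.]+) ([\d.]+)\s+(?:\[\d+/\d+\] via ([\d.]+), |is directly connected, )(\S+)\s*$",
    re.M,
)


def parse_sa(text):
    """Pull the traffic selectors and encrypt/decrypt counters out of 'show crypto ipsec sa'."""
    sa = {}
    for side, addr, mask in IDENT_RE.findall(text):
        sa[side] = ipaddress.ip_network(f"{addr}/{mask}")
    for name, count in COUNTER_RE.findall(text):
        sa[name] = int(count)
    return sa


def parse_routes(text):
    """Turn 'show route' lines into (prefix, next hop, egress interface) records."""
    return [
        {"prefix": ipaddress.ip_network(f"{net}/{mask}"), "via": via or None, "iface": iface}
        for _code, net, mask, via, iface in ROUTE_RE.findall(text)
    ]


def best_route(routes, dest):
    """Longest-prefix match for one address, as the ASA's routing table resolves it."""
    hits = [r for r in routes if dest in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen, default=None)


def first_crypto_match(entries, src, dst):
    """Crypto map entries are evaluated in sequence order and the first ACL hit wins,
    so a summary entry with a lower seq shadows a more specific entry behind it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq, local, remote in sorted(entries):
        if src in ipaddress.ip_network(local) and dst in ipaddress.ip_network(remote):
            return seq
    return None


def diagnose(sa, routes, crypto_iface, reply_src, reply_dst):
    """Report whether the SA is one-way, whether the reply falls inside the SA's
    selectors, and whether the reply is routed out the crypto-map interface."""
    src, dst = ipaddress.ip_address(reply_src), ipaddress.ip_address(reply_dst)
    route = best_route(routes, dst)
    return {
        "one_way": sa["decrypt"] > 0 and sa["encrypt"] == 0,
        "selector_match": src in sa["local"] and dst in sa["remote"],
        "route_prefix": str(route["prefix"]) if route else None,
        "route_exits_crypto_iface": route is not None and route["iface"] == crypto_iface,
    }


if __name__ == "__main__":
    sa = parse_sa(SA_OUTPUT)
    for label, table in (("before RRI", ROUTES_BEFORE_RRI), ("after RRI", ROUTES_AFTER_RRI)):
        print(label, diagnose(sa, parse_routes(table), "mrs_internet", "10.156.114.163", "10.5.32.2"))
    # Constructed crypto map: seq 1 is the posted static entry, seq 200 stands in for one of
    # the /16 summary entries the poster describes (its seq is an assumption), 301 is the dynamic one.
    entries = [(1, "10.156.114.160/28", "10.5.24.0/24"),
               (200, "10.156.114.160/28", "10.5.0.0/16"),
               (301, "10.156.114.160/28", "10.5.32.0/29")]
    print("seq claiming the reply:", first_crypto_match(entries, "10.156.114.163", "10.5.32.2"))
```

Run against the thread's two routing tables, the script reports the same thing in both cases: the reply 10.156.114.163 -> 10.5.32.2 matches the SA's selectors and is routed out mrs_internet (via the default route before RRI, via the /29 after it), yet the SA has encrypted nothing. That narrows the problem to crypto map evaluation on the ASA rather than routing or the selectors, which is consistent with RRI not changing the traffic counters in the thread. The `first_crypto_match` call shows that a /16 summary entry sequenced ahead of the dynamic entry would claim the reply first; removing it, as the poster tried, moves the match to seq 301.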

LA-Engineer
Level 1

So you're saying that despite having the IPSec SA for:

local ident (addr/mask/prot/port): (10.156.114.160/255.255.255.240/0/0)
remote ident (addr/mask/prot/port): (10.5.32.0/255.255.255.248/0/0)

 

Traffic from 10.156.114.160/28 is not being sent through the tunnel to 10.5.32.0/29?

 

Post the routing table.  Is the 10.5.32.0/29 prefix in there?

 

Maybe you need RRI?

crypto dynamic-map home_vpn_map 301 set reverse-route

Correct.

 

No, the prefix is not in the routing table:

 

Gateway of last resort is 70.X.X.X to network 0.0.0.0

C    70.X.X.X 255.255.255.224 is directly connected, mrs_internet
C    10.156.151.64 255.255.255.248 is directly connected, cloud_wan
S    10.156.114.160 255.255.255.240 [1/0] via 10.156.151.65, cloud_wan
C    10.156.114.128 255.255.255.224 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 70.X.X.X, mrs_internet

 

I tried RRI; it did not work.

Try the RRI again. Remove the crypto map from the interface and apply it again.

 

Something is not allowing the ASA to create the static route.

I cannot remove the crypto map from the interface because I have too many production VPNs on the appliance.  I reapplied RRI and it is getting into the route table; no change in traffic though:

C    70.X.X.X 255.255.255.224 is directly connected, mrs_internet
S    10.5.32.0 255.255.255.248 [1/0] via 70.X.X.X, mrs_internet
C    10.156.151.64 255.255.255.248 is directly connected, cloud_wan
S    10.156.114.160 255.255.255.240 [1/0] via 10.156.151.65, cloud_wan
C    10.156.114.128 255.255.255.224 is directly connected, management
S*   0.0.0.0 0.0.0.0 [1/0] via 70.X.X.X, mrs_internet

 

corebrands
Level 1

Opened a TAC case; we'll see if I can get anywhere with them.
