IKEV2 VPN to Azure - ASP Table Drops

garybrophy
Level 1

Hi All,

Hoping someone might have an answer for me as this one has thrown me off.

 

I have a VPN to Azure - 2 Networks on either side. Phase 1 and Phase 2 establish but only one tunnel is passing traffic.

 

ASA Config

crypto map MYMAP 810 match address AZURE_VPN
crypto map MYMAP 810 set pfs group24
crypto map MYMAP 810 set peer 1.1.1.1
crypto map MYMAP 810 set ikev2 ipsec-proposal AZURE
crypto map MYMAP 810 set security-association lifetime seconds 3600
crypto map MYMAP 810 set security-association lifetime kilobytes 4608000

 

access-list AZURE_VPN line 1 extended permit ip object-group AZURE_NETS_ACCESS_REV object-group AZURE_NETS
access-list AZURE_VPN line 1 extended permit ip 10.95.0.0 255.255.255.0 10.97.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.95.0.0 255.255.255.0 10.98.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.94.0.0 255.255.0.0 10.97.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.94.0.0 255.255.0.0 10.98.0.0 255.255.255.0

 

nat (REMOTE,outside) source static AZURE_NETS_ACCESS_REV AZURE_NETS_ACCESS_REV destination static AZURE_NETS AZURE_NETS no-proxy-arp route-lookup

 

Routes are all correct etc. and when running a packet tracer the networks are hitting the same routes / rules and hitting the VPN, but only 10.94.0.0/16 and 10.98.0.0/24 are passing traffic. The others are getting "Drop-reason: (acl-drop) Flow is denied by configured rule" but I have no idea why.

When checking the ASP table I can see the drops, but it's saying ACL drop and there is no difference between the 10.97.0.0/24 and 10.98.0.0/24 networks rule-wise.

 

259: 09:53:07.166327       10.97.0.10 > 10.94.0.4: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule

 

From the IPSEC tunnel I can see the decaps constantly increasing, but the ASA is dropping this traffic for some reason.

 

Show Isakmp SA

37524769 2.2.2.2/500 1.1.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7461 sec
Child sa: local selector 10.94.0.0/0 - 10.94.255.255/65535
remote selector 10.98.0.0/0 - 10.98.0.255/65535
ESP spi in/out: 0x301c6821/0x66ad55bc
Child sa: local selector 10.94.0.0/0 - 10.94.255.255/65535
remote selector 10.97.0.0/0 - 10.97.0.255/65535
ESP spi in/out: 0xe738b954/0x6a4ef8fe
Child sa: local selector 10.95.0.0/0 - 10.95.0.255/65535
remote selector 10.98.0.0/0 - 10.98.0.255/65535
ESP spi in/out: 0x95c7a7b5/0x6611509c
Child sa: local selector 10.95.0.0/0 - 10.95.0.255/65535
remote selector 10.97.0.0/0 - 10.97.0.255/65535
ESP spi in/out: 0x25a7bc51/0x466ea2a8

 

Show IPSEC SA

 

access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.98.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1

#pkts encaps: 72338, #pkts encrypt: 72338, #pkts digest: 72338
#pkts decaps: 27191, #pkts decrypt: 27191, #pkts verify: 27191

 

access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.97.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17541, #pkts decrypt: 17541, #pkts verify: 17541

 

access-list AZURE_VPN extended permit ip 10.95.0.0 255.255.255.0 10.97.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5488, #pkts decrypt: 5488, #pkts verify: 5488

 

access-list AZURE_VPN extended permit ip 10.95.0.0 255.255.255.0 10.98.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9005, #pkts decrypt: 9005, #pkts verify: 9005

 

Anyone have any ideas for me?

 

Much appreciated

Gary
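The symptom in the post is visible in the counters themselves: the 10.94.0.0/16 <-> 10.98.0.0/24 SA has both encaps and decaps climbing, while the other three SAs decrypt inbound packets (decaps > 0) but never encrypt a reply (encaps = 0), and the ASP table attributes the loss to acl-drop. The script below is an added example written for this thread, not something Gary or Cisco posted: it parses text in the shape of the `show crypto ipsec sa` and ASP drop output above, flags SAs that only receive, and maps each acl-drop to the SA whose local/remote selectors contain the flow. The sample text inside it is constructed (the second drop line is a flow no SA covers, to show that case).

```python
"""Flag one-way IPsec child SAs and map ASP acl-drops to their selectors.

Added example, not from the thread. It parses text in the shape of the
'show crypto ipsec sa' and ASP drop output posted above; the sample text
below is constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's "show crypto ipsec sa".
IPSEC_SA_OUTPUT = """\
access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.98.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 72338, #pkts encrypt: 72338, #pkts digest: 72338
#pkts decaps: 27191, #pkts decrypt: 27191, #pkts verify: 27191

access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.97.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17541, #pkts decrypt: 17541, #pkts verify: 17541
"""

# Constructed sample ASP drop lines (the second is a flow no SA covers).
ASP_DROP_OUTPUT = """\
259: 09:53:07.166327       10.97.0.10 > 10.94.0.4: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
260: 09:53:09.201144       10.99.0.7 > 10.94.0.4: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
"""

IDENT_RE = re.compile(r"^(local|remote) ident .*?\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
DROP_RE = re.compile(r"^\d+:\s+\S+\s+(\d+\.\d+\.\d+\.\d+) > (\d+\.\d+\.\d+\.\d+):.*Drop-reason: \(([\w-]+)\)")


@dataclass
class ChildSa:
    local: ipaddress.IPv4Network   # "local ident" selector
    remote: ipaddress.IPv4Network  # "remote ident" selector
    encaps: int                    # packets we encrypted towards the peer
    decaps: int                    # packets we decrypted from the peer

    @property
    def one_way(self) -> bool:
        """Peer traffic is decrypted but nothing is ever sent back encrypted."""
        return self.decaps > 0 and self.encaps == 0


def parse_ipsec_sa(text: str) -> list:
    """Collect (local, remote, encaps, decaps) for each SA block in the output."""
    sas, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:
            # ASA prints dotted masks; IPv4Network accepts "addr/mask" directly.
            cur[m.group(1)] = ipaddress.IPv4Network(f"{m.group(2)}/{m.group(3)}")
            continue
        m = COUNTER_RE.search(line)
        if m:
            cur[m.group(1)] = int(m.group(2))
        if {"local", "remote", "encaps", "decaps"} <= set(cur):
            sas.append(ChildSa(cur["local"], cur["remote"], cur["encaps"], cur["decaps"]))
            cur = {}
    return sas


def one_way_sas(sas: list) -> list:
    """Selectors of SAs that receive but never send: the thread's symptom."""
    return [f"{sa.local} <- {sa.remote}" for sa in sas if sa.one_way]


def correlate_drops(sas: list, drop_text: str) -> list:
    """Map each acl-drop to the SA whose selectors contain the flow.

    Inbound decrypted traffic has src in the remote selector and dst in
    the local selector. A drop with no matching SA did not arrive through
    any tunnel selector, which points at a different problem.
    """
    out = []
    for line in drop_text.splitlines():
        m = DROP_RE.match(line)
        if not m or m.group(3) != "acl-drop":
            continue
        src, dst = ipaddress.IPv4Address(m.group(1)), ipaddress.IPv4Address(m.group(2))
        sa = next((s for s in sas if src in s.remote and dst in s.local), None)
        out.append((str(src), str(dst), None if sa is None else f"{sa.local} <- {sa.remote}"))
    return out


if __name__ == "__main__":
    sas = parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print("one-way SAs:", one_way_sas(sas))
    for src, dst, sel in correlate_drops(sas, ASP_DROP_OUTPUT):
        print(f"acl-drop {src} > {dst}: {'selector ' + sel if sel else 'no SA covers this flow'}")
```

The output tells you which selector pairs are affected and that every dropped flow did arrive through a negotiated SA, so the crypto side is not the culprit. It cannot name the rule that denied the flow: that information is only in the syslog the replies below suggest enabling, or in a packet-tracer run from the outside interface for the decrypted flow.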

4 Replies

Hi,

 

Try pinging while terminal monitor is enabled and see which rule is matched. The ASA logs packets denied by an ACL. Just make sure monitor logging is set to informational.

Thanks Mohammed,

 

I am remotely accessing the firewall and it's a production firewall, so there is a lot of stuff passing through and I would rather not turn on terminal logging.

 

I would have thought ASDM would show me the drops? But nothing is showing in there for the traffic.

 

I have captures set up for the traffic also, but nothing in them either, although I am seeing the drops in the ASP table. If memory serves me correctly, if the ASP table shows the drops the traffic won't appear in the ASDM logs or captures, but I'm not 100% sure on that.

 

capture azure1 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.98.0.20 host 10.95.0.5
capture azure2 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.97.0.10 host 10.94.0.4
capture azure3 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.97.0.10 host 10.95.0.5

 

My global policy is not inspecting ICMP traffic, so I am not sure what is happening here.

 

Regards

Gary

Hi Gary,

Term monitor is very safe. It won't cause issues as long as debugs are off.

ASDM will show you the logging on the home page. You can still use it while the ping is running to see which ACL drops it.


Thanks Mohammad,

 

Term monitor didn't show me anything.

If you have any other suggestions, let me know.

 

I am on a project for the next week so will have to revisit this one. If I figure it out in the meantime I'll post what it was.

 

Thanks

Gary
