09-21-2017 03:34 AM - edited 03-12-2019 04:33 AM
Hi All,
Hoping someone might have an answer for me as this one has thrown me off.
I have a VPN to Azure - 2 Networks on either side. Phase 1 and Phase 2 establish but only one tunnel is passing traffic.
ASA Config
crypto map MYMAP 810 match address AZURE_VPN
crypto map MYMAP 810 set pfs group24
crypto map MYMAP 810 set peer 1.1.1.1
crypto map MYMAP 810 set ikev2 ipsec-proposal AZURE
crypto map MYMAP 810 set security-association lifetime seconds 3600
crypto map MYMAP 810 set security-association lifetime kilobytes 4608000
access-list AZURE_VPN line 1 extended permit ip object-group AZURE_NETS_ACCESS_REV object-group AZURE_NETS
access-list AZURE_VPN line 1 extended permit ip 10.95.0.0 255.255.255.0 10.97.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.95.0.0 255.255.255.0 10.98.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.94.0.0 255.255.0.0 10.97.0.0 255.255.255.0
access-list AZURE_VPN line 1 extended permit ip 10.94.0.0 255.255.0.0 10.98.0.0 255.255.255.0
nat (REMOTE,outside) source static AZURE_NETS_ACCESS_REV AZURE_NETS_ACCESS_REV destination static AZURE_NETS AZURE_NETS no-proxy-arp route-lookup
Routes are all correct etc., and when running a packet tracer the networks are hitting the same routes/rules and hitting the VPN, but only 10.94.0.0/16 and 10.98.0.0/24 are passing traffic. The others are getting "Drop-reason: (acl-drop) Flow is denied by configured rule" but I have no idea why.
When checking the ASP table I can see the drops, but it's saying ACL drop, and there is no difference between the 10.97.0.0/24 and 10.98.0.0/24 networks rule-wise:
259: 09:53:07.166327 10.97.0.10 > 10.94.0.4: icmp: echo request Drop-reason: (acl-drop) Flow is denied by configured rule
From the IPSEC tunnel I can see the decaps constantly increasing, but the ASA is dropping this traffic for some reason.
Show Isakmp SA
37524769 2.2.2.2/500 1.1.1.1/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA384, DH Grp:24, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/7461 sec
Child sa: local selector 10.94.0.0/0 - 10.94.255.255/65535
remote selector 10.98.0.0/0 - 10.98.0.255/65535
ESP spi in/out: 0x301c6821/0x66ad55bc
Child sa: local selector 10.94.0.0/0 - 10.94.255.255/65535
remote selector 10.97.0.0/0 - 10.97.0.255/65535
ESP spi in/out: 0xe738b954/0x6a4ef8fe
Child sa: local selector 10.95.0.0/0 - 10.95.0.255/65535
remote selector 10.98.0.0/0 - 10.98.0.255/65535
ESP spi in/out: 0x95c7a7b5/0x6611509c
Child sa: local selector 10.95.0.0/0 - 10.95.0.255/65535
remote selector 10.97.0.0/0 - 10.97.0.255/65535
ESP spi in/out: 0x25a7bc51/0x466ea2a8
Show IPSEC SA
access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.98.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 72338, #pkts encrypt: 72338, #pkts digest: 72338
#pkts decaps: 27191, #pkts decrypt: 27191, #pkts verify: 27191
access-list AZURE_VPN extended permit ip 10.94.0.0 255.255.0.0 10.97.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17541, #pkts decrypt: 17541, #pkts verify: 17541
access-list AZURE_VPN extended permit ip 10.95.0.0 255.255.255.0 10.97.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5488, #pkts decrypt: 5488, #pkts verify: 5488
access-list AZURE_VPN extended permit ip 10.95.0.0 255.255.255.0 10.98.0.0 255.255.255.0
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9005, #pkts decrypt: 9005, #pkts verify: 9005
Anyone have any ideas for me?
Much appreciated
Gary
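As an added triage helper (my code, not part of the thread), the block below parses the ident and counter lines of the show IPSEC SA output above and flags SAs that are decrypting inbound packets while encapsulating none, which is what three of the four SAs in Gary's output show; sa_for_flow then tells you which SA a reply such as 10.94.0.4 to 10.97.0.10 should ride. The regexes are mine and assume the line layout shown in the post.

```python
import ipaddress
import re
# Constructed sample: the ident and counter lines from the "Show IPSEC SA" output above.
SHOW_IPSEC_SA = """
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
#pkts encaps: 72338, #pkts encrypt: 72338, #pkts digest: 72338
#pkts decaps: 27191, #pkts decrypt: 27191, #pkts verify: 27191
local ident (addr/mask/prot/port): (10.94.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 17541, #pkts decrypt: 17541, #pkts verify: 17541
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.97.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 5488, #pkts decrypt: 5488, #pkts verify: 5488
local ident (addr/mask/prot/port): (10.95.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.98.0.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 9005, #pkts decrypt: 9005, #pkts verify: 9005
"""
IDENT_RE = re.compile(r"^(local|remote) ident .*\((\S+?)/(\S+?)/\d+/\d+\)")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_ipsec_sa(text):
    """Return one dict per SA: local/remote ip_network plus encaps/decaps counts."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.match(line.strip())
        if m:
            side, addr, mask = m.groups()
            if side == "local":  # "local ident" opens a new SA block
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            cur[side] = ipaddress.ip_network(f"{addr}/{mask}")
            continue
        m = COUNT_RE.search(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas

def one_way_sas(sas):
    """SAs that decrypt inbound packets but never encapsulate a reply: the peer's
    traffic is accepted, so the fault sits on the ASA's outbound (reply) path."""
    return [sa for sa in sas if sa["decaps"] > 0 and sa["encaps"] == 0]

def sa_for_flow(sas, src, dst):
    """SAs whose selectors cover an outbound flow src -> dst (local -> remote)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [sa for sa in sas if s in sa["local"] and d in sa["remote"]]
```

Run against the dropped flow from the ASP table (10.97.0.10 > 10.94.0.4), sa_for_flow for the reply direction lands on the 10.94.0.0/16 to 10.97.0.0/24 SA, which is one of the SAs with zero encaps.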
09-21-2017 04:30 AM
Hi,
Try pinging while terminal monitor is enabled and see which rule is matched. ASA logs packets denied by ACL. Just make sure the monitor logging is set to informational.
09-21-2017 04:53 AM
Thanks Mohammed,
I am remotely accessing the firewall and it's a production firewall, so there is a lot of stuff passing through and I would rather not turn on terminal logging.
I would have thought ASDM would show me the drops? But nothing is showing in there for the traffic.
I have captures set up for the traffic also, but nothing in them either, but I am seeing the drops in the ASP table. If memory serves me correctly, if the ASP table shows the drops the traffic won't appear in the ASDM logs or captures, but I'm not 100% sure on that.
capture azure1 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.98.0.20 host 10.95.0.5
capture azure2 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.97.0.10 host 10.94.0.4
capture azure3 type raw-data interface REMOTE [Capturing - 0 bytes]
match icmp host 10.97.0.10 host 10.95.0.5
My global policy is not inspecting ICMP traffic, so I'm not sure what is happening here.
Regards
Gary
09-21-2017 06:56 AM
09-21-2017 08:59 AM
Thanks Mohammad,
Term monitor didn't show me anything.
If you have any other suggestions, let me know.
I am on a project for the next week so will have to revisit this one. If I figure it out in the meantime I'll post what it was.
thanks
Gary