IPSec Tunnel established but not able to reach remote Local subnet

Dhaval Dikshit
Level 1

Hi,

We established an IPsec tunnel. It was active, but I found the following issue. Please give your suggestions on how to troubleshoot it.

1. 192.168.50.0/24 (Site A) is able to reach 192.168.90.0/24 (Site B) and vice versa.
2. 192.168.30.0/24 (Site C) is able to reach 192.168.50.0/24 (Site A) but not vice versa.
3. 192.168.10.0/24 and 155.220.21.175 (Site A) reach 192.168.90.0/24 (Site B) and vice versa, but do not reach 192.168.50.0/24 (Site A).

I want to access 192.168.30.0/24, 192.168.10.0/24 and 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A).

Additionally, the tunnel is only established if active traffic is sent from site B.

Thanks & Rgds,

Dhaval Dikshit

9 Replies

Punit Jethva
Level 1

Check your routing on site A router

Sent from Cisco Technical Support iPhone App

Thanks, Punit. Additionally, I found the following error; it might bring us nearer to a solution. Please suggest anything you can.

When I run packet tracer from site B, I got the following message.

ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc959c928, priority=1, domain=permit, deny=false
        hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   155.220.21.175  255.255.255.255 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
object-group network Tas_Tunnel
network-object host 192.168.50.50
network-object host 192.168.50.65
network-object host 192.168.50.220
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca246310, priority=12, domain=permit, deny=false
        hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.50.220, mask=255.255.255.255, port=0
        dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
        hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
        hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
        hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.50.220, mask=255.255.255.255, port=0
        dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
        hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


Thanks & Rgds,

Dhaval Dikshit

Could you share the configuration for Site A?

Do you require this ACL?

access-list outside_4_cryptomap extended permit ip 192.168.50.192 255.255.255.192 host Tas_Server

The Site A config is shared in the attached document.

Previously there was no issue due to this ACL.

#clear xlate

Check if this works, or else ensure that on both peers you have a mirror image of the ACLs.
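The "mirror image of the ACLs" check above can be automated. The helper below is an added example, not code from this thread or from Cisco: it parses the `extended permit ip` form of an ASA crypto ACL, reports entries whose source/destination mirror is missing on the other peer, and tests whether a flow such as 192.168.50.220 to 155.220.21.175 falls inside the encryption domain at all. The ACL names and the Site C lines are constructed for illustration.

```python
import ipaddress
import re

# Each side of a "permit ip" rule is "host A.B.C.D", "any", or "A.B.C.D MASK".
_ADDR = r"(?:host\s+\d+\.\d+\.\d+\.\d+|any|\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+)"
_RULE = re.compile(
    r"access-list\s+(\S+)\s+extended\s+permit\s+ip\s+(" + _ADDR + r")\s+(" + _ADDR + r")"
)

def _to_network(spec):
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)

def parse_crypto_acl(config):
    """Return the set of (src_net, dst_net) pairs from permit-ip ACL lines."""
    rules = set()
    for line in config.splitlines():
        m = _RULE.search(line.strip())
        if m:
            rules.add((_to_network(m.group(2)), _to_network(m.group(3))))
    return rules

def mirror_mismatches(local_config, remote_config):
    """Entries on either peer whose exact mirror (src and dst swapped) is absent on the other."""
    local_rules = parse_crypto_acl(local_config)
    remote_mirrored = {(dst, src) for (src, dst) in parse_crypto_acl(remote_config)}
    return sorted(local_rules ^ remote_mirrored, key=str)

def flow_in_encryption_domain(config, src_ip, dst_ip):
    """True if some crypto ACL entry covers the flow; otherwise the ASA will not encrypt it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for (s, d) in parse_crypto_acl(config))

# Constructed sample configs: Site A as in the thread, Site C mirrored and mis-mirrored.
SITE_A = """
access-list outside_4_cryptomap extended permit ip 192.168.50.192 255.255.255.192 host 155.220.21.175
access-list outside_4_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.30.0 255.255.255.0
"""
SITE_C_OK = """
access-list outside_1_cryptomap extended permit ip host 155.220.21.175 192.168.50.192 255.255.255.192
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
"""
SITE_C_BAD = SITE_C_OK.replace("192.168.50.192 255.255.255.192", "192.168.50.0 255.255.255.0")

if __name__ == "__main__":
    print("mismatches (ok):", mirror_mismatches(SITE_A, SITE_C_OK))
    print("mismatches (bad):", mirror_mismatches(SITE_A, SITE_C_BAD))
    print("covered:", flow_in_encryption_domain(SITE_A, "192.168.50.220", "155.220.21.175"))
```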

Hi Punit,

It did not work for me. I even checked the crypto ACLs at both ends; they are an exact mirror.

Any other idea that could help me out?

Thx & Rgds,

Dhaval

Hi Dhaval,

My only other guess is:

If you are using NAT, ensure the subnets in site C are exempted on the ASA,

&

route outside 192.168.50.0 255.255.255.0 125.251.18.113 1 (the mask here is wrong).

The output of

ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail

indicates a drop in Phase 9. Does it help us troubleshoot?

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thx & Rgds,

Dhaval Dikshit

Hi,

After reconfiguring the site A config, our problem is resolved.

Thanks & Rgds,

Dhaval Dikshit