
New Member

IPSec Tunnel established but not able to reach remote Local subnet

Hi,

We established an IPsec tunnel. It was active, but I found the following issue. Please give your suggestions to troubleshoot it.

1. 192.168.50.0/24 (Site A) is able to reach 192.168.90.0/24 (Site B) and vice versa.
2. 192.168.30.0/24 (Site C) is able to reach 192.168.50.0/24 (Site A), but not vice versa.
3. 192.168.10.0/24 and 155.220.21.175 (Site A) reach 192.168.90.0/24 (Site B) and vice versa, but do not reach 192.168.50.0/24 (Site A).

I want to access 192.168.30.0/24, 192.168.10.0/24 and 155.220.21.175 (Site C) from 192.168.50.0/24 (Site A).

Additionally, the tunnel is only established if active traffic is sent from Site B.

Thanks & Rgds,

Dhaval Dikshit

9 REPLIES
New Member

Re: IPSec Tunnel established but not able to reach remote Local

Check your routing on site A router

Sent from Cisco Technical Support iPhone App

New Member

IPSec Tunnel established but not able to reach remote Local subn

Thanks, Punit. Additionally, I found the following error; it might bring us nearer to a solution. Please suggest if you have any suggestions.

When I run packet-tracer from Site B, I get the following message.

ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc959c928, priority=1, domain=permit, deny=false
        hits=143495595, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   155.220.21.175  255.255.255.255 inside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
object-group network Tas_Tunnel
network-object host 192.168.50.50
network-object host 192.168.50.65
network-object host 192.168.50.220
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca246310, priority=12, domain=permit, deny=false
        hits=1, user_data=0xc793bcc0, cs_id=0x0, flags=0x0, protocol=0
        src ip=192.168.50.220, mask=255.255.255.255, port=0
        dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc959f4d8, priority=0, domain=inspect-ip-options, deny=true
        hits=3443418, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: INSPECT
Subtype: inspect-ftp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
  inspect ftp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc962fa60, priority=70, domain=inspect-ftp, deny=false
        hits=11, user_data=0xc962f8b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=6
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=21, dscp=0x0

Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc9f1c290, priority=12, domain=ipsec-tunnel-flow, deny=true
        hits=167708, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: NAT-EXEMPT
Subtype: rpf-check
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xc965a700, priority=6, domain=nat-exempt-reverse, deny=false
        hits=2, user_data=0xc965a490, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip=192.168.50.220, mask=255.255.255.255, port=0
        dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in  id=0xc95ea328, priority=0, domain=inspect-ip-options, deny=true
        hits=17273465, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thanks & Rgrds,

Dhaval Dikshit
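A packet-tracer run like the one above is long, and the useful facts are buried: which phase dropped the packet, the drop reason, and the src/dst prefixes of the rule that phase matched. The following Python script is an added example (not part of this thread or of Cisco's tooling) that parses the trace text and pulls those facts out; it embeds a trimmed copy of the trace posted above (phases 1, 2 and 4 to 8 omitted) as its sample input, and the parsing assumes the "Phase: / Type: / Config: / Additional Information:" layout that the ASA prints.

```python
"""Summarise an ASA packet-tracer run: which phase dropped the flow and what rule it hit."""
import ipaddress
import re

# Trimmed copy of the trace posted in this thread (phases 1, 2 and 4-8 omitted for brevity).
SAMPLE_TRACE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object-group Tas_Tunnel host 155.220.21.175 log
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xca246310, priority=12, domain=permit, deny=false
        src ip=192.168.50.220, mask=255.255.255.255, port=0
        dst ip=155.220.21.175, mask=255.255.255.255, port=0, dscp=0x0
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0
Result:
input-interface: outside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

KV = re.compile(r"(\w+)=([^,\s]+)")  # "key=value" pairs on a rule line


def parse_trace(text):
    """Split a trace into per-phase dicts plus the trailing summary (Action, Drop-reason, ...)."""
    phases, summary = [], {}
    current, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = {"phase": int(line.split(":", 1)[1]), "config": [], "lookup": []}
            phases.append(current)
            section = "header"
        elif line == "Result:":  # a bare "Result:" opens the final summary block
            current, section = None, "summary"
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "lookup"
        elif section in ("header", "summary"):
            key, _, value = line.partition(":")
            target = current if section == "header" else summary
            target[key.strip().lower()] = value.strip()
        elif section in ("config", "lookup"):
            current[section].append(line)
    return phases, summary


def matched_rule(phase):
    """Domain/deny flags and src/dst prefixes from the 'lookup yields rule' lines of a phase."""
    rule = {}
    for line in phase["lookup"]:
        if line[:4] in ("src ", "dst "):
            kv = dict(m.groups() for m in KV.finditer(line[4:]))  # ip=..., mask=..., port=...
            net = ipaddress.ip_network(f"{kv['ip']}/{kv['mask']}", strict=False)
            rule[line[:3]] = str(net)  # 192.168.50.192/255.255.255.192 -> 192.168.50.192/26
        elif "domain=" in line:
            kv = dict(m.groups() for m in KV.finditer(line))
            rule["domain"], rule["deny"] = kv.get("domain"), kv.get("deny")
    return rule


def drop_summary(text):
    """The phase that dropped the packet, with the rule it matched; None if the flow was allowed."""
    phases, summary = parse_trace(text)
    for phase in phases:
        if phase.get("result") == "DROP":
            return {"phase": phase["phase"], "type": phase.get("type"),
                    "subtype": phase.get("subtype"), "reason": summary.get("drop-reason"),
                    "rule": matched_rule(phase)}
    return None


if __name__ == "__main__":
    print(drop_summary(SAMPLE_TRACE))
```

On the trace above this reports phase 9 (VPN / encrypt) with reason "(acl-drop) Flow is denied by configured rule" and a matched rule of 155.220.21.175/32 to 192.168.50.192/26, which is the proxy identity to compare against the crypto ACL on the other peer.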

New Member

IPSec Tunnel established but not able to reach remote Local subn

Could you share the configuration for Site A?

Do you require this ACL?

access-list outside_4_cryptomap extended permit ip 192.168.50.192 255.255.255.192 host Tas_Server

New Member

IPSec Tunnel established but not able to reach remote Local subn

The Site A config is shared in the attached document.

Previously there was no issue due to this ACL.

New Member

IPSec Tunnel established but not able to reach remote Local subn

#clear xlate

Check if this works; otherwise, ensure that on both peers you have a mirror image of the ACLs.
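"Mirror image" means that every src/dst pair in one peer's crypto ACL appears with src and dst swapped in the other peer's crypto ACL, with identical masks; a /24 on one side against a /26 on the other is a mismatch even though the prefixes overlap. The following Python script is an added example (not from this thread or from Cisco) that parses ASA `access-list ... extended permit ip SRC DST` lines from both peers and lists the entries that have no exact reverse counterpart, and also checks whether a given flow falls inside any local crypto ACL entry at all. The two sample ACLs are constructed from the subnets discussed in this thread and are not the poster's real configuration; the mismatch in their first lines is deliberate.

```python
"""Compare two peers' IPsec crypto ACLs (proxy identities) for exact mirror-image entries."""
import ipaddress

# Constructed sample ACLs built from the subnets in this thread; not the poster's real config.
# Site B's first line uses a /24 where Site A uses a /26: the kind of mismatch to look for.
SITE_A_ACL = """\
access-list outside_4_cryptomap extended permit ip 192.168.50.192 255.255.255.192 host 155.220.21.175
access-list outside_4_cryptomap extended permit ip 192.168.50.0 255.255.255.0 192.168.30.0 255.255.255.0
"""
SITE_B_ACL = """\
access-list outside_1_cryptomap extended permit ip host 155.220.21.175 192.168.50.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 192.168.30.0 255.255.255.0 192.168.50.0 255.255.255.0
"""


def _take_network(tokens):
    """Pop one address spec ('any', 'host X', or 'X MASK') off the token list as an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_crypto_acl(text):
    """Ordered (src_network, dst_network) pairs from 'access-list ... permit ip SRC DST' lines."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 1:]
        if rest[0] != "ip":  # crypto ACLs should match on 'ip'; skip anything else
            continue
        rest = rest[1:]
        pairs.append((_take_network(rest), _take_network(rest)))  # src first, then dst
    return pairs


def fmt(pair):
    """Render a (src, dst) pair as 'a.b.c.d/len -> e.f.g.h/len'."""
    return f"{pair[0]} -> {pair[1]}"


def mirror_check(local_acl, remote_acl):
    """Entries on each side that have no exactly reversed counterpart on the other side."""
    local = set(parse_crypto_acl(local_acl))
    remote = set(parse_crypto_acl(remote_acl))
    only_local = local - {(d, s) for s, d in remote}
    only_remote = remote - {(d, s) for s, d in local}
    return sorted(map(fmt, only_local)), sorted(map(fmt, only_remote))


def flow_covered(acl_text, src_ip, dst_ip):
    """First crypto ACL entry whose networks contain the flow, or None if the flow is not protected."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for pair in parse_crypto_acl(acl_text):
        if src in pair[0] and dst in pair[1]:
            return fmt(pair)
    return None


if __name__ == "__main__":
    only_a, only_b = mirror_check(SITE_A_ACL, SITE_B_ACL)
    print("only on Site A:", only_a)
    print("only on Site B:", only_b)
    print("192.168.50.220 -> 155.220.21.175 on Site A:",
          flow_covered(SITE_A_ACL, "192.168.50.220", "155.220.21.175"))
```

Feed it the `show run access-list` output for the crypto map ACL from each peer; anything it lists under either side is a proxy-identity mismatch that will show up as a failed encrypt or decrypt check rather than as a tunnel that refuses to come up.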

New Member

IPSec Tunnel established but not able to reach remote Local subn

Hi Punit,

It does not work for me. I even checked the crypto ACL at both ends; they are exact mirrors.

Any other idea that might help me out?

Thx & Rgds,

Dhaval

New Member

IPSec Tunnel established but not able to reach remote Local subn

Hi Dhaval,

My only other guess is:

If you are using NAT, ensure the subnets in Site C are exempted on the ASA,

&

route outside 192.168.50.0 255.255.255.0 125.251.18.113 1 (the mask here is wrong).

New Member

IPSec Tunnel established but not able to reach remote Local subn

The output of

ASA# packet-trace input outside tcp 192.168.50.220 2000 155.220.21.175 21 detail

indicates a drop in Phase 9. Does it help us to troubleshoot?

Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Reverse Flow based lookup yields rule:
out id=0xca2f4c98, priority=70, domain=encrypt, deny=false
        hits=2, user_data=0x0, cs_id=0xc9dd8d90, reverse, flags=0x0, protocol=0
        src ip=155.220.21.175, mask=255.255.255.255, port=0
        dst ip=192.168.50.192, mask=255.255.255.192, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Thx & Rgds,

Dhaval Dikshit

New Member

IPSec Tunnel established but not able to reach remote Local subn

Hi,

After reconfiguring the Site A config, our problem is resolved.

Thanks & Rgds,

Dhaval Dikshit
