Cisco Support Community
New Member

Issue with VPN site-to-site traffic flow

Hi all,

This is the first time I have tried to set up a Cisco ASA; I need to configure a site-to-site VPN between an ASA 5505 and an ASA 5512-X.

Unfortunately, the VPN is up but no traffic passes through. Please find attached the ASA "sh run" and the active VPN status.

Packet Tracer says that an access list drops the packet, but which one?

ScreenShot617.png

Thanks in advance for your help.

Nico/

8 REPLIES
Hall of Fame Super Silver

Re: Issue with VPN site-to-site traffic flow

You have two crypto maps for site-to-site VPNs which reference access-lists:

a. crypto map outside_map 2 match address internet_cryptomap
b. crypto map outside_map 10 match address internet_cryptomap_2

The access lists they refer to...

a. Does not exist, but perhaps should be:

access-list internet_cryptomap_1 extended permit ip FID-TAB-network 255.255.255.0 FID-TAB-Cloud 255.255.255.0
name 10.2.55.0 FID-TAB-network
name 10.0.0.0 FID-TAB-Cloud

b. is equal to:

access-list internet_cryptomap_2 extended permit ip FID-PRINT-network 255.255.255.0 object-group DM_INLINE_NETWORK_1
name 10.2.59.0 FID-PRINT-network
object-group network DM_INLINE_NETWORK_1
 network-object FID-TAB-Cloud 255.255.255.0
 network-object FID-PRINT-Cloud 255.255.255.0
name 10.0.0.0 FID-TAB-Cloud
name 10.0.2.0 FID-PRINT-Cloud

Neither of those matches the packet-tracer output you show.

New Member

Re: Issue with VPN site-to-site traffic flow

Thanks for your comments. I have seen that, but my problem is with the L2L between 10.2.1.0/24 (Admin-network) and 10.254.0.0/24 (DC_Unibail-network), the access-list called internet_cryptomap.

Never mind the other one.

Hall of Fame Super Silver

Re: Issue with VPN site-to-site traffic flow

Nicolas,

Yes, sorry, I missed that access-list when I looked at the configuration the first time. The ACL looks correct. You are also correctly exempting the VPN traffic from NAT with

     access-list ADMIN_nat0_outbound_1 extended permit ip 10.2.1.0 255.255.255.0 DC_Unibail-network 255.255.255.0

So all looks proper in your configuration.

From the status you provided, we see state "MM Active" indicating you have Main Mode Active = a good tunnel created. We also see:

     #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5

     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

So your interesting traffic is entering the VPN (encaps) but no replies (decaps) are seen. This most commonly indicates an issue with the distant end configuration. Can you or your partner check their configuration and verify the return traffic path is set correctly to go back into the VPN tunnel and be exempt from NAT?
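
Marvin's reading of the encaps/decaps counters, turned into a small parser, as an added example that is not part of the original thread and not a Cisco tool: it walks a constructed excerpt of "show crypto ipsec sa" output (the peer addresses 198.51.100.2 and 203.0.113.x and the second, healthy SA are assumptions; the 5/0 counters are the values quoted in the post) and labels each SA with the failure mode its counters suggest, so that on a box with many tunnels the one-way tunnel stands out.

```python
import re

# Constructed "show crypto ipsec sa" excerpt. The first SA carries the counters
# quoted in the thread (5 encapsulated, 0 decapsulated); the second SA, the peer
# addresses and the seq numbers are assumptions added to show a per-tunnel report.
SAMPLE_SA_OUTPUT = """\
interface: internet
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.2

      local ident (addr/mask/prot/port): (10.2.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.7

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.2

      local ident (addr/mask/prot/port): (10.2.59.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      current_peer: 203.0.113.9

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
      #send errors: 0, #recv errors: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sas(text):
    """Split the output into one dict per SA: local, remote ('addr/mask'), encaps, decaps.
    A new SA starts at every 'local ident' line; the counters that follow belong to it."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            if m.group(1) == "local":
                cur = {"local": None, "remote": None, "encaps": None, "decaps": None}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
            continue
        m = COUNTER_RE.search(line)
        if m and cur is not None:
            cur[m.group(1)] = int(m.group(2))
    return sas


def classify(sa):
    """Map the counter pair to the direction that is failing."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc is None or dec is None:
        return "incomplete"
    if enc == 0 and dec == 0:
        return "no-traffic"     # nothing matched the crypto ACL locally: crypto ACL, NAT exemption, routing
    if enc > 0 and dec == 0:
        return "no-return"      # the case in the thread: we encrypt, nothing comes back: look at the remote side
    if enc == 0 and dec > 0:
        return "no-forward"     # remote sends, we never encrypt replies: local return path, NAT exemption, vpn-filter
    return "bidirectional"


def report(text):
    """{(local ident, remote ident): classification} for every SA in the output."""
    return {(sa["local"], sa["remote"]): classify(sa) for sa in parse_sas(text)}


if __name__ == "__main__":
    for (local, remote), verdict in report(SAMPLE_SA_OUTPUT).items():
        print(f"{local} <-> {remote}: {verdict}")
```

The "no-return" verdict is exactly the encaps-but-no-decaps pattern described above; it says the local side is doing its part and the next place to look is the peer's crypto ACL, NAT exemption and routing, not the local configuration.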

New Member

Re: Issue with VPN site-to-site traffic flow

So, I have been investigating since this morning, and now packet-tracer tells me:

I can't find what "vpn-user" is.

Phase: 6
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:

Result:
input-interface: vpnip-unibail
input-status: up
input-line-status: up
output-interface: internet
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Hall of Fame Super Silver

Re: Issue with VPN site-to-site traffic flow

I did notice your site-site access list internet_cryptomap is also referenced in the following:

group-policy AEROVILLE attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter value internet_cryptomap
 vpn-tunnel-protocol IPSec l2tp-ipsec

Could this be the "vpn-user" that is a problem?

Super Bronze

Re: Issue with VPN site-to-site traffic flow

Hi Nicolas and Marvin,

I think that is exactly what the "vpn-user" refers to.

I have had this happen to me a couple of times (forgetting the VPN Filter ACL), since not all customer setups use the VPN Filter ACL but rather have the "no sysopt connection permit-vpn" configuration, which allows traffic control on the VPN terminating interface.

- Jouni

New Member

Re: Issue with VPN site-to-site traffic flow

With or without this command the effect is the same:

Phase: 10
Type: ACCESS-LIST
Subtype: vpn-user
Result: DROP
Config:
Additional Information:

Super Bronze

Re: Issue with VPN site-to-site traffic flow

Hi,

Looking at the actual attached configuration, this interface "vpnip-unibail" in the output of "packet-tracer" seems to indicate that this is from the other device used for this L2L VPN, whose configuration we have not seen?

Does it have a VPN Filter ACL also?

Notice that L2L VPN Filter ACLs should always have the remote network as the source of the ACL. Sounds weird, I know.

- Jouni
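
The remote-network-as-source rule Jouni describes, together with the vpn-filter reuse of internet_cryptomap that Marvin spotted, modelled in Python as an added example (not the poster's configuration and not Cisco code): it parses a constructed ASA fragment built from the thread's Admin-network (10.2.1.0/24) and DC_Unibail-network (10.254.0.0/24), applies the ASA's vpn-filter lookup (decrypted inbound packets are matched as written, packets heading into the tunnel are matched with source and destination swapped), and shows why the crypto-map ACL, which has the local network as source, denies both directions when used as a vpn-filter, while an ACL written remote-as-source permits them. The filter name l2l_filter and the host addresses 10.2.1.10 and 10.254.0.10 are assumptions.

```python
import ipaddress

# Constructed ASA config fragment in the style of the thread. The networks and the
# "name" alias come from the thread; the ACL "l2l_filter" is an assumed, correctly
# written vpn-filter (remote network as source) for comparison.
CONFIG = """\
name 10.254.0.0 DC_Unibail-network
access-list internet_cryptomap extended permit ip 10.2.1.0 255.255.255.0 DC_Unibail-network 255.255.255.0
access-list l2l_filter extended permit ip DC_Unibail-network 255.255.255.0 10.2.1.0 255.255.255.0
"""


def _take_addr(tokens, names):
    """Consume one ASA address spec ('any', 'host X', or 'X MASK', with 'name' aliases)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(names.get(tokens[1], tokens[1]) + "/32"), tokens[2:]
    addr = names.get(tokens[0], tokens[0])
    return ipaddress.ip_network(f"{addr}/{tokens[1]}"), tokens[2:]


def parse_config(text):
    """Return (names, acls): names maps 'name' aliases to addresses, acls maps an ACL
    name to a list of (action, src_network, dst_network). Only the
    'extended permit|deny ip <src> <dst>' form is handled; object-groups are out of scope."""
    names, acls = {}, {}
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    for t in lines:                      # first pass: collect aliases
        if t[0] == "name":
            names[t[2]] = t[1]
    for t in lines:                      # second pass: ACEs
        if t[0] != "access-list" or t[2] != "extended":
            continue
        acl, action, proto, rest = t[1], t[3], t[4], t[5:]
        if proto != "ip":
            raise ValueError("only 'ip' ACEs are modelled here")
        src, rest = _take_addr(rest, names)
        dst, rest = _take_addr(rest, names)
        acls.setdefault(acl, []).append((action, src, dst))
    return names, acls


def acl_lookup(aces, src, dst):
    """First-match ACL evaluation with the ASA's implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, sn, dn in aces:
        if s in sn and d in dn:
            return action
    return "deny"


def vpn_filter_permits(aces, src, dst, direction):
    """ASA evaluates a vpn-filter with the remote network as the ACE source: packets
    that just left the tunnel ('inbound') are matched as-is, packets about to enter
    it ('outbound') are matched with source and destination swapped."""
    if direction == "outbound":
        src, dst = dst, src
    return acl_lookup(aces, src, dst) == "permit"


def check_filter(acl_name, config=CONFIG):
    """Does a LAN-to-LAN flow between an inside host (10.2.1.10, assumed) and a remote
    host (10.254.0.10, assumed) pass in both directions through acl_name as vpn-filter?"""
    _, acls = parse_config(config)
    aces = acls[acl_name]
    return {
        "inbound": vpn_filter_permits(aces, "10.254.0.10", "10.2.1.10", "inbound"),
        "outbound": vpn_filter_permits(aces, "10.2.1.10", "10.254.0.10", "outbound"),
    }


if __name__ == "__main__":
    print("crypto ACL reused as vpn-filter:", check_filter("internet_cryptomap"))
    print("filter written remote-as-source:", check_filter("l2l_filter"))
```

Only the network layer is modelled and object-groups such as DM_INLINE_NETWORK_1 are not expanded; the real vpn-filter also swaps the port numbers for outbound traffic, so an ACE that permits a service has to name the port as the remote side sees it. The drop with Subtype "vpn-user" in the packet-tracer output is what the first line of the script's output corresponds to: the crypto ACL is a perfectly good match address for the crypto map but the wrong shape for a filter.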
