10-10-2013 10:58 AM
Hi,
We have 2 sites connected through an IPsec site-to-site VPN tunnel.
IKE phases are successful, so the VPN tunnel establishes.
The problem is that at one site I see TX and RX and on the other site I only have TX.
So traffic is going over the tunnel, only it cannot go back. Although I did a packet capture on the ASA that has TX and RX and I clearly saw that it tried to send back an echo reply to the packets that were sent from the site that only has TX.
The other weird thing is that there is no logging on the ASA that indicates that there is something wrong with the VPN. No errors or anything.
Most of the time when I'm troubleshooting a VPN I see logging on misconfigured NAT or ACLs. But I see no logging at all.
I tested both ASAs with a third location, building VPNs in both directions from ASA 3, and both sites pass traffic over the VPN tunnel without a problem.
I'm totally confused; is there someone who has encountered this problem before?
Any help is welcome, thanks in advance.
Bart
Sent from Cisco Technical Support iPhone App
10-11-2013 07:35 AM
I did some further investigation and saw that the site that only has TX is not decrypting the packets:
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
The site that has TX and RX is decrypting the packets:
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
I've been searching the web again and found some resolutions, but none of them worked. Also, to mention, the VPN always worked until a week or so ago. I have thought about routing issues in the provider network, but they said that this was not possible.
10-11-2013 12:44 PM
Hi Bart,
If the traffic actually leaves the other side back towards the 5505 then it shouldn't be a NAT or routing issue.
It resembles an ESP filtering issue. What's in front of the ASA 5505 that only sees TX and no RX? Maybe they are filtering incoming ESP packets with an ACL...
Hope that helps,
Patrick
10-14-2013 06:58 AM
Hi, thanks for the reply,
In front of that ASA sits a Genexis device; it's a fiber-to-the-home line. We've already contacted their provider and they said they didn't filter ESP. See the packet capture I did below; the site that only has TX is Dordrecht. Local subnets are
192.168.10.0 -> ASA ---------------NET----------------ASA <-192.168.11.0
The site 192.168.10.0 only has TX and the site 192.168.11.0 has both TX and RX, see packet capture below:
Packet-capture Rotterdam
access-list CAP-D extended permit ip host 192.168.11.10 host 192.168.10.1
access-list CAP-D extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CAP-D extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
capture CAP-D access-list CAP-D interface outside
capture CAP-D access-list CAP-D interface inside
show capture CAP-D
13: 14:13:45.858262 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
14: 14:13:45.858567 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
15: 14:13:50.864350 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
16: 14:13:50.864579 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
17: 14:13:55.855546 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
18: 14:13:55.855821 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
19: 14:14:00.861817 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
20: 14:14:00.862122 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
21: 14:14:05.852723 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
22: 14:14:05.853044 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
Packet-capture Dordrecht
access-list CAP-R extended permit ip host 192.168.10.1 host 192.168.11.10
access-list CAP-R extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CAP-R extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
capture CAP-R access-list CAP-R interface outside
capture CAP-R access-list CAP-R interface inside
show capture CAP-R
14 packets captured
1: 14:21:45.790364 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
2: 14:21:50.796620 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
3: 14:21:55.787450 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
4: 14:22:00.794178 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
5: 14:22:05.786702 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
6: 14:22:10.791234 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
7: 14:22:15.378932 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161: udp 78
8: 14:22:15.782170 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
9: 14:22:20.788624 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
10: 14:22:25.779424 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
11: 14:22:26.218616 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161: udp 78
12: 14:22:30.786122 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
13: 14:22:35.777456 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
14: 14:22:36.360531 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161: udp 78
10-14-2013 07:40 AM
Some more information:
sh crypto ipsec sa (site that only has TX)
Crypto map tag: outside_map, seq num: 1, local addr: 212.84.156.44
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
current_peer: 95.97.20.134
#pkts encaps: 629, #pkts encrypt: 629, #pkts digest: 629
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 629, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 212.84.156.44/500, remote crypto endpt.: 95.97.20.134/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: FA55339C
current inbound spi : 8EFCF12B
inbound esp sas:
spi: 0x8EFCF12B (2398941483)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2371584, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3962880/15974)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xFA55339C (4199887772)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2371584, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4285374/15974)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh crypto isakmp sa
Session-id:34, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
354183605 212.84.156.44/500 95.97.20.134/500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/12906 sec
Child sa: local selector 192.168.10.0/0 - 192.168.10.255/65535
remote selector 192.168.11.0/0 - 192.168.11.255/65535
ESP spi in/out: 0x8efcf12b/0xfa55339c
sh crypto ipsec sa (site that has TX and RX)
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 95.97.20.134
access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
current_peer: 212.84.156.44
#pkts encaps: 653, #pkts encrypt: 653, #pkts digest: 653
#pkts decaps: 636, #pkts decrypt: 636, #pkts verify: 636
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 653, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 95.97.20.134/500, remote crypto endpt.: 212.84.156.44/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 8EFCF12B
current inbound spi : FA55339C
inbound esp sas:
spi: 0xFA55339C (4199887772)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 274432, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (3916734/15827)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x8EFCF12B (2398941483)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 274432, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4054970/15827)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
sh crypto isakmp sa
IKEv2 SAs:
Session-id:27, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
2010637695 95.97.20.134/500 212.84.156.44/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/13010 sec
Child sa: local selector 192.168.11.0/0 - 192.168.11.255/65535
remote selector 192.168.10.0/0 - 192.168.10.255/65535
ESP spi in/out: 0xfa55339c/0x8efcf12b
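A small check I wrote for reading the two "show crypto ipsec sa" outputs posted on 10-11 and 10-14 side by side (my own Python, not code from this thread or from Cisco). It parses the counters and SPIs from constructed excerpts that reuse the posted values, confirms the SPIs cross-match between the peers, and flags the pattern seen here: the peer encrypts, the local side never decapsulates, and there are no receive errors, which means ESP never reached the local crypto engine and the drop is upstream of IPsec.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from the two peers, using
# only the counter and SPI values posted in the thread (not the full output).
DORDRECHT = """\
#pkts encaps: 629, #pkts encrypt: 629, #pkts digest: 629
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
current outbound spi: FA55339C
current inbound spi : 8EFCF12B
"""
ROTTERDAM = """\
#pkts encaps: 653, #pkts encrypt: 653, #pkts digest: 653
#pkts decaps: 636, #pkts decrypt: 636, #pkts verify: 636
#send errors: 0, #recv errors: 0
current outbound spi: 8EFCF12B
current inbound spi : FA55339C
"""

FIELDS = {
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "verify": r"#pkts verify: (\d+)",
    "recv_errors": r"#recv errors: (\d+)",
    "spi_out": r"current outbound spi:\s*([0-9A-Fa-f]+)",
    "spi_in": r"current inbound spi\s*:\s*([0-9A-Fa-f]+)",
}

def parse_sa(text):
    """Pull the counters and SPIs that a one-way-traffic check needs."""
    sa = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if not m:
            raise ValueError("field missing from output: " + name)
        sa[name] = m.group(1).upper() if name.startswith("spi") else int(m.group(1))
    return sa

def diagnose(local, remote):
    """Return findings for the tunnel as seen from 'local', given the peer's SA."""
    findings = []
    # The SPIs must cross: what local expects inbound is what remote sends outbound.
    if local["spi_in"] != remote["spi_out"] or local["spi_out"] != remote["spi_in"]:
        findings.append("spi_mismatch: stale SA, clear and rebuild the tunnel")
    # Peer encrypts, local never decapsulates, no recv errors: ESP never reached
    # local's crypto engine, so look upstream (ESP filtering, NAT, path), not at IPsec.
    if remote["encaps"] > 0 and local["decaps"] == 0 and local["recv_errors"] == 0:
        findings.append("esp_not_arriving: inbound ESP dropped before the ASA")
    # Decapsulated but not verified means ICV failures, i.e. a key or SA problem.
    if local["decaps"] > local["verify"]:
        findings.append("auth_failures: decaps exceed verified packets")
    return findings
```

Run against the posted values it reports nothing for Rotterdam and a single esp_not_arriving finding for Dordrecht, which is why a capture on the outside interface matching ESP (rather than the inner 192.168.x.x addresses used in the captures above) is the next thing to look at.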
10-15-2013 07:57 AM
Can you triple-check your NAT statements?
You can do a show nat detail and show xlate to see if you have an entry...
Also please post your configs.
Patrick
10-15-2013 05:48 PM
Hi,
At the site where the decaps are showing 0, check the NAT applied. Is the remote host NATed? If yes, then check that NAT configuration.
Also, from the same firewall where decaps are 0, check the routing back to the host. This might be due to asymmetric routing for the host.
-Ajit