L2L vpn issue ASA 5505

Bart Kersten
Level 1

Hi,

We have 2 sites connected through an IPsec site-to-site VPN tunnel.

IKE phases are successful, so the VPN tunnel establishes.

The problem is that at one site I see TX and RX, and on the other site I only have TX.

So traffic is going over the tunnel, only it cannot go back. Although I did a packet capture on the ASA that has TX and RX, and I clearly saw that it tried to send back an echo reply to the packets that were sent from the site that only has TX.

The other weird thing is that there is no logging on the ASA that indicates that there is something wrong with the VPN. No errors or anything.

Most of the time when I'm troubleshooting a VPN I see logging on misconfigured NAT or ACLs. But I see no logging at all.

I tested both ASAs with a third location, building VPNs in both directions from ASA 3, and both sites pass traffic over the VPN tunnel without a problem.

I'm totally confused; has someone encountered this problem before?

Any help is welcome, thanks in advance.

Bart

Sent from Cisco Technical Support iPhone App

6 Replies

Bart Kersten
Level 1

I did some further investigation and saw that the site that only has TX is not decrypting the packets:

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

The site that has TX and RX is decrypting the packets:

      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

I've been searching the web again and found some resolutions, but none of them worked. Also, to mention, the VPN always worked until a week or so ago. I have thought about routing issues in the provider network, but they said that this was not possible.
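The counter comparison in the post above (one peer's "#pkts encaps" against the other peer's "#pkts decaps") is the quickest way to tell which direction of an IPsec tunnel is broken. The script below is an added example, not code from the thread or from Cisco: it parses the counter lines of `show crypto ipsec sa` from both peers and reports, per direction, whether ESP is sent but never decapsulated, or decapsulated but failing integrity verification. The sample outputs are constructed from the values quoted above.

```python
import re

# Constructed sample input, modelled on the "show crypto ipsec sa" counters quoted
# above: the TX-only peer encapsulates but never decapsulates, the other peer does both.
TX_ONLY_SITE = """\
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""
TX_RX_SITE = """\
      #pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
      #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
      #pkts compressed: 0, #pkts decompressed: 0
      #send errors: 0, #recv errors: 0
"""

# One "#name: value" pair; each output line carries several pairs separated by commas.
COUNTER_RE = re.compile(r"#([A-Za-z][A-Za-z \-]*?):\s*(\d+)")


def parse_counters(text):
    """Map each '#pkts ...' / '#... errors' counter name to its integer value."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def diagnose(local, remote):
    """Compare what each peer encapsulated with what the other peer decapsulated.

    The counters are cumulative since the SA pair was built, so the comparison is
    only meaningful when both outputs come from the same pair of SAs (same SPIs).
    Returns a list of findings; an empty list means both directions look healthy.
    """
    findings = []
    for sender, receiver, label in ((local, remote, "local -> remote"),
                                    (remote, local, "remote -> local")):
        sent = sender.get("pkts encaps", 0)
        received = receiver.get("pkts decaps", 0)
        verified = receiver.get("pkts verify", 0)
        if sent == 0:
            findings.append(f"{label}: no packets encapsulated yet; generate traffic first")
        elif received == 0:
            findings.append(f"{label}: {sent} ESP packets sent but 0 decapsulated; "
                            "ESP is not reaching the far side, or is dropped before decryption")
        elif verified < received:
            findings.append(f"{label}: {received - verified} decapsulated packets failed "
                            "integrity verification (SA mismatch or corrupted ESP)")
        elif receiver.get("recv errors", 0):
            findings.append(f"{label}: receive errors reported on the decrypting peer")
    return findings


def diagnose_text(local_output, remote_output):
    """Convenience wrapper taking the raw CLI output of both peers."""
    return diagnose(parse_counters(local_output), parse_counters(remote_output))


if __name__ == "__main__":
    for finding in diagnose_text(TX_ONLY_SITE, TX_RX_SITE) or ["both directions healthy"]:
        print(finding)
```

Run against the two outputs above it reports a single finding for the remote -> local direction: the far peer encapsulated 3 packets and the TX-only peer decapsulated none, which is exactly the "ESP never arrives" symptom rather than a NAT or ACL drop (a packet dropped by the ASA after decryption would still have incremented decaps).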

Hi Bart,

If the traffic actually leaves the other side back towards the 5505, then it shouldn't be a NAT or routing issue.

It resembles an ESP filtering issue. What's in front of the ASA 5505 that only sees TX and no RX? Maybe they are filtering incoming ESP packets with an ACL...

Hope that helps,

Patrick

Hi, thanks for the reply,

In front of that ASA sits a Genexis device; it's a fiber-to-the-home line. We've already contacted their provider and they said they don't filter ESP. Below see the packet capture that I did; the site that only has TX is Dordrecht. Local subnets are

192.168.10.0 -> ASA ---------------NET----------------ASA <-192.168.11.0

The site 192.168.10.0 only has TX and the site 192.168.11.0 has both TX and RX, see packet capture below:

Packet-capture Rotterdam

access-list CAP-D extended permit ip host 192.168.11.10 host 192.168.10.1
access-list CAP-D extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CAP-D extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
capture CAP-D access-list CAP-D interface outside
capture CAP-D access-list CAP-D interface inside
show capture CAP-D
  13: 14:13:45.858262 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  14: 14:13:45.858567 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  15: 14:13:50.864350 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  16: 14:13:50.864579 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  17: 14:13:55.855546 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  18: 14:13:55.855821 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  19: 14:14:00.861817 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  20: 14:14:00.862122 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  21: 14:14:05.852723 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  22: 14:14:05.853044 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply

Packet-capture Dordrecht

access-list CAP-R extended permit ip host 192.168.10.1 host 192.168.11.10
access-list CAP-R extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list CAP-R extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
capture CAP-R access-list CAP-R interface outside
capture CAP-R access-list CAP-R interface inside
show capture CAP-R
14 packets captured
   1: 14:21:45.790364 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   2: 14:21:50.796620 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   3: 14:21:55.787450 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   4: 14:22:00.794178 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   5: 14:22:05.786702 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   6: 14:22:10.791234 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   7: 14:22:15.378932 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161:  udp 78
   8: 14:22:15.782170 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   9: 14:22:20.788624 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  10: 14:22:25.779424 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  11: 14:22:26.218616 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161:  udp 78
  12: 14:22:30.786122 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  13: 14:22:35.777456 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  14: 14:22:36.360531 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161:  udp 78

Some more information:

sh crypto ipsec sa (site that only has TX)

    Crypto map tag: outside_map, seq num: 1, local addr: 212.84.156.44

      access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 192.168.11.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      current_peer: 95.97.20.134

      #pkts encaps: 629, #pkts encrypt: 629, #pkts digest: 629
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 629, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 212.84.156.44/500, remote crypto endpt.: 95.97.20.134/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: FA55339C
      current inbound spi : 8EFCF12B

    inbound esp sas:
      spi: 0x8EFCF12B (2398941483)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2371584, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3962880/15974)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
    outbound esp sas:
      spi: 0xFA55339C (4199887772)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 2371584, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4285374/15974)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

sh crypto isakmp sa

Session-id:34, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
354183605     212.84.156.44/500      95.97.20.134/500      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12906 sec
Child sa: local selector  192.168.10.0/0 - 192.168.10.255/65535
          remote selector 192.168.11.0/0 - 192.168.11.255/65535
          ESP spi in/out: 0x8efcf12b/0xfa55339c


sh crypto ipsec sa (site that has TX and RX)

interface: outside

    Crypto map tag: outside_map, seq num: 1, local addr: 95.97.20.134

      access-list outside_cryptomap extended permit ip 192.168.11.0 255.255.255.0 192.168.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      current_peer: 212.84.156.44

      #pkts encaps: 653, #pkts encrypt: 653, #pkts digest: 653
      #pkts decaps: 636, #pkts decrypt: 636, #pkts verify: 636
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 653, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 95.97.20.134/500, remote crypto endpt.: 212.84.156.44/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8EFCF12B
      current inbound spi : FA55339C

    inbound esp sas:
      spi: 0xFA55339C (4199887772)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 274432, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3916734/15827)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x8EFCF12B (2398941483)
         transform: esp-des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 274432, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4054970/15827)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

sh crypto isakmp sa

IKEv2 SAs:

Session-id:27, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
2010637695      95.97.20.134/500     212.84.156.44/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/13010 sec
Child sa: local selector  192.168.11.0/0 - 192.168.11.255/65535
          remote selector 192.168.10.0/0 - 192.168.10.255/65535
          ESP spi in/out: 0xfa55339c/0x8efcf12b
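The two `show capture` listings above make the asymmetry visible only if you pair each echo request with the echo reply flowing the other way. The script below is an added example, not code from the thread or from Cisco: it parses lines in the ASA `show capture` format shown above (the `802.1Q vlan#1 P0` tag, optional port suffix on the addresses, and both the `icmp:` and `udp` forms), pairs requests with replies per source/destination, and lists the flows that are one-way. The two capture excerpts are constructed from the lines quoted above.

```python
import re

# Constructed excerpts of the two "show capture" outputs quoted above (a few lines
# each): Rotterdam sees requests and replies, Dordrecht sees requests only.
ROTTERDAM_CAPTURE = """\
  13: 14:13:45.858262 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  14: 14:13:45.858567 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  15: 14:13:50.864350 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  16: 14:13:50.864579 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
  17: 14:13:55.855546 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
  18: 14:13:55.855821 802.1Q vlan#1 P0 192.168.11.10 > 192.168.10.1: icmp: echo reply
"""
DORDRECHT_CAPTURE = """\
14 packets captured
   1: 14:21:45.790364 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   2: 14:21:50.796620 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   3: 14:21:55.787450 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   4: 14:22:00.794178 802.1Q vlan#1 P0 192.168.10.1 > 192.168.11.10: icmp: echo request
   7: 14:22:15.378932 802.1Q vlan#1 P0 192.168.10.1.54261 > 192.168.11.10.161:  udp 78
"""

# An IPv4 address with an optional ".port" suffix, as the ASA prints it.
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})(?:\.(\d+))?"
# "<seq>: <time> <link-layer tags> <src> > <dst>: <protocol summary>"
LINE_RE = re.compile(
    r"^\s*(\d+):\s+(\d\d:\d\d:\d\d\.\d+)\s+.*?" + IPV4 + r"\s+>\s+" + IPV4 + r":\s+(.*?)\s*$"
)


def parse_capture(text):
    """Return one dict per packet line; header lines like '14 packets captured' are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, ts, src, sport, dst, dport, proto = m.groups()
        packets.append({"seq": int(seq), "time": ts, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "proto": proto})
    return packets


def summarize_icmp(capture_text):
    """Count echo requests per (src, dst) and the echo replies answering them (dst -> src)."""
    counts = {}
    for pkt in parse_capture(capture_text):
        if pkt["proto"] == "icmp: echo request":
            key = (pkt["src"], pkt["dst"])
            req, rep = counts.get(key, (0, 0))
            counts[key] = (req + 1, rep)
        elif pkt["proto"] == "icmp: echo reply":
            key = (pkt["dst"], pkt["src"])  # reply belongs to the reverse flow
            req, rep = counts.get(key, (0, 0))
            counts[key] = (req, rep + 1)
    return counts


def one_way_flows(counts):
    """Flows with at least one request and no reply at all, sorted for stable output."""
    return sorted(key for key, (req, rep) in counts.items() if req and not rep)


if __name__ == "__main__":
    for name, capture in (("Rotterdam", ROTTERDAM_CAPTURE), ("Dordrecht", DORDRECHT_CAPTURE)):
        counts = summarize_icmp(capture)
        for (src, dst), (req, rep) in counts.items():
            print(f"{name}: {src} -> {dst}: {req} requests, {rep} replies")
        print(f"{name}: one-way flows: {one_way_flows(counts)}")
```

On the Rotterdam capture every request has a reply (3/3), so that ASA both received the echo request through the tunnel and forwarded the reply back. On the Dordrecht capture the same flow shows 4 requests and 0 replies, which matches the decaps counter of 0 on that peer: the replies leave Rotterdam but are never decrypted at Dordrecht. Seeing both captures side by side this way narrows the search to the path between the two outside interfaces, which is where Patrick's ESP filtering question points.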



Can you triple-check your NAT statements?

You can do a show nat detail and show xlate to see if you have an entry...

Also please post your configs.

Patrick

ajitp2004
Level 1

Hi,

At the site where the decaps are showing 0, check the NAT applied. Is the remote host NATed? If yes, then check that NAT configuration.

Also, from the same firewall where decaps are 0, check the routing back to the host. This might be due to asymmetric routing for the host.

-Ajit
