Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3239
Views
0
Helpful
6
Replies

No traffic sent through my IPsec tunnel

Go to solution
FlorianBerthelot
Level 1
Level 1

‎01-05-2014 09:50 PM - edited ‎02-21-2020 07:25 PM

Hi the Support Community,

I have been struggling for days on what is - I guess - something very basic.

I have one router i want to connect to my ASA via VPN. This router has dynamic IP, so I managed to bring up the tunnel with a dynamic crypto map, and the router falls into the DefaultL2LGroup (I guess i have no choice anyway, corrct me if i am wrong). So this part is OK now, the tunnel is UP.

However, from the ASA, i can see packets coming from the tunnel but no packets are sent back from the ASA to the router.

ASA has a private network 192.168.250.0/24 and router has 192.168.242.0/24.

And here is the configuration :

     access-list OPT_cryptomap_2 extended permit ip 192.168.242.0 255.255.255.0

     crypto dynamic-map CIPAC-ENERGY-VALE3 2 match address OPT_cryptomap_2

     crypto map OPT_map 2 ipsec-isakmp dynamic CIPAC-ENERGY-VALE3

I do'nt understand what I am missing. I cannot ping the interface on the ASA (i have a permit icmp any any on the interface) but no Hits.

Does that mean that packets are decpasulated and do not even reach the virtual interface on the ASA?

Tunnel is UP :

Show crypto isakmp sa detail

IKE Peer: 180.214.xx.102

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_ACTIVE

    Encrypt : aes-256         Hash    : SHA

    Auth    : preshared       Lifetime: 86400

     Show crypto

     peer address: 180.214.xx.102

    Crypto map tag: CIPAC-ENERGY-VALE3, seq num: 2, local addr: 202.xxx.xx.14

      access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0

      local ident (addr/mask/prot/port): (192.168.250.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.242.0/255.255.255.0/0/0)

      current_peer: 180.214.xx.102

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 90, #pkts decrypt: 80, #pkts verify: 10

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #pkts no sa (send): 0, #pkts invalid sa (rcv): 0

      #pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0

      #pkts invalid prot (rcv): 0, #pkts verify failed: 0

      #pkts invalid identity (rcv): 5, #pkts invalid len (rcv): 0

      #pkts invalid pad (rcv): 0,

      #pkts invalid ip version (rcv): 0,

      #pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0

      #pkts replay failed (rcv): 0

      #pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0

      #pkts internal err (send): 0, #pkts internal err (rcv): 0

      local crypto endpt.: 202.xxx.xx.14/0, remote crypto endpt.: 180.214.xx.102/0

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: B30EBC2B

      current inbound spi : 52DD8189

ping from the ASA interface toward the router :

ASA001# ping

TCP Ping [n]:

Interface: CLT-CIPAC-VALE    (192.168.250.1)

Target IP address: 192.168.242.254

Repeat count: [5]

Datagram size: [100]

Timeout in seconds: [2]

Extended commands [n]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.242.254, timeout is 2 seconds:

?????

Success rate is 0 percent (0/5)

And still no traffic sent through the tunnel.

As i am no familiar with IPSEC any help or guidelines to troubleshhot would be really appreciated, i've already been through a lot of documentation (forums, cisco guides and other blogs).

Best regards

Florian

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to FlorianBerthelot

‎01-06-2014 03:29 PM

If you are trying to ping the inside interface try "management-access inside" and see if this works.

Thanks,

Tarik Admani
*Please rate helpful posts*

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni

‎01-05-2014 11:20 PM

Give this ACL a shot and did exempt the networks from nat?

access-list OPT_cryptomap_2 extended permit ip 192.168.250.0 255.255.255.0 192.168.242.0 255.255.255.0

For NAT

obj-250

subnet 192.168.250.0 255.255.255.0

obj-242

subnet 192.168.242.0 255.255.255.0

nat (inside,outside) source static obj-250 obj-250 destination static obj-242 obj-242

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
FlorianBerthelot
Level 1
Level 1
In response to Tarik Admani

‎01-06-2014 03:24 PM

Hello Tarik,

Thanks for your help, however no chance this didnt do the trick.

I am trying to ping one of the inside Interface on my ASA, wich has an ACL permit icmp any any (for test purposes), but i get 0 hits, although packets are decpasulated and decrypted by the tunnel.

I suppose this means that packets do not even transit from the outside interface to the inside interface ?

I copyed some configuration from another tunnel that works fine but still no chance to make ot work.

I can't find any ways to troubleshoot this any suggestions ?

Tanks a lot !

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to FlorianBerthelot

‎01-06-2014 03:29 PM

If you are trying to ping the inside interface try "management-access inside" and see if this works.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful

Go to solution
FlorianBerthelot
Level 1
Level 1
In response to Tarik Admani

‎01-06-2014 03:45 PM

Tarik you made my day !

I've been struggling for so long and you bring the solution ! Awesome !

I just need to figure out how to make communicate the other remote routers all together

All the best and greatest thanks from Noumea !

Florian

0 Helpful

Go to solution
FlorianBerthelot
Level 1
Level 1
In response to Tarik Admani

‎01-06-2014 03:57 PM

However, just wandering, as this interface is the terminaison of my VPN, i guess this is not secure to make it as the managment interface, as the customer can access to my asa using the asdm and so on...

I allowed the ICMP on the interface :

icmp permit 0.0.0.0 0.0.0.0 MY-INSIDE-INTERFACE

but seems like it was not enough to allow a ping from outside... i'm gonna do some research on this but actually i will not leave the management command applyed on this interface..

Best regards,

0 Helpful

Go to solution
Tarik Admani
VIP Alumni
VIP Alumni
In response to FlorianBerthelot

‎01-06-2014 11:26 PM

Florian,

You still have the ability to limit and restrict on what gains "management" access by using the ssh or http or telnet configuration commands essentially these are like management ACLs that define which networks gain access to your network. If you take a look at the command reference guide -

http://www.cisco.com/en/US/docs/security/asa/command-reference/m1.html#wp2112283

You are allowing the ASA to respond to icmp requests that are coming through the vpn tunnel, you can turn this off but I forgot to mention that this was so you can ping across the tunnel interface.

Thanks,

Tarik Admani
*Please rate helpful posts*

0 Helpful
Customers Also Viewed These Support Documents