09-14-2013 05:09 AM
I'm trying to set up an IKEv1 site-to-site VPN in a lab environment. I followed the wizard in ASDM on both ends and I can see an AES256 connection when I go to Monitoring -> VPN -> Sessions under the IPsec Site-to-Site menu. The problem is I can't reach any devices on the private remote networks. What is confusing is that I don't see anything in my logs when I try to ping the remote network or reach a website on the remote network; however, packet-tracer says everything should go through. The only time packet-tracer fails is when the IPsec site-to-site tunnel is down, but after that failure it prompts the ASA to bring it online; I run it again and it works. Here is the output from my packet-tracer command.
ASA1(config)# packet-tracer input inside tcp 10.1.50.51 80 10.1.60.2 80 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac412500, priority=0, domain=inspect-ip-options, deny=true
hits=103, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 destination static NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.50.51/80 to 10.1.50.51/80
Forward Flow based lookup yields rule:
in id=0xac47ce18, priority=6, domain=nat, deny=false
hits=11, user_data=0xac47a828, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.50.0, mask=255.255.255.0, port=0
dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac43d998, priority=0, domain=host-limit, deny=false
hits=11, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac362ba8, priority=70, domain=encrypt, deny=false
hits=3, user_data=0x0, cs_id=0xacc24588, reverse, flags=0x0, protocol=0
src ip/id=10.1.50.0, mask=255.255.255.0, port=0
dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
ASA1(config)#
Here it is again right after running the command:
ASA1(config)# packet-tracer input inside tcp 10.1.50.51 80 10.1.60.2 80 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 outside
Phase: 2
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac412500, priority=0, domain=inspect-ip-options, deny=true
hits=105, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 destination static NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 no-proxy-arp route-lookup
Additional Information:
Static translate 10.1.50.51/80 to 10.1.50.51/80
Forward Flow based lookup yields rule:
in id=0xac47ce18, priority=6, domain=nat, deny=false
hits=12, user_data=0xac47a828, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.1.50.0, mask=255.255.255.0, port=0
dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac43d998, priority=0, domain=host-limit, deny=false
hits=12, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac401b98, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x38334, cs_id=0xacc24588, reverse, flags=0x0, protocol=0
src ip/id=10.1.50.0, mask=255.255.255.0, port=0
dst ip/id=10.1.60.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xa87bb8f8, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x43c54, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.1.60.0, mask=255.255.255.0, port=0
dst ip/id=10.1.50.0, mask=255.255.255.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac439f80, priority=0, domain=inspect-ip-options, deny=true
hits=437, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 443, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA1(config)#
ASA1(config)# show crypto ikev1 sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
1 IKE Peer: 68.231.6.110
Type : user Role : responder
Rekey : no State : AM_ACTIVE
2 IKE Peer: 65.23.153.227
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
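As an added example (not code from the original post), a small parser for the packet-tracer output above that reports which phase dropped the packet and the drop reason from the summary block; the sample text is a trimmed copy of the first run shown above.

```python
import re
SAMPLE = """\
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static NETWORK_OBJ_10.1.50.0_24 NETWORK_OBJ_10.1.50.0_24 destination static NETWORK_OBJ_10.1.60.0_24 NETWORK_OBJ_10.1.60.0_24 no-proxy-arp route-lookup
Additional Information:
Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Per-phase dicts (phase, type, subtype, result, config lines) plus the trailing summary."""
    phases, summary = [], {}
    current, in_config = None, False
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)$", line)
        if m:
            current, in_config = {"phase": int(m.group(1)), "config": []}, False
            phases.append(current)
            continue
        if line == "Result:":  # a bare "Result:" starts the final summary block
            current, in_config = None, False
            continue
        key, sep, value = line.partition(":")
        if current is None and sep:
            summary[key] = value.strip()
        elif key == "Config" and sep:
            in_config = True
        elif key == "Additional Information" and sep:
            in_config = False
        elif in_config:
            current["config"].append(line)
        elif sep:
            current[key.lower()] = value.strip()
    return phases, summary

def first_drop(text):
    # Returns (phase, type, subtype, drop_reason) for the first DROP phase, else None
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p.get("result") == "DROP":
            return p["phase"], p.get("type"), p.get("subtype"), summary.get("Drop-reason")
    return None
```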
09-14-2013 02:00 PM
show conn detail long
09-14-2013 02:25 PM
ASA1# show conn detail long
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
ASA2# show conn detail long
4 in use, 7 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
09-14-2013 02:27 PM
I mean while trying to send TCP traffic.
09-14-2013 02:33 PM
ASA1 is trying to reach 10.1.60.3 or 10.1.60.2 on the same inside network as ASA2.
ASA1# show conn detail long
5 in use, 5 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
UDP outside:10.1.50.51/138 (10.1.50.51/138) inside:10.1.50.255/138 (10.1.50.255/138), flags -, idle 48s, uptime 1m4s, timeout 2m0s, bytes 2526
UDP outside:10.1.50.51/137 (10.1.50.51/137) inside:10.1.50.255/137 (10.1.50.255/137), flags -, idle 49s, uptime 1m12s, timeout 2m0s, bytes 2014
ASA2# show conn detail long
19 in use, 22 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
UDP outside:10.1.60.51/49712 (10.1.60.51/49712) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 27s, uptime 27s, timeout 2m0s, bytes 33
UDP outside:10.1.60.51/55737 (10.1.60.51/55737) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 30s, uptime 30s, timeout 2m0s, bytes 43
UDP outside:10.1.60.51/65457 (10.1.60.51/65457) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 30s, uptime 30s, timeout 2m0s, bytes 43
UDP outside:10.1.60.51/58221 (10.1.60.51/58221) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 30s, uptime 30s, timeout 2m0s, bytes 43
UDP outside:10.1.60.51/54759 (10.1.60.51/54759) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 32s, uptime 32s, timeout 2m0s, bytes 37
UDP outside:10.1.60.51/64513 (10.1.60.51/64513) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 33s, uptime 33s, timeout 2m0s, bytes 28
UDP outside:10.1.60.51/52581 (10.1.60.51/52581) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 36s, uptime 36s, timeout 2m0s, bytes 38
UDP outside:10.1.60.51/50192 (10.1.60.51/50192) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 37s, uptime 37s, timeout 2m0s, bytes 42
UDP outside:10.1.60.51/58295 (10.1.60.51/58295) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 37s, uptime 37s, timeout 2m0s, bytes 37
UDP outside:10.1.60.51/64512 (10.1.60.51/64512) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 37s, uptime 37s, timeout 2m0s, bytes 37
UDP outside:10.1.60.51/54758 (10.1.60.51/54758) inside:10.1.60.2/53 (10.1.60.2/53), flags -, idle 37s, uptime 37s, timeout 2m0s, bytes 32
UDP outside:10.1.60.51/138 (10.1.60.51/138) inside:10.1.60.255/138 (10.1.60.255/138), flags -, idle 23s, uptime 39s, timeout 2m0s, bytes 2526
UDP outside:10.1.60.51/137 (10.1.60.51/137) inside:10.1.60.255/137 (10.1.60.255/137), flags -, idle 24s, uptime 47s, timeout 2m0s, bytes 2014
09-14-2013 02:49 PM
I guess you mixed up the inside and outside cables.
This is a src IP and port:
UDP outside:10.1.60.51/49712
09-15-2013 06:40 AM
Maybe not the cables, because nothing would work at that point; however, it's possible I may have botched that in the site-to-site configuration somewhere. I haven't been able to find the error in my config file.
09-15-2013 01:00 PM
ASA1 sees packets from 10.1.50.51/138 on the outside interface.
ASA2 sees packets from 10.1.60.51/49712 on the outside interface.
Don't you think the PC's are connected in the wrong zone?
09-15-2013 06:52 PM
10.1.50.51 and 10.1.60.51 are both VPN clients, which might explain why they are showing up on the outside interface. Should they still show up on the inside interface if they are VPN clients? If so, could you show me the line in my configuration that needs to be set to inside in order to correct the problem?
09-15-2013 11:15 PM
Sorry, from the topic title I concluded that we are dealing with a site-to-site scenario and did not take VPN clients into account. Just rate it with 1 star. (-:
However, what we need to inspect is traffic originating from a LAN1 PC destined to a LAN2 PC and the live output of
show conn det long
Keep sending all kinds of traffic (fast hands) until you get some output with the PC IP addresses.
09-16-2013 01:16 AM
I'm not getting anything when I try to send packets from hosts on the same LAN as the ASA. Here are my routes for both machines as well as the output from the command.
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 65.23.154.1 0.0.0.0 UG 0 0 0 xenbr0
10.1.60.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
65.23.129.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr0
65.23.154.0 0.0.0.0 255.255.255.0 U 0 0 0 xenbr0
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.3 0.0.0.0 UG 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
ASA1# show conn detail long
0 in use, 5 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
ASA2# show conn detail long
0 in use, 22 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
k - Skinny media, M - SMTP data, m - SIP media, n - GUP
O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
V - VPN orphan, W - WAAS,
X - inspected by service module
I tried generating traffic with pings, refreshing the page, and also tried a program called Mausezahn, and the above output is all I got.
09-16-2013 01:33 PM
Packets don't go through the ASA as the hosts don't have a route pointing to ASA inside IP address. (10.1.50.1 and 10.1.60.1)
Something like this
10.1.60.0 255.255.255.0 gateway 10.1.50.1
and vice versa
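As an added example (not from the thread), a route-table check that shows why the hosts' traffic never reached the ASA: it parses `route -n` output, does the kernel's longest-prefix match, and reports whether a remote-subnet address is sent to the ASA inside IP. BEFORE is the LAN1 host's table as posted; AFTER is a constructed copy with the route from the answer above added.

```python
import ipaddress

# LAN1 host's route -n as posted: no entry for 10.1.60.0/24, so it follows the default
BEFORE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.1.3 0.0.0.0 UG 0 0 0 eth0
10.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.1.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
"""
# Constructed: the same table after adding the route from the accepted answer
AFTER = BEFORE + "10.1.60.0 10.1.50.1 255.255.255.0 UG 0 0 0 eth1\n"

def parse_route_n(text):
    """Return [(network, gateway, flags, iface)] from `route -n` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "Destination":
            continue  # skip the title and header lines
        net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        routes.append((net, parts[1], parts[3], parts[7]))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; returns (next_hop, iface), next_hop None when on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, flags, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, flags, iface)
    if best is None:
        return None
    net, gw, flags, iface = best
    return (gw if "G" in flags else None, iface)

def reaches_via_asa(routes, dst, asa_inside_ip):
    """True when traffic to dst is handed to the ASA inside address (the fix above)."""
    hop = lookup(routes, dst)
    return hop is not None and hop[0] == asa_inside_ip
```

The same check applies on the LAN2 host with 10.1.50.0/24 and gateway 10.1.60.1.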
09-17-2013 05:24 AM
Peter, thank you, that seems to have fixed the problem for LAN users. One last question and I should be good to go. How would I be able to get the same effect for VPN users? I added an ACE (where I set up split tunneling originally) for the remote networks, but I am unable to reach the other site's local network.
09-17-2013 08:27 AM
On top of the ACE I needed to add this line to my configuration.
same-security-traffic permit intra-interface
My site-to-site VPN is working now, though if anyone knows where I could find that option in the ASDM, that would be the only thing left that I am still trying to figure out.