
New Member

Site to Site VPN issue on ASA (5510&5505)

Hi All,

I'm currently having a serious issue setting up a simple Site to Site VPN.

I have used this as  guide: http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5500/quick/guide/sitvpn_b.html

I have the following setup:

A
10.10.10.0  are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.20.20.0

B
10.20.20.0  are PERMITTED to use this IPSec tunnel to communicate with the remote-site 10.10.10.0

Site B can ping A, but A can't ping B.

Any ideas what I'm doing wrong? I have other VPNs running with no issue, but this one is just not working...

The "Exempt ASA side host network from address translation" check box is ticked on both sides...

The VPN was created with the ASDM Site to Site VPN wizard.

Help!

12 REPLIES
Super Bronze

Re: Site to Site VPN issue on ASA (5510&5505)

A few things to check: whether you have any access-list that might be blocking ICMP, and whether ICMP inspection has been configured on both ASAs.

Lastly, check if host B has any personal firewall that might be blocking incoming pings.

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

It's not really about the pings; I can't access anything on the A side, not even the router...

Cisco Employee

Re: Site to Site VPN issue on ASA (5510&5505)

Hi Ruben,

Can you paste your config here ?

Thanks,

Namit

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

Just an update, I have just realised I can browse to the servers from B to A!

So right now I cannot remote onto the servers or ping them... anything related to RDP/SSL maybe?

I can remote and ping from A to B, but for some odd reason can't ping or access my ESXi server through the vSphere client; I'm assuming somewhere along the line SSL is being blocked?

Is there any command that I can execute that will get the relevant information? I have just tried sanitizing the sh run, and it will just mix things up, as there is so much information that I would have to remove.

Super Bronze

Re: Site to Site VPN issue on ASA (5510&5505)

Where is the traffic actually failing, ie: at which point?

Without looking at the config, it's difficult to tell where exactly the problem is.

It could be access-list, or inspection.

What does the output of "show cry ipsec sa" show on both sides?

Try packet-tracer on the ASA; it will tell you where it might fail if it's the ASA. If not, then it could be other things within the network. Are the server subnets directly connected to the ASA?

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

Please see below:

                              ASA 5505             ASA5510

10.253.254.0/24  -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24

One side:

Result of the command: "show crypto IPsec sa"

interface: outside
    Crypto map tag: outside_dyn_map, seq num: 20, local addr: 38.101.x.x

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.10/255.255.255.255/0/0)
      current_peer: xx, username: xx
      dynamic allocated peer ip: 10.253.254.10

      #pkts encaps: 22768, #pkts encrypt: 22768, #pkts digest: 22768
      #pkts decaps: 21470, #pkts decrypt: 21470, #pkts verify: 21470
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 22768, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 38.101.x.x, remote crypto endpt.: 80.227.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 8D808986

    inbound esp sas:
      spi: 0xBF34948C (3207894156)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 878, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28245
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x8D808986 (2374011270)
         transform: esp-3des esp-sha-hmac none
         in use settings ={RA, Tunnel, }
         slot: 0, conn_id: 878, crypto-map: outside_dyn_map
         sa timing: remaining key lifetime (sec): 28245
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 1, local addr: 38.101.x.x

      access-list outside_1_cryptomap permit ip 10.253.254.0 255.255.255.0 10.252.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      current_peer: 91.75.x.x

      #pkts encaps: 6751, #pkts encrypt: 6751, #pkts digest: 6751
      #pkts decaps: 6719, #pkts decrypt: 6719, #pkts verify: 6719
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6751, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 38.101.x.x, remote crypto endpt.: 91.75.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 574368C8

    inbound esp sas:
      spi: 0x24B29DEA (615685610)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 880, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824559/22591)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x574368C8 (1464035528)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 880, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (3824556/22591)
         IV size: 8 bytes
         replay detection support: Y

Other Side:

Result of the command: "show crypto IPsec sa"

interface: Outside
    Crypto map tag: Outside_map, seq num: 80, local addr: 91.75.x.x

      access-list Outside_cryptomap_80 permit ip 10.252.254.0 255.255.255.0 10.253.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      current_peer: 38.101.x.x

      #pkts encaps: 6814, #pkts encrypt: 6814, #pkts digest: 6814
      #pkts decaps: 6840, #pkts decrypt: 6840, #pkts verify: 6840
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6814, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 38.101.x.x

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 24B29DEA

    inbound esp sas:
      spi: 0x574368C8 (1464035528)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274551/22497)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x24B29DEA (615685610)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 32, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (4274554/22497)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: Outside_dyn_map, seq num: 20, local addr: 91.75.35.140

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.252.254.101/255.255.255.255/0/0)
      current_peer: 109.70.x.x, username: x.x
      dynamic allocated peer ip: 10.252.254.101

      #pkts encaps: 9843, #pkts encrypt: 9843, #pkts digest: 9843
      #pkts decaps: 15702, #pkts decrypt: 15702, #pkts verify: 15702
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9843, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x/4500, remote crypto endpt.: 109.70.x.x/4261
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: F7DD7D3C

    inbound esp sas:
      spi: 0x365FE11A (912253210)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8302
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0xF7DD7D3C (4158487868)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 30, crypto-map: Outside_dyn_map
         sa timing: remaining key lifetime (sec): 8302
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 60, local addr: 91.75.35.140

      access-list Outside_cryptomap_60 permit ip 10.252.254.0 255.255.255.0 10.251.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.251.254.0/255.255.255.0/0/0)
      current_peer: 202.63.x.x

      #pkts encaps: 45386, #pkts encrypt: 45386, #pkts digest: 45386
      #pkts decaps: 40752, #pkts decrypt: 40752, #pkts verify: 40752
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 45386, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75x.x, remote crypto endpt.: 202.63.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 4D2D3910

    inbound esp sas:
      spi: 0x35E0B702 (903919362)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3819169/6856)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x4D2D3910 (1294809360)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 31, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3805674/6856)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.35.140

      access-list Outside_cryptomap_20_2 permit ip 192.168.0.0 255.255.255.0 10.254.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      current_peer: 216.107.x.x

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 510, #pkts decrypt: 510, #pkts verify: 510
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 0A800416

    inbound esp sas:
      spi: 0x8389203F (2206801983)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824993/4605)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x0A800416 (176161814)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3825000/4605)
         IV size: 16 bytes
         replay detection support: Y

    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.x.x

      access-list Outside_cryptomap_20_2 permit ip 10.252.254.0 255.255.255.0 10.254.254.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      current_peer: 216.107.x.x

      #pkts encaps: 340798, #pkts encrypt: 340798, #pkts digest: 340798
      #pkts decaps: 404622, #pkts decrypt: 404622, #pkts verify: 404622
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 340798, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 91.75.x.x, remote crypto endpt.: 216.107.x.x

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 58AF6FDC

    inbound esp sas:
      spi: 0x0E076F75 (235368309)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824672/28177)
         IV size: 16 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x58AF6FDC (1487892444)
         transform: esp-aes-256 esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 26, crypto-map: Outside_map
         sa timing: remaining key lifetime (kB/sec): (3824835/28177)
         IV size: 16 bytes
         replay detection support: Y

Super Bronze

Re: Site to Site VPN issue on ASA (5510&5505)

Doesn't appear to be a VPN problem, at least from the output provided.

Have you tested packet-tracer? What is the result? Where does it say it's failing?
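To read "show crypto ipsec sa" output like the above methodically rather than by eye, here is an added example (not from the original thread or from Cisco) that parses the crypto-map entries and flags the counters a responder checks first: send/recv errors and an encaps/decaps imbalance, which is the one-way-traffic symptom discussed in this thread. The sample text is constructed from the format shown in the post, with peer addresses sanitized the same way the poster did.

```python
import re
# Constructed sample modelled on the thread's "show crypto ipsec sa" output
# (peer addresses sanitized the same way as in the original post).
SAMPLE = """\
    Crypto map tag: Outside_map, seq num: 80, local addr: 91.75.x.x
      local ident (addr/mask/prot/port): (10.252.254.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.253.254.0/255.255.255.0/0/0)
      #pkts encaps: 6814, #pkts encrypt: 6814, #pkts digest: 6814
      #pkts decaps: 6840, #pkts decrypt: 6840, #pkts verify: 6840
      #send errors: 0, #recv errors: 0
    Crypto map tag: Outside_map, seq num: 20, local addr: 91.75.x.x
      local ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.254.254.0/255.255.255.0/0/0)
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 510, #pkts decrypt: 510, #pkts verify: 510
      #send errors: 0, #recv errors: 3
"""

ENTRY_RE = re.compile(r"Crypto map tag: (\S+), seq num: (\d+)")
IDENT_RE = re.compile(r"(local|remote) ident .*?: \(([^/]+/[^/]+)/")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors): (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per crypto-map entry: traffic selectors plus counters."""
    entries = []
    for line in text.splitlines():
        if m := ENTRY_RE.search(line):
            entries.append({"map": m[1], "seq": int(m[2])})
        elif not entries:
            continue  # header lines before the first entry
        elif m := IDENT_RE.search(line):
            entries[-1][m[1]] = m[2]
        else:
            for m in COUNTER_RE.finditer(line):
                entries[-1][m[1]] = int(m[2])
    return entries


def triage(entries, ratio=0.5):
    """Flag SAs with errors or with encaps/decaps badly out of balance: a healthy
    two-way flow (seq 80) has similar counters; encaps 0 with decaps > 0 (seq 20)
    is the one-way-tunnel symptom to chase before touching crypto settings."""
    findings = []
    for e in entries:
        tag = f"{e['map']} seq {e['seq']} {e.get('local')} <-> {e.get('remote')}"
        if e.get("send errors", 0) or e.get("recv errors", 0):
            findings.append(f"{tag}: send/recv errors present")
        enc, dec = e.get("pkts encaps", 0), e.get("pkts decaps", 0)
        if max(enc, dec) and min(enc, dec) < max(enc, dec) * ratio:
            findings.append(f"{tag}: one-way traffic (encaps {enc}, decaps {dec})")
    return findings
```

Run it against the output of both peers and compare the same selector pair: matching encaps on one side with decaps on the other confirms the tunnel itself, and points the search at routing, ACLs or inspection instead.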

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

       Site A              ASA 5505             ASA5510        Site B

10.253.254.0/24  -- 38.101.x.x << -->> 91.75.x.x -- 10.252.254.0/24

All seems OK with the tunnel. My current problems are:

  • Site A cannot ping/tracert or RDP to anything on Site B, but can browse to the servers
  • Site B can ping and access all IPs on Site A except one specific IP, which belongs to my ESX server

Any idea on the above?

These are my security policies for Site A:

and for Site B:

Super Bronze

Re: Site to Site VPN issue on ASA (5510&5505)

  • Site A cannot ping/tracert or RDP to anything on Site B, but can browse to the servers

In regards to ping, have you enabled ICMP inspection on the ASA?

With RDP, can you telnet on port 3389? Is the server allowing RDP?

  • Site B can ping and access all IPs on Site A except one specific IP, which belongs to my ESX server

Sounds like an ESX server issue to me.

So far, all the issues sound more like networking issues than anything related to the VPN tunnel or firewall policy, as you have allowed everything to go through between the 2 subnets. I would suggest that you investigate hop by hop and see where it is failing.

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

  • I can't telnet or tracert to anything on the other LAN (Site B)... Any idea how I can enable ICMP on the ASA through the ASDM?

  • There is nothing wrong with the ESXi server; I can ping it and connect to it with no problem at all if I'm connected to the LAN through the VPN or from the servers.

Super Bronze

Re: Site to Site VPN issue on ASA (5510&5505)

Go to Configuration --> Firewall --> Service Policy Rules --> right-click on "inspection_default" --> Edit... --> Rule Actions --> enable both ICMP and ICMP Error --> OK --> Apply

New Member

Re: Site to Site VPN issue on ASA (5510&5505)

Seems a little different on the 5505:

There is no default... do I create a global SCR?
