DROP in flow of the IPSec tunnel
Hello
I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.
This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2
Vpn connects, but there is no packets sent or received...
I get this packet tracer...
Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
Direct flow from returns search rule:
ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
input_ifc = teeessyou, output_ifc = any
Phase: 2
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.195.1/80 to 192.168.195.1/80
Phase: 3
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group teeessyou_access_in in the teeessyou interface
teeessyou_access_in of access allowed any ip an extended list
Additional information:
Direct flow from returns search rule:
ID = 0xae24d310, priority = 13, area = allowed, deny = false
hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = any
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
Direct flow from returns search rule:
ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = external
Phase: 5
Type: NAT
Subtype: volatile
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = any
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = any
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Direct flow from returns search rule:
ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = none, output_ifc = external
Phase: 8
Type: NAT
Subtype: rpf check
Result: ALLOW
Config:
NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
Additional information:
Direct flow from returns search rule:
ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = teeessyou, output_ifc = external
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DECLINE
Config:
Additional information:
Reverse flow from returns search rule:
ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = out, output_ifc = any
Hello Spencerallsop,
I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:
1. remove the NAT statement:
-no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
2 fix the NAT statement with the keyword "No.-proxy-arp" :
-nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp
3 disable the VPN ISA SA:
-claire crypto ikev1 his
4. run the packet tracer to check that the L2L has developed, To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation. In fact, this bug affects 9.1.7 (may affect your environment): - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710 Please don't forget to rate and score as of this post, keep me posted! Kind regards David Castro,
Tags: Cisco Security
Similar Questions
-
Create the Ipsec tunnel using digital certificates
Hello
I try to open the IPSEC tunnel between 2 3800 of Cisco routers using additional 3800 router as a CA server.
Before that I added the CA server all go smoothly.
Attached is my configuration, attached debug commands from the configuration of server and router CA
It seems that the routers does not receive the certificate of the CA (R3) router because I see the certificate is awaiting status:
#
R3 #.
R3 #show cryptographic pki certificate cisco talkative
CA
Status: available
Version: 3
Certificate serial number (hex): 01
Use of certificates: Signature
Issuer:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Object:
CN = cisco1. Cisco.com L\ = RTP it\ = US
Validity date:
start date: 10:12:13 UTC Sep 8 2013
end date: 10:12:13 UTC Sep 7 2016
Subject key information:
Public key algorithm: rsaEncryption
RSA Public Key: (512 bits)
Signature algorithm: MD5 with RSA encryption
Fingerprint MD5: FAB9FFF7 87B580F3 7A65627E 56A378C9
Fingerprint SHA1: F26CD817 91F8129D A9E46671 07E26F1E 55422DCD
X509v3 extensions:
X509v3 Key use: 86000000
Digital signature
Key Cert sign
Signature of the CRL
X509v3 subject Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
X509v3 Basic Constraints:
CA: TRUE
X509v3 Authority Key ID: 56F091F7 7016A63F B 89, 46900 B13E6719 8B0D548E
Access to information the authority:
Related Trustpoints: cisco
Storage: nvram:cisco1ciscoc #4CA.cerR3 #.
Appreciate your support and I will send additional if necessary evidence
TX
Roee
I didn't look at your configuration, but accroding to your description, it seems that you have not approved the certificate requests pending on your router CA. Here are the commands that you need:
To view the pending requests:
information cryptographic pki server router 'CA '.
To grant requests pending:
Info Server 'CA' router cryptographic pki grant all
-
Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?
Your explanation is much appreciated.
Hi Deepak,
In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.
-
Help: Adding to the IPsec Tunnel encryption field Questions
Good evening everyone,
I'm looking for help and/or advise in what concerns adding more networking in the field of encryption of an existing IPsec site-to-site tunnel. Both sides of the tunnel are of ASA. The client on the remote end is eager to access the networks more on my end. They have already updated their ACL crypto map to include the new networks. When they perform "show crypto IPsec his counterpart x.x.x.x" it shows already encap packets attempting to join my network.
On my side, I updated my ACL crypto map to reference the new 2 networks, created the double NAT and added the ACL needed to allow the inbound access through ports they want. When I perform a 'see the crypto IPsec his counterpart x.x.x.x' output is NOT up-to-date with the new networks added to the field of encryption. When I run a tracer of package of supply of one of the servers in the new network, the traffic is translated as he should, but a fall when it hits the outgoing interface for the VPN tunnel.
Am I missing something here? Can I bounce the tunnel so that the new networks must be recognized in the surveillance society?
Thanks in advance.
Hello
You must bounce the tunnel when you change the interesting traffic, otherwise the new SA will not be created, is a little funny that you say that SA is already build on the remote side, SA cannot be established only on one side, is like building a new tunnel, if you don't have it on one side, it can not simply prevail and create the entry of SA. In addition, adding new networks and bounce the tunnel you need to generate traffic to trigger the ITS new or you will never see that it created. Check your no nats and routing and it should work.
Best regards, please rate.
-
Outgoing PAT to the IPSec Tunnel
Hello
Situation is with range of IP private tunnel of 3rd party who already uses the same private beach, but not with any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secure.
We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the PIX Office (6.3 (5)) to make all traffic office appear to be a single private address different.
We tried to do with PDM, but it insists on having no NAT (with an exclusionary rule), or static NAT, but does not seem to allow Pat.
I have attached a copy sanitized the office configuration. Any standard room in PIX have been removed for brevity
I would like constructive guidance on where I'm wrong.
See you soon
Hello
The PIX / ASA will make the NAT translation on the steps below. First, it will check if no no (order No. - nat) nat is configured, then it will check the static nat translation and finally, it will check the translation PAT.
In your configuration, there is a NAT (0) command indicating not to translate any IP of 192.168.0.0 to the remote ip address range, then the PIX won't do the translation and the package is passed to the destination.
Remove the NAT (0) command and edit list access outside_cryptomap_10 with the ip dried up to the remote ip address for this access list is responsible for interesting traffic that needs to be encrypted.
pls control and dream of return.
-
I can weight of the IPSec Tunnels between ASAs
Hello
Remote site: link internet NYC 150 MB/s
Local site: link internet Baltimore 400 MB/s
Backup site: link internet Washington 200 Mb/s
My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches. Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down. We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit. We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.
Interesting traffic would be the same for the two tunnels
I know that ASA cannot be a GRE endpoint. How can I force the New York traffic through the tunnel in Baltimore as long as it works? An IPSec tunnel can be weighted?
Thank you
It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.
For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.
-
How to determine the cause of the ipsec tunnel fall on ASA 5510
Is there an easy way to determine the cause of tunnel VPN ipsec l2l fall on one asa 5510? I have enabled logging, but the buffer is full so fast, I can't find something when it is 24 hours later. I'm working on obtaining a server/aggregator syslog configuration but... until it is complete I need a temporary measure. Suggestions?
Hi Jessica.
For the buffering limit, you can try:
Increase the maximum buffer size.
limit the newspapers to the class of vpn:
Buffered Debug class vpn connection.
On the other hand, you can try him debugs:
Debug crypto peer peer_address condition
debugging cry isa 128
debugging ipsec 128 cry
If you lose the ssh session debugging is disabled. Finally for the vpn tunnels usually it goes down due to:
Idle time-out
the dead peer detection
remove it from the other end.
HTH.
-
NAT in the IPSec tunnel between 2 routers x IOS (877)
Hi all
We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The question is the inbound static NAT translation problems with the tunnel - port 25 is mapped to the address inside the mail server. The existing configuration works very well for incoming mail, but prevents users from access to the direct mail server (using the private IP address) on port 25.
Here is the Config NAT:
nat INET_POOL
netmask 255.255.255.252 IP pool IP nat inside source map route INET_NAT pool INET_POOL overload
IP nat inside source static tcp 10.10.0.8 25
25 expandable IP nat inside source static tcp 10.10.0.8 80
80 extensible IP nat inside source static tcp 10.10.0.8 443
443 extensible IP nat inside source static tcp 10.10.0.7 1433 1433 extensible
IP nat inside source static tcp 10.10.0.7 extensible 3389 3389
allowed INET_NAT 1 route map
corresponds to the IP 101
access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.0.0 0.0.0.255 any
On the SAA, I would setup a NAT exemption, but how do I get the same thing in the IOS?
See you soon,.
Luke
Take a look at this link:
http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html
Concerning
Farrukh
-
force the IPSec tunnel to stay in place even if no traffic
Hello
We had exactly the same problem, as already described here;
https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...
We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.
Concerning
Nothing new was built in the SAA to take account of this requirement.
I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.
-
packet loss on the ipsec tunnel
I currently have 2 routers (one at each site). The two are running 12.3 (9th). A router is a 2621 and the other is a 2611XM.
This is the relevant config:
Router
crypto ISAKMP policy 10
BA 3des
preshared authentication
isakmp encryption key * address x.x.x.98 No.-xauth
!
!
Crypto ipsec transform-set farm-jc-ts esp-3des esp-md5-hmac
!
farm-jc 10 ipsec-isakmp crypto map
the value of x.x.x.98 peer
the value of the transform-set farm-jc-ts
address acl_farm-jc-tunnel to match
!
!
interface FastEthernet0/0
DHCP IP address
NAT outside IP
automatic duplex
automatic speed
card crypto farm-jc
!
interface FastEthernet0/1
192.168.4.1 IP address 255.255.255.0
IP nat inside
automatic duplex
automatic speed
!
IP nat Stateful IDs 11
overload of IP nat inside source list acl_nat interface FastEthernet0/0
IP classless
IP route 0.0.0.0 0.0.0.0 FastEthernet0/0
Route IP 10.1.1.0 255.255.255.0 FastEthernet0/0
tunnel-jc-acl_farm extended IP access list
allow icmp 192.168.4.0 0.0.0.255 10.1.0.0 0.0.255.255
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq www
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 443
permit tcp 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255 eq 22
acl_nat extended IP access list
refuse the 192.168.4.0 ip 0.0.0.255 10.1.1.0 0.0.0.255
ip licensing 192.168.4.0 0.0.0.255 any
Router b:
crypto ISAKMP policy 10
BA 3des
preshared authentication
isakmp encryption key * address x.x.x.199 No.-xauth
!
!
Crypto ipsec transform-set BC-farm-ts esp-3des esp-md5-hmac
!
JC-farm-10 ipsec-isakmp crypto map
the value of x.x.x.199 peer
the value of the transform-set BC-farm-ts
address acl_jc-farm-tunnel to match
!
!
!
!
interface FastEthernet0/0
10.1.1.5 IP address 255.255.255.0
IP nat inside
automatic duplex
automatic speed
!
interface FastEthernet0/1
IP address x.x.x.98 255.255.255.224
NAT outside IP
automatic speed
full-duplex
card crypto jc-farm
!
overload of IP nat inside source list acl_nat interface FastEthernet0/1
IP classless
IP route 0.0.0.0 0.0.0.0
IP route 10.1.0.0 255.255.0.0 FastEthernet0/0
IP route 192.168.4.0 255.255.255.0 FastEthernet0/1
!
tunnel-farm-acl_jc extended IP access list
allow icmp 10.1.0.0 0.0.255.255 192.168.4.0 0.0.0.255
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq www
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 443
permit tcp 10.1.1.0 0.0.0.255 192.168.4.0 0.0.0.255 eq 22
acl_nat extended IP access list
refuse the 10.1.1.0 ip 0.0.0.255 192.168.4.0 0.0.0.255
ip licensing 10.1.1.0 0.0.0.255 any
IP 10.1.2.0 allow 0.0.0.255 any
10.1.3.0 IP allow 0.0.0.255 any
IP 10.1.4.0 allow 0.0.0.255 any
IP 10.1.5.0 allow 0.0.0.255 any
I can ping in front of each private LAN to others, but its about 50% packet losses.
out of HS cry is that his watch QM_IDLE on both sides.
Hello
Try the following commands on the interfaces:
no ip route cache
no ip mroute-cache
no ip-cache cef route
no ip route-cache flow
And global:
no ip cef
Please rate if this helped.
Kind regards
Daniel
-
IPSec Tunnel permanent between two ASA
Hello
I configured a VPN IPSec tunnel between two ASA 5505 firewall. I want to assure you as the IPSec tunnel (this is why the security association) is permanent and do not drop due to the idle state.
What should I do?
Thanks for any help
Yves
Disables keepalive IKE processing, which is enabled by default.
(config) #tunnel - 10.165.205.222 group ipsec-attributes
KeepAlive (ipsec-tunnel-config) #isakmp disable
Set a maximum time for VPN connections with the command of vpn-session-timeout in group policy configuration mode or username configuration mode:
attributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - idle - timeout noattributes of hostname (config) #-Group Policy DfltGrpPolicy
hostname (Group Policy-config) #vpn - session - timeout noThank you
Ajay
-
Hi-
We have connected tunnel / VPN configuration between an ASA 5505 - worm = 8.4 (7) and 5512 - worm = 9.2 (3).
We can only ping in a sense - 5505 to the 5512, but not of vice-versa(5512 to 5505).Networks:
Local: 192.168.1.0 (answering machine)
Distance: 192.168.54.0 (initiator)See details below on our config:
SH run card cry
card crypto outside_map 2 match address outside_cryptomap_ibfw
card crypto outside_map 2 pfs set group5
outside_map 2 peer XX crypto card game. XX.XXX.XXX
card crypto outside_map 2 set transform-set ESP-AES-256-SHA ikev1
crypto map outside_map 2 set ikev2 AES256 ipsec-proposaloutside_map interface card crypto outside
Note:
Getting to hit numbers below on rules/ACL...SH-access list. I have 54.0
permit for access list 6 outside_access_out line scope ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 15931) 0x01aecbcc
permit for access list 1 outside_cryptomap_ibfw line extended ip object NETWORK_OBJ_192.168.1.0_24 object NETWORK_OBJ_192.168.54.0_24 (hitcnt = 3) 0xa75f0671
access-list 1 permit line outside_cryptomap_ibfw extended ip 192.168.1.0 255.255.255.0 192.168.54.0 255.255.255.0 (hitcnt = 3) 0xa75f0671SH run | I have access-group
Access-group outside_access_out outside interfaceNOTE:
WE have another working on the 5512 - VPN tunnel we use IKE peer #2 below (in BOLD)...HS cry his ikev1
IKEv1 SAs:
HIS active: 2
Generate a new key SA: 0 (a tunnel report Active 1 and 1 to generate a new key during the generate a new key)
Total SA IKE: 21 peer IKE: XX. XX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVE
2 IKE peers: XXX.XXX.XXX.XXX
Type: L2L role: answering machine
Generate a new key: no State: MM_ACTIVESH run tunnel-group XX. XX.XXX.XXX
tunnel-group XX. XX.XXX.XXX type ipsec-l2l
tunnel-group XX. XX.XXX.XXX General-attributes
Group - default policy - GroupPolicy_XX.XXX.XXX.XXX
tunnel-group XX. XX.XXX.XXX ipsec-attributes
IKEv1 pre-shared-key *.
remote control-IKEv2 pre-shared-key authentication *.SH run | I have political ikev1
ikev1 160 crypto policy
preshared authentication
aes-256 encryption
Group 5
life 86400SH run | I Dynamics
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
NAT source auto after (indoor, outdoor) dynamic one interfaceNOTE:
To from 5512 at 5505-, we can ping a host on the remote network of ASA local# ping inside the 192.168.54.20
Type to abort escape sequence.
Send 5, echoes ICMP 100 bytes to 192.168.54.20, wait time is 2 seconds:
!!!!!
Success rate is 100 per cent (5/5), round-trip min/avg/max = 30/32/40 msDetermination of 192.168.1.79 - local host route to 192.168.54.20 - remote host - derivation tunnel?
The IPSEC tunnel check - seems OK?
SH crypto ipsec his
Interface: outside
Tag crypto map: outside_map, seq num: 2, local addr: XX.XXX.XXX.XXXoutside_cryptomap_ibfw to access ip 192.168.1.0 scope list allow 255.255.255.0 192.168.54.0 255.255.255.0
local ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.54.0/255.255.255.0/0/0)
current_peer: XX. XX.XXX.XXX#pkts program: 4609, #pkts encrypt: 4609, #pkts digest: 4609
#pkts decaps: 3851, #pkts decrypt: 3851, #pkts check: 3851
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 4609, model of #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid errors ICMP rcvd: 0, #Invalid ICMP errors received: 0
#send errors: 0, #recv errors: 0local crypto endpt. : XX.XXX.XXX.XXX/0, remote Start crypto. : XX. XX.XXX.XXX/0
Path mtu 1500, ipsec 74 (44) generals, media, mtu 1500
PMTU time remaining: 0, political of DF: copy / df
Validation of ICMP error: disabled, TFC packets: disabled
current outbound SPI: CDC99C9F
current inbound SPI: 06821CBBSAS of the esp on arrival:
SPI: 0x06821CBB (109190331)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3914789/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0xFFFFFFFF to 0xFFFFFFFF
outgoing esp sas:
SPI: 0xCDC99C9F (3452542111)
transform: aes-256-esp esp-sha-hmac no compression
running parameters = {L2L, Tunnel, group 5 PFS, IKEv1}
slot: 0, id_conn: 339968, crypto-card: outside_map
calendar of his: service life remaining (KB/s) key: (3913553/25743)
Size IV: 16 bytes
support for replay detection: Y
Anti-replay bitmap:
0x00000000 0x00000001--> The local ASA 5512 - where we have questions - tried Packet Tracer... seems we receive requests/responses...
SH cap CAP
34 packets captured
1: 16:41:08.120477 192.168.1.79 > 192.168.54.20: icmp: echo request
2: 16:41:08.278138 192.168.54.20 > 192.168.1.79: icmp: echo request
3: 16:41:08.278427 192.168.1.79 > 192.168.54.20: icmp: echo reply
4: 16:41:09.291992 192.168.54.20 > 192.168.1.79: icmp: echo request
5: 16:41:09.292282 192.168.1.79 > 192.168.54.20: icmp: echo reply--> On the ASA 5505 distance - we can ping through the 5512 to the local host (192.168.1.79)
SH cap A2
42 packets captured
1: 16:56:16.136559 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
2: 16:56:16.168860 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
3: 16:56:17.140434 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
4: 16:56:17.171652 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
5: 16:56:18.154426 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request
6: 16:56:18.186178 802. 1 q vlan P0 192.168.1.79 #1 > 192.168.54.20: icmp: echo reply
7: 16:56:19.168417 802. 1 q vlan P0 192.168.54.20 #1 > 192.168.1.79: icmp: echo request--> Package trace on 5512 does no problem... but we cannot ping from host to host?
entry Packet-trace within the icmp 192.168.1.79 8 0 detailed 192.168.54.20
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map default class
match any
Policy-map global_policy
class class by default
Decrement-ttl connection set
global service-policy global_policy
Additional information:
Direct flow from returns search rule:
ID = 0x7fffa2d0ba90, priority = 7, area = conn-set, deny = false
hits = 4417526, user_data = 0x7fffa2d09040, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = output_ifc = any to inside,Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
Additional information:
Definition of dynamic 192.168.1.79/0 to XX.XXX.XXX.XXX/43904
Direct flow from returns search rule:
ID = 0x7fffa222d130, priority = 6, area = nat, deny = false
hits = 4341877, user_data = 0x7fffa222b970, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
input_ifc = inside, outside = output_ifc...
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 7422689 id, package sent to the next module
Information module for forward flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statInformation for reverse flow...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_statResult:
input interface: inside
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow--> On remote ASA 5505 - Packet track is good and we can ping remote host very well... dunno why he "of Nations United-NAT?
Destination - initiator:
entry Packet-trace within the icmp 192.168.54.20 8 0 detailed 192.168.1.79
...
Phase: 4
Type: UN - NAT
Subtype: static
Result: ALLOW
Config:
NAT (inside, outside) static source NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.54.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 non-proxy-arp-search of route static destination
Additional information:
NAT divert on exit to the outside interface
Untranslate 192.168.1.79/0 to 192.168.1.79/0
...Summary:
We "don't" ping from a host (192,168.1.79) on 5512 - within the network of the 5505 - inside the network host (192.168.54.20).
But we can ping the 5505 - inside the network host (192.168.54.20) 5512 - inside the network host (192.168.1.79).Please let us know what other details we can provide to help solve, thanks for any help in advance.
-SP
Well, I think it is a NAT ordering the issue.
Basically as static and this NAT rule-
NAT interface dynamic obj - 0.0.0.0 source (indoor, outdoor)
are both in article 1 and in this article, it is done on the order of the rules so it does match the dynamic NAT rule rather than static because that seems to be higher in the order.
To check just run a 'sh nat"and this will show you what order everthing is in.
The ASA is working its way through the sections.
You also have this-
NAT source auto after (indoor, outdoor) dynamic one interface
which does the same thing as first statement but is in section 3, it is never used.
If you do one of two things-
(1) configure the static NAT statement is above the dynamic NAT in section 1 that is to say. You can specify the command line
or
(2) remove the dynamic NAT of section 1 and then your ASA will use the entry in section 3.
There is a very good document on this site for NAT and it is recommended to use section 3 for your general purpose NAT dynamic due precisely these questions.
It is interesting on your ASA 5505 you duplicated your instructions of dynamic NAT again but this time with article 2 and the instructions in section 3 that is why your static NAT works because he's put in correspondence before all your dynamic rules.
The only thing I'm not sure of is you remove the dynamic NAT statement in article 1 and rely on the statement in section 3, if she tears the current connections (sorry can't remember).
Then you can simply try to rearrange so your static NAT is above it just to see if it works.
Just in case you want to see the document here is the link-
Jon
-
The GRE Tunnel descends?
So here's my setup:
Internal router (2821) > Cluster internal DMZ ASA > router DMZ (2821) > external DMZ Checkpoint Cluster > Branch Office router (877)
Internal Cluster ASA a configured PAT production internal then all the VLANS.
The router in the DMZ has an interior interface configured on the internal DMZ and an external interface configured on the external DMZ. The DMZ router has two interfaces configured loopback.
The external control point is configured with NAT for the incoming and outgoing traffic.
The branch is a DSL router with a static IP address.
The first requirement is to configure a GRE IPSec tunnel between the DMZ router and the branch office router.
The second condition is to configure a GRE IPSec tunnel between the internal router and the router in the DMZ.
The third requirement is to allow routing between the internal router and the branch through the router in the DMZ, because it is ultimately the connection between the head office and branch of live backup.
I configured a Contract by the IPSec Tunnel between the router in the DMZ and routers of Management Office successfully.
I can also set up a GRE Tunnel (without IPSec) between the internal router and the router in the DMZ.
However, whenever the GRE Tunnel establishes between internal and DMZ routers and a neighbouring forms EIGRP, EIGRP neighborhood between the router in the DMZ and the branch drops! See following the DMZ router log file:
1 = to branch tunnel
Tunnel of 100 = internal
002885:. 3 Mar 22:32:57.013: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, changed State to
002886:. 3 Mar 22:33:06.029: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 172.17.205.61 (Tunnel1) is on the rise: new adjacency
002889:. 3 Mar 22:33:58.434: % LINK-3-UPDOWN: Interface Tunnel100, changed State to
002890.: 3 Mar 22:33:58.438: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel100, changed State to
002891:. 3 Mar 22:34:15.370: % DUAL-5-NBRCHANGE: IPv4 EIGRP 1: neighbor 192.168.5.66 (Tunnel100) is on the rise: new adjacency
002892:. 22:34:30.551 3 Mar: % DUAL-5-NBRCHANGE: 1 IPv4 EIGRP: neighbour 172.17.205.61 (Tunnel1) is falling: expiry of hold time
002893:. 3 Mar 22:34:47.015: % LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel1, state change downstairsThe IPSec tunnel, for the branch remains in place throughout.
Can anyone help!?
The problem was that whenever the GRE Tunnel established between internal and DMZ routers and a forms of EIGRP neighbor branch was learning the next hop to the destination of tunnel from a different device.
This is how the branch was to learn the route to the tunnel destination:
Tunnel1 interface
Tandragee Sub Station router VPN Tunnel description
bandwidth 64
IP 172.17.205.62 255.255.255.252
no ip-cache cef route
delay of 20000
KeepAlive 10 3
source of tunnel Loopback1
tunnel destination 172.17.255.23
be-idz-vpn-01 #sh ip route 172.17.255.23
Routing for 172.17.255.23/32 entry
Through the 'static', the metric distance 1 0 known
Routing descriptor blocks:
* 172.17.252.129
Path metric is 0, number of shares of traffic 1
be-idz-vpn-01 #sh ip route 172.17.252.129
Routing for 172.17.252.128/25 entry
Known via 'connected', distance 0, metric 0 (connected, via the interface)
Routing descriptor blocks:
* directly connected by GigabitEthernet0/1
Path metric is 0, number of shares of traffic 1
be-idz-vpn-01 #.
This is how the next hop as learned GRE Tunnel between internal and DMZ routers
be-idz-vpn-01 #sh ip route 172.17.252.129
Routing for 172.17.252.128/27 entry
By the intermediary of "eigrp 1", the known distance 170, metric 40258816, type external
Redistribution via eigrp 1
Last updated on Tunnel100 192.168.5.66, ago 00:07:25
Routing descriptor blocks:
* 192.168.5.66, 192.168.5.66, there is, through Tunnel100 00:07:25
Path metric is 40258816, 1/number of shares of traffic is
Time total is 10110 microseconds, minimum bandwidth 64 Kbps
Reliability 255/255, MTU minimum 1476 bytes
Loading 1/255, 2 hops
We can see how the next hop to the destination of tunnel 172.17.255.23 changed from known via 'connected' via GigabitEthernet0/1 known via "eigrp 1" through Tunnel100.
This case causes the Tunnel 1 drops.
The reason for this behavior was because the road to reach the next hop was acquired with a longest match through tunnel interface so that he won the race to the routing table.
The solution we applied:
Created a list of distribution on the branch office router in order to remove this specific route Tunnel 100 updates.
Router eigrp 1
distribute-list 1
Network 10.10.10.0 0.0.0.3
network 172.17.203.56 0.0.0.3
network 172.17.203.60 0.0.0.3
network 172.17.205.60 0.0.0.3
network 172.19.98.18 0.0.0.0
network 192.168.5.64 0.0.0.3
passive-interface Loopback1
be-idz-vpn-01 #sh access-list 1
IP access list standard 1
10 deny 172.17.252.128, wildcard bits 0.0.0.127 (1 match)
20 permit (1230 matches)
be-idz-vpn-01 #.
Once this has been applied, we could have the GRE Tunnel established between internal and DMZ routers with the tunneld ACCORD between the branch and the router in the DMZ.
-
How to troubleshoot an IPSec tunnel GRE?
Hello
My topology includes two firewalls connected through the Internet "" (router) and behind each firewall, there is a router.
The routers I configured a GRE tunnel that is successful, then I configured an IPsec tunnel on the firewall.
I does not change the mode to transport mode in the transform-set configuration.
Everything works; If I connect a PC to the router, it can ping another PC on the other router. However if I change mode of transport mode that they cannot.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
Thank you.
I was wondering how can I ensure that the IPSec tunnel WILL really works? How can I fix it or package tracking?
To verify that the VPN tunnel works well, check the output of
ISAKMP crypto to show his
Crypto ipsec to show hisHere are the commands of debug
Debug condition crypto x.x.x.x, where x.x.x.x IP = peer peer
Debug crypto isakmp 200
Debug crypto ipsec 200You will see ACTIVE int the first output and program non-zero and decaps on the output of the latter.
For the GRE tunnel.
check the condition of the tunnel via "int ip see the brief.In addition, you can configure keepalive via the command:
Router # configure terminal
Router (config) #interface tunnel0
Router(Config-if) 5 4 #keepaliveand then run "debug keepalive tunnel" to see packets hello tunnel going and coming from the router.
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Hello
I have set up an ipsec tunnel between rv180 (site A) and asa5520 (site B) successful. The dhcp server to clients is on the B site. The dhcp clients request going through the tunnel, they leave the rv180 on the wan interface and arrive at site B with the wan-ipaddress from site A. The configured dhcp-relay on the website match the remote network (site B), configured in the on site A ipsec tunnel. Is there anyway that all traffic pass through the ipsec tunnel? We want it for security reasons.
Any help is greatly appreciated.
Ralf
Dear Ralf,
Thank you to reach small business support community.
Unfortunately the relay DHCP Relay not of DHCP request to the IPSec VPN tunnel. I hope that this answer to your question and do not hesitate to contact me if there is any additional help with what I can help you.
Kind regards
Jeffrey Rodriguez S... : | :. : | :.
Support Engineer Cisco client* Please rate the Post so other will know when an answer has been found.
Maybe you are looking for
-
iTunes download 12.4 does not
Hello... I just discovered the new version 12.4 of iTunes, but I can not download. He used to work before... When I click on the [Download] button as usual, I'm get transferred to another "Thank you" page and... nothing else! I tried to restart the b
-
Equium L40-156 - problem with the battery or the charger?
Hi all, I'm new here and have a question about my laptop. My laptop does not turn on when I play and hold the thread at the back of the laptop where it charges and I have to hold it in place while the laptop charge upwards and once I connected, is th
-
Heating of M6 - 1214tx HP Envy on the left side of the touchpad
I recently bought a laptop HP Envy M6-1214TX a day ago and who has known the laptop heats up on the left side of the touch pad. I tried updating the BIOS and first of all, it was good and then the same question. I don't think a new laptop need for cl
-
Vista and all applications of Toshiba on the recovery disk?
Hello everyone I have problem with recovery disk on my laptop.When I had formatted my HDD I lost my recovery and I can't return it.That is why I need order of Toshiba backup recovery, but I have a question about it. Could you please give me some info
-
Windows Update 80070490 error code
I was not able to install my updates of windows for 4 months. The error code is 80070490. Any advice?