Cisco ASA 5520 one-way site-to-site VPN traffic

May 16, 2008 08:41pm pdt

1. batry_boy 519,476
2. lrmoore 151,610
3. mkielar 83,900
4. MrHusy 79,695
5. Cyclops3590 61,700
6. Voltz-dk 43,445
7. grblades 39,900
8. PeteLong 32,900
9. from_exp 27,120
10. stuknhawaii 25,425
11. rsivanandan 23,680
12. 2PiFL 20,300
13. clearacid 18,875
14. RPPreacher 17,646
15. keith_al... 17,375

1. lrmoore 2,098,891
2. batry_boy 887,600
3. grblades 342,785
4. rsivanandan 326,309
5. calvinetter 254,590
6. nodisco 250,337
7. PeteLong 219,741
8. MrHusy 201,396
9. Cyclops3590 178,606
10. Voltz-dk 151,384
11. tim_holman 120,177
12. carribea... 108,132
13. keith_al... 101,419
14. mkielar 83,900
15. harbor235 80,710

05.09.2008 at 03:41PM PDT, ID: 23391010 | Points: 500

	[x] Attachment Details

Cisco ASA 5520 one-way site-to-site VPN traffic

Zones: Cisco PIX Firewall, Virtual Private Networking (VPN), IPSec Security Protocol

Hello,
After a few recent changes on the firewall, one of our Site-to-Site VPN connections is experiencing one-way traffic. The VPN connection actually connects two IP addresses on our side with a subnet on the other. Because of the two IP Addresses on our side, two IPSec tunnels are setup. One experiences full two-way traffic. The other only receives traffic. All traffic from our network destined for the second tunnel is dropped. I have done a sniff on the traffic and can see it coming in on our DMZ interface. I even setup the exact scenario for the packet tracer and it showed everything coming out ok.
I feel it important to mention that the firewall does see the VPN connection as up and running and there is no problem with the first IPSec tunnel. The problem is that the firewall is dropping packets that should go out on the second tunnel.

Result of the command: "sh crypto ipsec sa detail"

interface: Outside
Crypto map tag: Outside_map, seq num: 6, local addr: 100.2.84.146

access-list Outside_cryptomap_6 permit ip host 100.2.83.42 172.31.67.0 255.255.255.192
local ident (addr/mask/prot/port): (100.2.83.42/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.31.67.0/255.255.255.192/0/0)
current_peer: 200.115.231.131

#pkts encaps: 620, #pkts encrypt: 620, #pkts digest: 620
#pkts decaps: 343, #pkts decrypt: 343, #pkts verify: 343
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 620, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 100.2.84.146, remote crypto endpt.: 200.115.231.131

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 53057DFB

inbound esp sas:
spi: 0x002FA852 (3123282)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2461696, crypto-map: Outside_map
sa timing: remaining key lifetime (sec): 24919
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x53057DFB (1392868859)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2461696, crypto-map: Outside_map
sa timing: remaining key lifetime (sec): 24919
IV size: 8 bytes
replay detection support: Y

Crypto map tag: Outside_map, seq num: 6, local addr: 100.2.84.146

access-list Outside_cryptomap_6 permit ip host 100.2.83.43 172.31.67.0 255.255.255.192
local ident (addr/mask/prot/port): (100.2.83.43/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.31.67.0/255.255.255.192/0/0)
current_peer: 200.115.231.131

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 506, #pkts decrypt: 506, #pkts verify: 506
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0

local crypto endpt.: 100.2.84.146, remote crypto endpt.: 200.115.231.131

path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 72EF738F

inbound esp sas:
spi: 0x9AD26245 (2597478981)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2461696, crypto-map: Outside_map
sa timing: remaining key lifetime (sec): 26285
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x72EF738F (1928295311)
transform: esp-3des esp-md5-hmac none
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 2461696, crypto-map: Outside_map
sa timing: remaining key lifetime (sec): 26285
IV size: 8 bytes
replay detection support: Y

Result of the command: "sh crypto isakmp sa"

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 201.116.232.132
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE

Thanks for your help,
Danny

Start your free trial to view this solution

Question Stats

Zone: Security

Question Asked By: dbeutler

Question Asked On: 05.09.2008

Participating Experts: 2

Points: 500

Translate:

Loading Advertisement...

Microsoft

Internet Protocols
Applications

Development
OS

Hardware
Windows Security

Apple

Operating Systems
Hardware

Programming
Networking

Software

Internet

Search Engines
File Sharing
WebTrends / Stats
Spy / Ad Blockers

Web Browsers
New Net Users
Web Development
Chat / IM

Anti Spam
Web Servers
Anti-Virus
Email Clients

Gamers

Tips
Online / MMORPG
Puzzle
Emulators

Action / Adventure
Role Playing
Consoles
Game Programming

Strategy
Sports
Misc
Computer Games

Digital Living

Hardware
New Net Users
New Users

Software
Digital Music
Gaming World

Home Security
Apple
Networking Hardware

Virus & Spyware

Vulnerabilities
IDS
Encryption
Anti-Virus

Operating Systems Security
Software Firewalls
WebApplications
Cell Phones

Operating Systems
Internet
Hardware Firewalls

Hardware

Handhelds / PDAs
Displays / Monitors
Components
Networking Hardware

Peripherals
Laptops/Notebooks
Storage
Servers

Desktops
New Users
Misc
Apple

Software

System Utilities
Industry Specific
Network Management
Photos / Graphics
Page Layout
VMWare
Misc
Web Development

OS
CYGWIN
Voice Recognition
Message Queue
Quality Assurance
Security
Firewalls
MultiMedia Applications

Development
Database
Office / Productivity
Business Management
OS/2 Apps
Server Software
Internet / Email

ITPro

OS
Storage
Encryption
Operating Systems Security
Apple Hardware
Laptops & Notebooks
Servers
Networking Hardware
Peripherals

Devices
Displays / Monitors
WebTrends / Stats
Search Engines
Firewalls
WebApplications
IDS
Vulnerabilities
Email Clients

File Sharing
Spy / Ad Blockers
Web Browsers
Web Servers
Networking
Anti-Virus
Chat / IM
Anti Spam

Developer

Web Servers
Web Browsers
Game Programming
Dev Tools
Industry Specific
Office / Productivity

Database
CYGWIN
Web Development
Search Engines
File Sharing
WebTrends / Stats

Programming
Content Management
Application Servers
Protocols

Storage

Removable Backup Media
Storage Technology
Servers

Grid
Remote Access
Backup / Restore

Misc
Hard Drives

Miscellaneous
Security
Development
Linux
VMWare

MainFrame OS
Unix
Apple
OS / 2
AS / 400

BeOS
Microsoft
VMS / OpenVMS

Database

Oracle
Miscellaneous
MySQL
Software
Sybase
Contact Management
PostgreSQL
Data Manipulation
Clarion
InterSystems Cache

Siebel
MUMPS
OLAP
SQLBase
SAS
GIS & GPS
4GL
Berkeley DB
DB2
Informix

Interbase / Firebird
FoxPro
Reporting
LDAP
Filemaker Pro
MS SQL Server
dBase
MS Access

Security

Misc
Web Browsers
Software Firewalls
Operating Systems Security
File Sharing

Spy / Ad Blockers
Vulnerabilities
WebApplications
IDS
Anti-Virus

Encryption
Anti Spam
Email Clients
VPN
Chat / IM

Programming

Editors IDEs
Installation
Handhelds / PDAs
Multimedia Programming
System / Kernel

Algorithms
Game
Signal Processing
Project Management
Open Source

Database
Misc
Languages
Processor Platforms
Theory

Web Development

Scripting
Blogs
Web Servers
Software
Search Engines
Web Graphics
Images

Internet Marketing
Images and Photos
Components
Document Imaging
Web Languages/Standards
Illustration
WebApplications

Fonts
WebTrends / Stats
Authoring
Digital Camera Software
Miscellaneous

Networking

Protocols
Apple Networking
Network Management
Message Queue
Application Servers
Content Management
File Servers
Email Servers
Misc
Java Editors & IDEs

Wireless
Networking Hardware
Backup / Restore
System Utilities
ISPs & Hosting
Web Servers
Storage Technology
Removable Backup Media
Servers
Broadband

Grid
OS / 2
Novell Netware
Unix Networking
Windows Networking
Security
Telecommunications
Operating Systems
Linux Networking

Other

Community Advisor
Lounge
Community Support
New Net Users

Philosophy / Religion
Math / Science
Miscellaneous
URLs

Expert Lounge
Politics
Puzzles / Riddles

Community Support

Suggestions
New to EE
New Topics
Community Advisor

CleanUp
Announcements
General

Feedback
Input
EE Bugs

05.09.2008 at 04:08PM PDT, ID: 21536951

Rank: Sage

batry_boy:

Please post the sanitized config and I'll have a look...

05.09.2008 at 04:27PM PDT, ID: 21537046

dbeutler:

Here you go

cleanconfig.txt (12 KB) (File Type Details)

ASA Config

05.09.2008 at 05:21PM PDT, ID: 21537318

Rank: Sage

batry_boy:

You obfuscated the crypto map entries such that I don't know which one is associated with the peer 200.115.231.131 from your "sh cryp ip sa" output above. Which crypto map sequence number goes with the affected tunnel?

05.09.2008 at 05:25PM PDT, ID: 21537328

dbeutler:

05.09.2008 at 05:35PM PDT, ID: 21537346

Rank: Sage

batry_boy:

Why does your output show 200.115.231.131 as the remote peer, but the config shows 200.115.231.132 for seq #6?

05.09.2008 at 05:50PM PDT, ID: 21537390

dbeutler:

Oh, Sorry. Too much obfuscation. They are the same in the real config.

05.09.2008 at 06:14PM PDT, ID: 21537466

FaithShield:

Can you verify that traffic is actually hitting the DMZ interface on the ASA, by doing a capture?

One way traffic like this is usually one of two things, Nat issues or Routing issues. I looked at your nat, and it appears to be configured correctly, so that would leave routing issues, before it gets to the ASA.

05.09.2008 at 06:18PM PDT, ID: 21537474

dbeutler:

Because I have obfuscated the IP's for security reasons, I would like to email you the sniff's offline because they contain the real IP addresses. What is your email address?

05.09.2008 at 06:21PM PDT, ID: 21537480

Rank: Sage

batry_boy:

Assuming you were addressing me and not FaithShield, my e-mail is on my profile page.

Try mirroring your NAT exemption ACL with your crypto ACL:

access-list dmz-nonat extended permit ip object-group DM_INLINE_NETWORK_1 object-group mansina
no access-list dmz-nonat extended permit ip 100.2.83.0 255.255.255.0 any

Also, a couple of questions:

1. Is there a reason you disabled NAT-T on that tunnel?
2. Why do you have two transform sets applied to that crypto map that are defined identically? (ESP-3DES-MD5 and Verizon_IPSEC)

05.09.2008 at 06:36PM PDT, ID: 21537506

dbeutler:

The NAT exemption list is for all the other servers in the DMZ as well. If that were removed we would lose connectivity for all our other servers not going through the VPN tunnel.

1) The reason I disabled NAT-T is because it doesn't work with the far end VPN endpoint.
2) I honestly don't know.

05.09.2008 at 06:56PM PDT, ID: 21537539

FaithShield:

I don't need to see the Sniff's I'll take your word for it if you say that the traffic is hitting the interface.

05.09.2008 at 06:57PM PDT, ID: 21537540

dbeutler:

It is.

05.09.2008 at 07:05PM PDT, ID: 21537563

Rank: Sage

batry_boy:

OK, I see that now.

What type of VPN endpoint is this tunnel connecting to? Is it an Adtran Netvanta, by any chance?

I looked at the captures and saw how there was no traffic showing up on the outside interface capture, but I noticed that not only did the .43 traffic not show up, neither did the .42 traffic so this wasn't a good indication of what is happening. How did you construct the ACL you used for the DMZ interface capture? Did you do something like this?

access-list vpntraffic permit ip 172.31.67.0 255.255.255.192 host 100.2.83.43
access-list vpntraffic permit ip host 100.2.83.43 172.31.67.0 255.255.255.192
capture vpncap access-list vpntraffic interface DMZ

Then try to ping 100.2.83.43 from a remote host on the 172.31.67.0/26 subnet and see what the capture output looks like.

05.09.2008 at 07:29PM PDT, ID: 21537613

dbeutler:

The .42 traffic was showing up. It was just encapsulated in esp and had the other vpn endpoint as the destination IP.

05.14.2008 at 08:43AM PDT, ID: 21565411

dbeutler:

After talking with Cisco Support for over 4 hours, the bug was forwarded to their development team as a possible bug. Unfortunately, we did not have the luxury of taking the time to troubleshoot the issue with them. In the middle of the night, I was able to reset the Firewall and everything worked as intended.
(Moderator, please close the Question)

20080236-EE-VQP-29 / EE_QW_2_20070628