ITTechnology
Cisco VPN Client Not Passing Traffic
I have a problem with a Cisco VPN client that cannot pass traffic. The client can log in and initiate the conversation fine, but the VPN client is not receiving any packets back.
When I do a "packet-tracer input inside icmp {vpnclient ip address} 8 0 {valid server ip}"
I get the following:
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in DCA-DR 255.255.255.128 inside
Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
But for the life of me I can't find anything in the configuration that would cause the packet to get dropped.
Here are the relevant parts of the current config:
name 192.168.155.0 DCA-LAN
name 192.168.156.0 DCA-DR
name 192.168.157.128 DCA-VPN
object-group network DCA-LAN
network-object DCA-LAN 255.255.255.0
object-group network DCA-DR-LAN
network-object DCA-DR 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip object-group DCA-LAN object-group DCA-DR-LAN
access-list outside_access_in extended permit ip DCA-VPN 255.255.255.192 object-group DCA-DR-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN object-group DCA-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
access-list DCA-CVPN_splitTunnelAcl extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
access-list outside_cryptomap_dyn_10 extended permit ip any DCA-VPN 255.255.255.192
access-list DR-VPN extended permit ip object-group DCA-DR-LAN object-group DCA-LAN
ip local pool DCA-VPN-POOL 192.168.157.129-192.168.157.190 mask 255.255.255.192
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
group-policy DCA-CVPN internal
group-policy DCA-CVPN attributes
wins-server value x.x.x.x
dns-server value x.x.x.x
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DCA-CVPN_splitTunnelAcl
default-domain value domain.name
username support password randomstring encrypted
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map SITELINKS 20 match address DR-VPN
crypto map SITELINKS 20 set peer z.z.z.z
crypto map SITELINKS 20 set transform-set ESP-3DES-SHA
crypto map SITELINKS 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map SITELINKS interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86500
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
tunnel-group DCA-CVPN type ipsec-ra
tunnel-group DCA-CVPN general-attributes
address-pool DCA-VPN-POOL
default-group-policy DCA-CVPN
tunnel-group DCA-CVPN ipsec-attributes
pre-shared-key *
tunnel-group z.z.z.z type ipsec-l2l
tunnel-group z.z.z.z ipsec-attributes
pre-shared-key *
I know it is something stupid that I missed so can someone else point it out to me so I can feel like a boob and move on :-)
ASKER
Our normal configs don't bypass ACLs for VPN tunnels; we explicitly state which networks they can talk to so we can control what VPN users have access to.
This should be the line allowing inbound communication:
access-list outside_access_in extended permit ip DCA-VPN 255.255.255.192 object-group DCA-DR-LAN
And outbound control is only limited by the NONAT policy, which is excluding VPN traffic:
access-list NONAT extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
Interestingly enough, however, even with a sysopt connection permit-ipsec, traffic still isn't flowing, so it's almost like the issue is in the CVPN configuration...
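As an added example (not code from the thread), here is a small Python evaluator that applies the posted names, object-group and access-list entries to a packet the way the ASA's first-match ACL lookup does, ending in the implicit deny when nothing matches. The config excerpt is copied from the question; the VPN-pool and server addresses used for the lookups are constructed sample values.

```python
import ipaddress

# Constructed excerpt of the ASA config quoted in the question (names, object-group, ACEs).
CONFIG = """\
name 192.168.156.0 DCA-DR
name 192.168.157.128 DCA-VPN
object-group network DCA-DR-LAN
 network-object DCA-DR 255.255.255.128
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit ip DCA-VPN 255.255.255.192 object-group DCA-DR-LAN
access-list NONAT extended permit ip object-group DCA-DR-LAN DCA-VPN 255.255.255.192
"""

def _addr(tok, names, groups):
    """Consume one ACE address spec (any | object-group G | NET MASK); return (networks, rest)."""
    if tok[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tok[1:]
    if tok[0] == "object-group":
        return groups[tok[1]], tok[2:]
    net = ipaddress.ip_network(f"{names.get(tok[0], tok[0])}/{tok[1]}")  # dotted mask accepted
    return [net], tok[2:]

def parse(text):
    """Build {acl_name: [(action, proto, src_nets, dst_nets), ...]} from the config lines."""
    names, groups, acls, current = {}, {}, {}, None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "name":                      # name ADDR ALIAS
            names[tok[2]] = tok[1]
        elif tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[0] == "network-object":          # NET MASK under the current object-group
            current.append(ipaddress.ip_network(f"{names.get(tok[1], tok[1])}/{tok[2]}"))
        elif tok[0] == "access-list":             # access-list NAME extended ACTION PROTO SRC DST
            src, rest = _addr(tok[5:], names, groups)
            dst, _ = _addr(rest, names, groups)
            acls.setdefault(tok[1], []).append((tok[3], tok[4], src, dst))
    return acls

def evaluate(acl, proto, src, dst):
    """First-match lookup; an unmatched packet falls through to the ACL's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, srcs, dsts in acl:
        if p in ("ip", proto) and any(s in n for n in srcs) and any(d in n for n in dsts):
            return action
    return "deny"

if __name__ == "__main__":
    acls = parse(CONFIG)
    # Sample addresses (constructed): one from the DCA-VPN-POOL range, one DCA-DR server.
    print(evaluate(acls["outside_access_in"], "tcp", "192.168.157.130", "192.168.156.10"))  # permit
    print(evaluate(acls["NONAT"], "ip", "192.168.156.10", "192.168.157.130"))               # permit
    print(evaluate(acls["outside_access_in"], "tcp", "192.168.157.200", "192.168.156.10"))  # deny
```

The third lookup shows that a source outside the 192.168.157.128/26 pool matches no entry and is dropped by the implicit rule, the same drop reason packet-tracer reports above.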
By your packet tracer output it sure looks like an ACL thing... Can you test vpn attempts, track which ACL lines specifically are getting hits, then check the source and destination config on that acl entry?
ASKER CERTIFIED SOLUTION
sysopt connection permit-ipsec