Cisco ASA - ping opens VPN tunnel but no IP traffic passes

I have noticed an interesting bug on Cisco ASA equipment; it happens only if we use Cisco ASA firewalls on both sides of the VPN tunnel. So if I open the tunnel with ping, no IP traffic passes, and if I open it with IP traffic, then ICMP and IP pass through.
Has anybody noted such behaviour?
Merdex Asked:
Istvan Kalmar (Head of IT Security Division) Commented:
Please show the configs!
Did you set a nonat statement?
0
Merdex (Author) Commented:
This is my standard config; I use it on both sides (of course I change the peer and the subnets in the access lists). No NAT is configured either.

access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat1

crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 TRANS_ESP_3DES_SHA
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA


crypto map outside_map 34 match address crypto_kamb1
crypto map outside_map 34 set pfs
crypto map outside_map 34 set peer 1.1.1.1
crypto map outside_map 34 set transform-set ESP-3DES-MD5

crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400


tunnel-group  1.1.1.1 type ipsec-l2l
tunnel-group  1.1.1.1 ipsec-attributes
 pre-shared-key *
0
Istvan Kalmar (Head of IT Security Division) Commented:
Where is the group policy?
0
Merdex (Author) Commented:
I think that this group policy only applies to remote access clients, but please check; that is all I have in the config.

threat-detection basic-threat
threat-detection statistics
group-policy DRXDRX internal
group-policy DRXDRX attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DRXDRX_splitTunnelAcl
group-policy TG internal
group-policy TG attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TG_splitTunnelAcl


policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
0
Istvan Kalmar (Head of IT Security Division) Commented:
Please provide us:

sh cry isa sa
sh cry ips sa
sh vpn-sessiondb l2l
0
Istvan Kalmar (Head of IT Security Division) Commented:
Please define a group policy for L2L.
0
Merdex (Author) Commented:
I have about 30 tunnels, so maybe I didn't copy everything correctly...
How do I define a policy for L2L? Do you have an example?


18  IKE Peer: 1.1.1.1
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE


Crypto map tag: outside_map, seq num: 19, local addr: 2.2.2.2

      access-list crypto_mega permit ip host 2.2.2.2.2 host 1.1.1.1.
      local ident (addr/mask/prot/port): (2.2.2.2 /255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (1.1.1.1./255.255.255.255/0/0)
      current_peer: 91.199.161.3

      #pkts encaps: 2987, #pkts encrypt: 2987, #pkts digest: 2987
      #pkts decaps: 3570, #pkts decrypt: 3570, #pkts verify: 3570
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2987, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 2.2.2.2., remote crypto endpt.: 1.1.1.1.

      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 428A0C4A

    inbound esp sas:
      spi: 0xB8637B70 (3093527408)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8798208, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2984/1154)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x428A0C4A (1116343370)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8798208, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (2984/1154)
         IV size: 8 bytes
         replay detection support: Y

    Crypto map tag: outside_map, seq num: 13, local addr: 2.2.2.2.





Session Type: LAN-to-LAN

Connection   : 1.1.1.1
Index        : 1518                   IP Addr      : 192.168.16.102
Protocol     : IKE IPsec
Encryption   : 3DES                   Hashing      : MD5
Bytes Tx     : 1221930834             Bytes Rx     : 2200190951
Login Time   : 09:10:48 UTC Fri Mar 19 2010
Duration     : 4d 2h:01m:07s



0
Istvan Kalmar (Head of IT Security Division) Commented:
It seems it is working:


      #pkts encaps: 2987, #pkts encrypt: 2987, #pkts digest: 2987
      #pkts decaps: 3570, #pkts decrypt: 3570, #pkts verify: 3570
0
Istvan Kalmar (Head of IT Security Division) Commented:
group-policy remotevpn internal
group-policy remotevpn attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
tunnel-group  1.1.1.1 ipsec-attributes
 default-group-policy remotevpn
0
Merdex (Author) Commented:
Yes, it is working now because I started the connection with IP traffic. This is a production environment, so I cannot test right now.
What do I get with this group policy? It seems that it works OK without it; do you think it will solve this issue?
0
Markus Braun (CEO) Commented:
I think your access-list inside_outbound_nat1
is missing the permit ICMP like you have on your NAT0 access-list.

You can do a "debug icmp trace"

and you will see what happens to your pings.
0
Markus Braun (CEO) Commented:
Basically add
access-list inside_outbound_nat1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

to permit ICMP to pass the inside interface,

or allow it altogether with "access-list inside_outbound_nat1 permit icmp any any" for testing purposes
and then limit it to the ones you have to have, e.g.

access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
access-list inside_outbound_nat1 permit icmp any any time-exceeded
0
Merdex (Author) Commented:
You maybe didn't understand my question: my ping works, always. It is just that when I start pinging and the VPN tunnel goes up, I cannot send any IP traffic through it, just ping (ICMP).

If I start my tunnel with IP traffic, everything is OK; ping works also....
0
Markus Braun (CEO) Commented:
Hi, OK, I see.
Remove this: access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
but add this anyway:
access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
access-list inside_outbound_nat1 permit icmp any any time-exceeded

If you permit IP in your NAT 0 access-list, ICMP is already allowed; all you need to do is allow it from the LAN side.
0
Markus Braun (CEO) Commented:
Oops, sorry, I mixed something up because of this:

nat (inside) 0 access-list inside_outbound_nat1

Since you named it nat1, it was confusing, since the NAT 0 statement means no NAT and NAT 1 means do NAT.
So don't do this:
access-list inside_outbound_nat1 permit icmp any any echo
access-list inside_outbound_nat1 permit icmp any any echo-reply
access-list inside_outbound_nat1 permit icmp any any source-quench
access-list inside_outbound_nat1 permit icmp any any unreachable
Instead, add it to your LANOUT access-list.
If you explicitly permit ICMP in your crypto access-list, you also need to explicitly allow it in your NAT 0 access-list,
or better, just remove any ICMP access-list in your tunnel configuration, since IP already includes ICMP.
0
Markus Braun (CEO) Commented:
So this:

access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

needs to match, meaning it should look like this:

access-list inside_outbound_nat1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0

But I recommend you change "inside_outbound_nat1" to something logical like NONAT or inside_outbound_nat0.
0
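The two conditions discussed above (an ICMP entry in the crypto ACL that the ip entry already covers, and crypto ACL entries that the NAT-exemption ACL must match) can be checked mechanically. The following Python lint is an added example, not code from the thread: it parses plain `access-list ... permit` lines in ASA syntax (`any`, `host A`, and `A MASK` address forms; object-groups are skipped), reports crypto ACEs shadowed by a wider ACE in the same list, and reports crypto ACEs with no covering NAT 0 ACE. The ACL names and sample lines are taken from the thread's own config.

```python
import ipaddress
# Constructed sample from the thread: the NAT-exemption list has only an ip entry,
# the crypto list has both an icmp and an ip entry for the same subnets.
SAMPLE_CONFIG = """
access-list inside_outbound_nat1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit icmp 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list crypto_kamb1 extended permit ip 192.168.0.0 255.255.255.0 192.168.16.0 255.255.255.0
"""

def _addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acls(text):
    """Map ACL name -> list of (proto, src_net, dst_net), one tuple per permit ACE."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"] or "permit" not in t[2:]:
            continue
        p = t.index("permit") + 1                  # index of the protocol keyword
        try:
            src, rest = _addr(t[p + 1:])
            dst, _ = _addr(rest)                   # trailing ICMP types/ports are ignored
        except (IndexError, ValueError):
            continue                               # not a plain IPv4 ACE (e.g. object-group)
        acls.setdefault(t[1], []).append((t[p], src, dst))
    return acls

def covers(wide, narrow):
    """True if every packet matched by ACE 'narrow' is also matched by ACE 'wide'."""
    return (wide[0] in ("ip", narrow[0])
            and narrow[1].subnet_of(wide[1]) and narrow[2].subnet_of(wide[2]))

def shadowed(aces):
    """ACEs made redundant by another ACE of the same list, e.g. icmp beneath ip."""
    return [a for i, a in enumerate(aces) if any(j != i and covers(b, a) for j, b in enumerate(aces))]

def not_exempted(crypto_aces, nat0_aces):
    """Crypto ACEs no NAT-exemption ACE covers: that traffic would be NATed before encryption."""
    return [c for c in crypto_aces if not any(covers(n, c) for n in nat0_aces)]

def lint(text, crypto_acl, nat0_acl):
    """Run both checks on a config snippet and return the offending ACE protocols."""
    acls = parse_acls(text)
    return {"redundant_crypto_aces": [a[0] for a in shadowed(acls.get(crypto_acl, []))],
            "crypto_aces_not_in_nat0": [a[0] for a in not_exempted(acls.get(crypto_acl, []), acls.get(nat0_acl, []))]}
```

Running `lint(SAMPLE_CONFIG, "crypto_kamb1", "inside_outbound_nat1")` flags the icmp crypto ACE as redundant, which is exactly the line the thread ends up removing.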
Merdex (Author) Commented:
Thanks for the assistance; it seems that I had one access-list too many, so the one for ICMP is not needed.
0
Markus Braun (CEO) Commented:
Thanks for your grade, it was a pleasure to assist you.
0