bildozer
asked on
ASA5505 site-to-site - tunnel up but no decap/decrypt either direction
I've got two ASAs, one with version 9.1(6)8 and the other running version 9.1(6)11
I'm test benching a site-to-site configuration, and have set up a router to simulate the wan:
[F1 outside 172.16.1.2] ------ [172.16.1.1 router 172.16.2.1] ------ [172.16.2.2 F2 outside]
The tunnel builds and transitions to MM_Active if I ping from either inside network, and I see pkts encaps increase as expected with each icmp packet on the firewall connected to the sending device. However, I never see the decrypt packets increase on the either firewall and packet captures on the client machines do not show any traffic whatsoever from the corresponding remote network.
#pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
F1 client machine: Windows 7 with firewall configured to allow all traffic to and from 10.0.1.0/24 and 10.0.2.0/24 and a route set:
Destination Netmask Gateway Interface Metric
10.0.2.0 255.255.255.0 10.0.1.1 10.0.1.10 21
F2 client: I'm using a Raspberry Pi without firewall implemented on F2 inside network (10.0.2.10):
10.0.1.0 10.0.2.1 255.255.255.0 UG 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth0
If I capture packets on the client machines I can see their gateways ping them, but pinging from the opposite firewall or the opposite client machines I get nothing.
Here's F1's config
Here's F2's config
Thanks in advance for any help. I've experience with IOS but have just started working with the ASAs, which seem to be a whole 'nother ballgame.
I'm test benching a site-to-site configuration, and have set up a router to simulate the wan:
[F1 outside 172.16.1.2] ------ [172.16.1.1 router 172.16.2.1] ------ [172.16.2.2 F2 outside]
The tunnel builds and transitions to MM_Active if I ping from either inside network, and I see pkts encaps increase as expected with each icmp packet on the firewall connected to the sending device. However, I never see the decrypt packets increase on the either firewall and packet captures on the client machines do not show any traffic whatsoever from the corresponding remote network.
#pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
F1 client machine: Windows 7 with firewall configured to allow all traffic to and from 10.0.1.0/24 and 10.0.2.0/24 and a route set:
Destination Netmask Gateway Interface Metric
10.0.2.0 255.255.255.0 10.0.1.1 10.0.1.10 21
F2 client: I'm using a Raspberry Pi without firewall implemented on F2 inside network (10.0.2.10):
10.0.1.0 10.0.2.1 255.255.255.0 UG 0 0 0 eth0
10.0.2.0 * 255.255.255.0 U 0 0 0 eth0
If I capture packets on the client machines I can see their gateways ping them, but pinging from the opposite firewall or the opposite client machines I get nothing.
Here's F1's config
ASA Version 9.1(6)8
!
hostname F1
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
ip address 172.16.1.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.1.1 255.255.255.0
!
boot system disk0:/asa916-8-k8.bin
ftp mode passive
access-list LAN_Traffic extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
pager lines 24
logging enable
logging console warnings
logging monitor debugging
logging buffered debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-reco<wbr ></wbr>rd DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set pfs
crypto map L2L 1 set peer 172.16.2.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.2.2 type ipsec-l2l
tunnel-group 172.16.2.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic<wbr ></wbr>
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/it<wbr ></wbr>s/service/<wbr ></wbr>oddce/serv<wbr ></wbr>ices/DDCES<wbr ></wbr>ervice
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic dailyHere's F2's config
ASA Version 9.1(6)11
!
hostname F2
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif outside
security-level 0
ip address 172.16.2.2 255.255.255.252
!
interface Vlan2
nameif inside
security-level 100
ip address 10.0.2.1 255.255.255.0
!
boot system disk0:/asa916-11-k8.bin
ftp mode passive
access-list LAN_Traffic extended permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 172.16.2.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set L2L esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map L2L 1 match address LAN_Traffic
crypto map L2L 1 set pfs
crypto map L2L 1 set peer 172.16.1.2
crypto map L2L 1 set ikev1 transform-set L2L
crypto map L2L interface outside
crypto ca trustpool policy
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 172.16.1.2 type ipsec-l2l
tunnel-group 172.16.1.2 ipsec-attributes
ikev1 pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic dailyThanks in advance for any help. I've experience with IOS but have just started working with the ASAs, which seem to be a whole 'nother ballgame.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
TL;DR - Meraki WAN simulation didn't work. Used an old wireless router instead and voila. Thanks for taking the time to offer some insight. I definitely learned a lot from parsing the debug information and configurations.
I was using a Meraki MX64 to route between the 172.16.1.X and 172.16.2.X, which worked for the most part. While troubleshooting, I noticed that while I saw the ESP traffic in the Meraki packet capture in both directions, the hit counters for the permit any rules did not increase (I had a permit any in both directions and tried playing with using less specific ip/masks and more specific: using /32 and the complete outside IP adddress) . However, pinging from each ASA outside interface to the next did increase the hit counter.
I tried disabling firewall inspection in each VLAN's group policy but still no decaps. I had no NAT set up for these VLANs, and they weren't going outside so there shouldn't have been any by default as far as I understand.
Meraki support worked with me on the counter issue and finally told me that their permit any is actually a permit ICMP, TCP, UDP (the other options in the drop down). I assumed it was like cisco permit IP any. The hit counters were not counting IP protocol 50, and the MX64 was also not allowing it, even with firewall inspection disabled for each VLAN.
Finally I pulled out an old TP-Link wireless router with DD-WRT and configured the WAN and LAN interfaces to route between the ASAs, with the firewall disabled.
Immediately the pings to Ubuntu showed in tcpdump, and the replies show were received on the Windows 7 machine.
I was using a Meraki MX64 to route between the 172.16.1.X and 172.16.2.X, which worked for the most part. While troubleshooting, I noticed that while I saw the ESP traffic in the Meraki packet capture in both directions, the hit counters for the permit any rules did not increase (I had a permit any in both directions and tried playing with using less specific ip/masks and more specific: using /32 and the complete outside IP adddress) . However, pinging from each ASA outside interface to the next did increase the hit counter.
I tried disabling firewall inspection in each VLAN's group policy but still no decaps. I had no NAT set up for these VLANs, and they weren't going outside so there shouldn't have been any by default as far as I understand.
Meraki support worked with me on the counter issue and finally told me that their permit any is actually a permit ICMP, TCP, UDP (the other options in the drop down). I assumed it was like cisco permit IP any. The hit counters were not counting IP protocol 50, and the MX64 was also not allowing it, even with firewall inspection disabled for each VLAN.
Finally I pulled out an old TP-Link wireless router with DD-WRT and configured the WAN and LAN interfaces to route between the ASAs, with the firewall disabled.
Immediately the pings to Ubuntu showed in tcpdump, and the replies show were received on the Windows 7 machine.
ASKER
Yeah, it seems VLAN 1 is default and doesn't show in the configuration unless it's changed to 2 or higher. I tested this a couple of times as it caught me off guard
Yeah I haven't set up any NAT yet. Wanted to get this going on a clean set of ASAs, and then replicate my production setup and create the site to site again in case I break something.
I will do this soon... It would definitely help readability
I've included the logs. Thanks a bunch
I've added that command to both ASAs but haven't seen an change.
It looks like the tunnel establishes without any problems (as far as my limited knowledge can tell).
I went ahead and pinged from the host connected to F1 via 10.0.1.10 to the opposite host at 10.0.2.10 (now Ubuntu so I can run ASDM - my Pi tried, at least). The tunnel established, I canceled the ping and then gave the clear ipsec sa peer command to shut down the tunnel (I entered this at F2).
I set up logging to the console (beforehand) and logged the Putty data because I don't know how to save the output in the ASDM log.
Here's F1's debug log
Open in new window
Here's F2's debug log
Open in new window