Solved

Cisco EasyVPN: can't get a vlan added

Posted on 2016-10-05
Last Modified: 2016-10-28
This has to be something easy I'm missing. I have a main site with a Cisco ASA 5520 and a remote site with a Cisco ASA 5506. I already have an ezvpn site to site set up with several vlans added. I just tried to add another one and can't get pings to go over the tunnel. My configs are below:

MAIN SITE ASA

object-group network Internal_Networks
 network-object 12.1.80.0 255.255.255.0
 network-object 12.1.70.0 255.255.255.0
 network-object 12.1.60.0 255.255.255.0

object network remote_network_1
 subnet 12.4.1.0 255.255.255.0

access-list ezvpn_split extended permit ip object-group Internal_Networks object remote_network_1

group-policy ezvpnpolicy internal
group-policy ezvpnpolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn_split
 nem enable

username <remote site 1> password <removed>
====================

REMOTE SITE 1 ASA


vpnclient server <ezvpn server IP>
vpnclient mode network-extension-mode
vpnclient nem-st-autoconnect
vpnclient vpngroup <ezvpn group name> password *****
vpnclient username <remote site 1 ezvpn name> password *****
vpnclient enable


PROBLEM: I have the 12.1.80.0 and the 12.1.70.0 subnets pinging to the remote subnet 12.4.1.0 just fine. I added the 12.1.60.0 subnet and can't get it pinging with the 12.4.1.0. What am I missing?
Question by:travisryan
32 Comments
 
Expert Comment

by:max_the_king
ID: 41830015
Hi,
you may have forgotten to exempt NAT as you probably did with former subnets.

Something like:

nat (inside,outside) source static obj-local obj-local destination static obj-remote obj-remote

please do a check on that

hope this helps
max
 

Author Comment

by:travisryan
ID: 41830110
Max, below is my nat entry on the Main ASA:

nat (inside,outside) source static Internal_Networks Internal_Networks destination static remote_network_1 remote_network_1 no-proxy-arp route-lookup

 

Author Comment

by:travisryan
ID: 41830120
I was trying to use packet tracer on this one, but all of my tests come up allowed. I'm currently researching how to set up packet captures to help troubleshoot.
 
Expert Comment

by:max_the_king
ID: 41830148
Hi,
since you have added an item (the new subnet) into the object which was already natted, you should have previously removed that nat statement, then added the new subnet into the object and then reissued the nat statement: did you do that?
This is why I usually do not use summarized objects on nat statements.

It might be worth a try

hope this helps
max
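Max's two points above (an identity NAT for the new subnet, and not hanging NAT rules off a summarized object) written out as an added example; this is not configuration from the original post. The object names inside_60 and remote1 are assumptions, the addresses are the ones from the question, and the show commands are the checks I would run to confirm the rule exists and is being hit.

```cisco
! Added example, not the poster's running config.
! Per-subnet identity NAT for the EasyVPN traffic. Object names are
! assumptions; the addresses are taken from the question.
object network inside_60
 subnet 12.1.60.0 255.255.255.0
object network remote1
 subnet 12.4.1.0 255.255.255.0

! Twice NAT, identity on both sides: source and destination translate to
! themselves, so the inside address reaches the tunnel unchanged and still
! matches the split-tunnel ACL and the IPsec proxy identity.
! Adding a subnet later means adding a new object and a new rule, rather
! than editing a group that an existing rule already references.
nat (inside,outside) source static inside_60 inside_60 destination static remote1 remote1 no-proxy-arp route-lookup

! Check 1: rule order. Twice-NAT rules (section 1) are evaluated top-down,
! so a broader rule above this one that also covers 12.1.60.0 wins.
show running-config nat

! Check 2: the rule is actually used. Ping from a 12.1.60.0 host and watch
! translate_hits on this rule increase; if it stays at 0, the packet is
! matching some other rule (or never reaching the NAT stage).
show nat
```

If translate_hits climbs but the ping still fails, the NAT stage is fine and the problem is further along, in the IPsec SA for that subnet, which is what the capture and show crypto commands later in the thread are for.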
 

Author Comment

by:travisryan
ID: 41830430
Max, I cleared the nat statements and re-added them, no dice. Then I removed the subnet from the Internal_Networks group and made it its own group, put that in its own nat statement then applied that, still didn't work.

Any other suggestions?
 
Expert Comment

by:max_the_king
ID: 41830501
check access-lists
max
 

Author Comment

by:travisryan
ID: 41830508
Max, I posted all relevant access lists. No other ACL references the 12.4.1.0 network. Do you use packet tracer or packet capture to troubleshoot issues like this?
 
Expert Comment

by:max_the_king
ID: 41830570
you can use packet tracer from asdm
max
 

Author Comment

by:travisryan
ID: 41830595
Max, do you have any experience with it? I'm getting no results.
 

Author Comment

by:travisryan
ID: 41830598
Capture buffer showing empty.
 
Expert Comment

by:max_the_king
ID: 41830616
depends on which asdm version you have.
You Can as well use asdm monitoring and set a filter with the subnet or IP you are testing.
max
 

Author Comment

by:travisryan
ID: 41830629
I'm really looking for more of a packet tracer type tool to see where the packets stop at, can packet capture help me do this? I need to know what I'm missing.
 
Expert Comment

by:max_the_king
ID: 41830637
in asdm packet tracer you need to set source ip and port and destination ip and port.
as easy as that. It will show you the flow.
max
 

Author Comment

by:travisryan
ID: 41830641
I tried that for this connection and it shows allowed. From what little I've found about packet tracer and VPNs it looks like it doesn't work for some reason.
 
Expert Comment

by:max_the_king
ID: 41830659
allowed really means allowed
 

Author Comment

by:travisryan
ID: 41830745
Remote Site 1 Firewall
packet-tracer input inside icmp 12.4.1.11 8 0 12.1.60.14
Result: Allow
When I try to ping from the device with the IP address 12.4.1.11 to 12.1.60.14 the ping fails

Main Firewall
packet-tracer input inside icmp 12.1.60.14 8 0 12.4.1.11
Result: Allow
When I try to ping from the device with the IP address 12.1.60.14 to 12.4.1.11 the ping fails

I've tried 8 0 codes and 0 0 codes, both say allow yet I can't ping between the two addresses.
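Packet-tracer returning Allow means the ACL, NAT and routing checks passed for the synthetic packet; it does not prove that an IPsec SA exists for that subnet, which is the question here. The sequence below is an added example of the capture and SA checks the author was looking for earlier in the thread (not commands taken from the thread itself): capture the cleartext flow on the inside, the encrypted flow on the outside, and then look for the new subnet in the SA table. Capture names are assumptions; the addresses are from the question and <ezvpn peer IP> stands for the remote ASA's public address.

```cisco
! Added example of the capture / SA verification sequence; not from the thread.
! Capture names are assumptions. Addresses come from the question.

! Cleartext on the inside interface: does the echo request even arrive?
capture capin interface inside match icmp host 12.1.60.14 host 12.4.1.11

! Encrypted side: ESP to the peer, or UDP/4500 if NAT-T is in use.
capture capout interface outside match esp any host <ezvpn peer IP>
capture capnatt interface outside match udp any host <ezvpn peer IP> eq 4500

! Now ping 12.4.1.11 from 12.1.60.14 and read each buffer.
! capin empty   -> packet never reaches the ASA (host routing / gateway).
! capin only    -> ASA accepted it but did not send it into the tunnel.
! capout/capnatt grow with the pings -> it was encrypted; look at the far side.
show capture capin
show capture capout
show capture capnatt

! Each network in the split-tunnel list negotiates its own SA with the
! hardware client, so each should appear as its own "local ident" entry
! with #pkts encaps / #pkts decaps counters. No entry for 12.1.60.0/24 at
! all means the problem is SA negotiation or policy selection, not the
! ACL or NAT stages that packet-tracer reports on.
show crypto ipsec sa peer <ezvpn peer IP>

! Which tunnel-group and group-policy the hardware client actually landed
! in (the detail output lists Group Policy and Tunnel Group per session).
show vpn-sessiondb detail

! Full phase list; a tunneled flow shows a VPN (encrypt) phase.
packet-tracer input inside icmp 12.1.60.14 8 0 12.4.1.11 detailed

! Clean up; captures keep consuming buffer until removed.
no capture capin
no capture capout
no capture capnatt
```

Run the same sequence on the remote ASA with the addresses swapped. The SA table is the decisive check: if the new subnet never shows up as a proxy identity, the split-tunnel list the client received does not contain it, which points at the group-policy the client is being handed rather than at anything packet-tracer inspects.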
 
Expert Comment

by:max_the_king
ID: 41830850
check the other firewall
 

Author Comment

by:travisryan
ID: 41830868
For what?
 
Expert Comment

by:max_the_king
ID: 41830873
You already did... just realized.
 
Expert Comment

by:max_the_king
ID: 41831472
Hi,
just in case the ASA for any reason doesn't match with crypto map, I would try the following:

no access-list ezvpn_split extended permit ip object-group Internal_Networks object remote_network_1

access-list ezvpn_split extended permit ip 12.1.80.0 255.255.255.0 12.4.1.0 255.255.255.0
access-list ezvpn_split extended permit ip 12.1.70.0 255.255.255.0 12.4.1.0 255.255.255.0
access-list ezvpn_split extended permit ip 12.1.60.0 255.255.255.0 12.4.1.0 255.255.255.0


and then you'd better recreate the
 split-tunnel-network-list value ezvpn_split

or at least check that it did not disappear after deleting that access-list in the previous step.

let me know, if no joy, set the debug on asa while pinging:

debug crypto ikev1
debug crypto ikev2
debug crypto ipsec

max
 

Author Comment

by:travisryan
ID: 41832194
Max, how would I check if the crypto map isn't matching? That split tunnel list is for more than one easy vpn and I'd like to bounce these as little as possible since we have some users at these locations actively using the connection.
 
Expert Comment

by:max_the_king
ID: 41832222
yep, this is just a try ...

you may alternatively set debug on ASA and read messages: it would tell you if it doesn't match with crypto map
 

Author Comment

by:travisryan
ID: 41832284
Max, sent pings both ways, tried debug crypto ikev1, debug crypto ikev2 protocol (and platform, ha and timers) and debug crypto ipsec. Nothing points to an issue with that tunnel or the 12.1.60 network.

Checking my general debug logs now.
 

Author Comment

by:travisryan
ID: 41832300
So here was an interesting experiment:
I have pings going on a 12.1.60 machine to a 12.4.1 and a 12.5.1 address
Those same pings are coming from my machine on a 12.1.70 address
I ran a: no split-tunnel-network-list value ezvpn_split then saved the config.

Not a ping dropped. I gave it about 5 minutes and not a ping dropped from my 12.1.70 machine to those two addresses. It didn't have an effect on the pings from the 12.1.60 machine.

When I tried the same experiment yesterday with the nat statements, it definitely dropped pings from my machine.
 

Author Comment

by:travisryan
ID: 41832605
I wonder if using actual IP addresses in the nat statement instead of assigning a subnet to a group would change anything?
 
Expert Comment

by:max_the_king
ID: 41833849
It is worth a try ... whenever possible
 

Author Comment

by:travisryan
ID: 41833875
Is there some specific debugging I should be turning on to help troubleshoot the issue?
 
Expert Comment

by:max_the_king
ID: 41833942
Hi,
there is one more easy thing you may want to do ...

check that the access-lists on each side are identical and separate them, i.e.:

MAIN SITE
access-list ezvpn_split_1 extended permit ip 12.1.80.0 255.255.255.0 12.4.1.0 255.255.255.0
access-list ezvpn_split_2 extended permit ip 12.1.70.0 255.255.255.0 12.4.1.0 255.255.255.0
access-list ezvpn_split_3 extended permit ip 12.1.60.0 255.255.255.0 12.4.1.0 255.255.255.0

REMOTE1
access-list ezvpn_split_1 extended permit ip 12.4.1.0 255.255.255.0 12.1.80.0 255.255.255.0

REMOTE2
access-list ezvpn_split_2 extended permit ip 12.4.1.0 255.255.255.0 12.1.70.0 255.255.255.0

REMOTE3
access-list ezvpn_split_3 extended permit ip 12.4.1.0 255.255.255.0 12.1.60.0 255.255.255.0


I have coped with cases in which summarizing would mess with crypto maps, and I remember that the VPN did go up but did not exchange packets with some subnet: separating them gave me joy.

hope this helps
max
 

Accepted Solution

by:travisryan
ID: 41848391
I had another colleague take a look at my config. Both my EasyVPN sites were sharing the same tunnel group, I needed to split this out into separate tunnel groups, then everything worked.

Regardless, thanks for all of your input Max.
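The fix the author describes, one tunnel-group per EasyVPN hardware client instead of two sites sharing one, written out as an added example; this is not the poster's actual configuration. The group, policy and ACL names are assumptions, and so is the second site's network 12.5.1.0/24 (the author pings it in a later comment, but the thread never says it belongs to the other EasyVPN site). The remaining names reuse the question's objects, and the syntax is the ASA 8.4+/9.x form (ikev1 pre-shared-key).

```cisco
! Added example: one tunnel-group per EasyVPN hardware client.
! Names are assumptions; 12.5.1.0/24 as site 2's LAN is an assumption.

object network remote_network_2
 subnet 12.5.1.0 255.255.255.0

! One split-tunnel list per site, so each remote is pushed only its own
! pairs and negotiates one SA per listed network against its own LAN.
access-list ezvpn_split_site1 extended permit ip object-group Internal_Networks object remote_network_1
access-list ezvpn_split_site2 extended permit ip object-group Internal_Networks object remote_network_2

! Identity NAT for site 2; the existing rule for remote_network_1 stays as is.
nat (inside,outside) source static Internal_Networks Internal_Networks destination static remote_network_2 remote_network_2 no-proxy-arp route-lookup

! One group-policy per site. group-lock ties the policy to its own
! tunnel-group, so a client that authenticates into the other group is refused.
group-policy ezvpnpolicy_site1 internal
group-policy ezvpnpolicy_site1 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn_split_site1
 nem enable
 group-lock value ezvpn_site1
group-policy ezvpnpolicy_site2 internal
group-policy ezvpnpolicy_site2 attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ezvpn_split_site2
 nem enable
 group-lock value ezvpn_site2

! One tunnel-group per site: its own group password (the IKEv1 PSK the
! hardware client sends with "vpnclient vpngroup") and its own default policy.
tunnel-group ezvpn_site1 type remote-access
tunnel-group ezvpn_site1 general-attributes
 default-group-policy ezvpnpolicy_site1
tunnel-group ezvpn_site1 ipsec-attributes
 ikev1 pre-shared-key <site1 group password>
tunnel-group ezvpn_site2 type remote-access
tunnel-group ezvpn_site2 general-attributes
 default-group-policy ezvpnpolicy_site2
tunnel-group ezvpn_site2 ipsec-attributes
 ikev1 pre-shared-key <site2 group password>

! The hardware-client user accounts, each pinned to its own policy as well.
username <remote site 1 ezvpn name> attributes
 vpn-group-policy ezvpnpolicy_site1
username <remote site 2 ezvpn name> attributes
 vpn-group-policy ezvpnpolicy_site2

! On the remote site 1 ASA only the vpngroup line changes; it must name
! the tunnel-group above and carry that group's PSK:
!   vpnclient vpngroup ezvpn_site1 password <site1 group password>
```

The ASA selects the tunnel-group from the group name the hardware client sends during IKEv1 aggressive mode (the vpngroup line), not from the server address, which is why any number of remotes can point at the same server IP and why two sites can end up in one group by accident. Separating them is also the least-privilege shape: each site holds only its own group PSK, so a group password lifted from one remote's config cannot be used to join as the other site, and group-lock plus vpn-group-policy stop a user account from being handed another site's split-tunnel list.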
 
Expert Comment

by:max_the_king
ID: 41848498
Hi,
well that is really confusing as you did not mention tunnel-groups in your post.
Moreover the tunnel-group must be tied to the IP address (it is mandatory) so I wonder how you could use the same tunnel-group.
have a nice day
max
 

Author Comment

by:travisryan
ID: 41854358
max, I didn't think this was an issue until someone else had taken a look at it. I was using the same tunnel group because both easyvpn site to sites are using the same IP address to connect back to.