LCCRIT
VPN Tunnel up but receiving error and no ping from internal network to VPC Network.
Hello Experts,
I've setup a tunnel to AWS. The tunnel is showing as up on the AWS side and the initiator and ipsec tunnels are up on our customer gateway. I cannot however ping from our site to the VPC subnet. The error message we are getting is this anytime we try to send traffic through the tunnel.
IPSEC: Received an ESP packet (SPI= 0x8A6AB546, sequence number= 0x113) from 52.37.217.122 (user= 52.37.217.122) to "outside interface ip" that failed authentication.
Those messages repeat with different sequence numbers.
I've checked ACLs on the AWS side and they are all correct. I've also checked the static routes on the AWS side and they all look correct. The odd thing is that this was all working and then all of a sudden it just stopped. Nobody changed anything.
We are running ASA version 8.0.5.
Our internal LAN is 10.99.248.0/22.
The VPC network is 192.168.0.0/22.
Here is the config from AWS that was given to us:
! --- Phase 1 (ISAKMP/IKEv1): AES, SHA-1, DH group 2, 8-hour SA lifetime ---
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
encryption aes
authentication pre-share
group 2
lifetime 28800
hash sha
exit
!
! --- One tunnel-group per AWS VPN endpoint; PSKs are the ones in the AWS-generated config ---
tunnel-group 52.37.217.122 type ipsec-l2l
tunnel-group 52.37.217.122 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 10
exit
tunnel-group 52.43.26.15 type ipsec-l2l
tunnel-group 52.43.26.15 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 10 retry 10
exit
! --- Let the two AWS peers reach the outside interface; acl-amzn is the crypto ACL (interesting traffic) ---
! note: acl-amzn covers 192.168.0.0/24 only, while the post describes the VPC as 192.168.0.0/22
access-list ACL-OUTSIDE extended permit ip host 52.37.217.122 host outside interface ip
access-list ACL-OUTSIDE extended permit ip host 52.43.26.15 host outside interface ip
access-list acl-amzn extended permit ip any 192.168.0.0 255.255.255.0
! --- Phase 2 (IPsec): ESP with AES and HMAC-SHA1, PFS group 2, 1-hour SA lifetime, two peers for failover ---
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs group2
crypto map amzn_vpn_map 1 set peer 52.37.217.122 52.43.26.15
crypto map amzn_vpn_map 1 set transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
! --- MTU/fragmentation handling for the tunnel and a 128-packet anti-replay window ---
crypto ipsec df-bit clear-df outside
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption outside
sysopt connection tcpmss 1379
! --- IP SLA echo probe generates interesting traffic every 5 s so the tunnel stays established ---
sla monitor 15
type echo protocol ipIcmpEcho 192.168.0.151 interface outside
frequency 5
exit
sla monitor schedule 15 life forever start-time now
icmp permit any outside
! --- vpn-filter: restrict tunnel traffic to VPC <-> internal LAN (vpn-filter ACLs are written remote-to-local) ---
access-list amzn-filter extended permit ip 192.168.0.0 255.255.255.0 10.99.248.0 255.255.252.0
access-list amzn-filter extended deny ip any any
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group 52.37.217.122 general-attributes
default-group-policy filter
exit
tunnel-group 52.43.26.15 general-attributes
default-group-policy filter
exit
! --- NAT exemption for traffic matching the crypto ACL ---
nat (inside) 0 access-list acl-amzn
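The symptom in the post is a tunnel that both sides report as up while every ESP packet from the AWS peer fails the integrity check (ICV) on the ASA. The first thing to establish is whether the SPI the peer is sending on is still an inbound SA the ASA holds, and whether every sequence number on that SA fails (a systematic key or transform mismatch, typically a stale SA after a rekey on one side) or only some do. The Python below is an added triage helper, not part of the original post or of any Cisco or AWS tooling: it groups the syslog messages by peer and SPI and checks each SPI against the inbound SAs parsed from `show crypto ipsec sa`. The log lines and the abridged `show` output are constructed sample data, and 203.0.113.10 stands in for the outside interface IP.

```python
"""Triage ASA 'ESP packet ... failed authentication' messages against the SA table.

Added example: groups failing ESP packets by (peer, SPI) and checks each SPI
against the inbound SAs the ASA currently holds.  Sample data is constructed;
203.0.113.10 stands in for the outside interface IP.
"""
import re
from collections import defaultdict

# Constructed syslog lines in the same shape as the one quoted in the post.
LOG_LINES = """\
IPSEC: Received an ESP packet (SPI= 0x8A6AB546, sequence number= 0x113) from 52.37.217.122 (user= 52.37.217.122) to 203.0.113.10 that failed authentication.
IPSEC: Received an ESP packet (SPI= 0x8A6AB546, sequence number= 0x114) from 52.37.217.122 (user= 52.37.217.122) to 203.0.113.10 that failed authentication.
IPSEC: Received an ESP packet (SPI= 0x8A6AB546, sequence number= 0x115) from 52.37.217.122 (user= 52.37.217.122) to 203.0.113.10 that failed authentication.
IPSEC: Received an ESP packet (SPI= 0x1F2E3D4C, sequence number= 0x7) from 52.43.26.15 (user= 52.43.26.15) to 203.0.113.10 that failed authentication.
""".splitlines()

# Constructed, abridged 'show crypto ipsec sa' output: one crypto-map entry per peer.
SHOW_SA = """\
interface: outside
    Crypto map tag: amzn_vpn_map, seq num: 1, local addr: 203.0.113.10
      remote ident (addr/mask/prot/port): (192.168.0.0/255.255.255.0/0/0)
      current_peer: 52.37.217.122
      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    inbound esp sas:
      spi: 0x8A6AB546 (2322642246)
         transform: esp-aes esp-sha-hmac no compression
    outbound esp sas:
      spi: 0x3A9C2B11 (983378705)
         transform: esp-aes esp-sha-hmac no compression
    Crypto map tag: amzn_vpn_map, seq num: 1, local addr: 203.0.113.10
      current_peer: 52.43.26.15
    inbound esp sas:
      spi: 0x5D6E7F80 (1567522688)
    outbound esp sas:
      spi: 0x0A0B0C0D (168496141)
"""

LOG_RE = re.compile(
    r"SPI= (0x[0-9A-Fa-f]+), sequence number= (0x[0-9A-Fa-f]+)\) "
    r"from (\d+(?:\.\d+){3}) .*that failed authentication")


def parse_failures(lines):
    """Return {(peer, spi): {count, first_seq, last_seq}} for failing ESP packets."""
    groups = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        spi, seq, peer = int(m.group(1), 16), int(m.group(2), 16), m.group(3)
        g = groups.setdefault((peer, spi), {"count": 0, "first_seq": seq, "last_seq": seq})
        g["count"] += 1
        g["first_seq"] = min(g["first_seq"], seq)
        g["last_seq"] = max(g["last_seq"], seq)
    return groups


def parse_inbound_spis(show_sa):
    """Return {peer: {inbound SPI, ...}} parsed from 'show crypto ipsec sa' text."""
    spis = defaultdict(set)
    peer, inbound = None, False
    for raw in show_sa.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            peer, inbound = None, False            # start of a new crypto-map entry
        elif line.startswith("current_peer:"):
            peer = line.split(":", 1)[1].strip()
        elif line.startswith("inbound esp sas:"):
            inbound = True
        elif line.startswith("outbound esp sas:"):
            inbound = False
        elif line.startswith("spi:") and inbound and peer:
            spis[peer].add(int(line.split()[1], 16))
    return spis


def triage(lines, show_sa):
    """Classify each (peer, SPI) with failing ICVs against the current SA table."""
    inbound = parse_inbound_spis(show_sa)
    report = []
    for (peer, spi), g in sorted(parse_failures(lines).items()):
        # Every sequence number in the span failing means a systematic key/transform
        # mismatch on that SA rather than occasional corruption or replay.
        every_packet = g["last_seq"] - g["first_seq"] + 1 == g["count"]
        if spi in inbound.get(peer, set()):
            verdict = "known_sa_icv_mismatch"
            hint = f"clear crypto ipsec sa peer {peer}"   # tear the SA down to force a rekey
        else:
            verdict = "unknown_spi"
            hint = "re-check against a fresh 'show crypto ipsec sa'; the SPI may predate a rekey"
        report.append({"peer": peer, "spi": f"0x{spi:08X}", "count": g["count"],
                       "first_seq": g["first_seq"], "last_seq": g["last_seq"],
                       "every_packet": every_packet, "verdict": verdict, "hint": hint})
    return report


if __name__ == "__main__":
    for entry in triage(LOG_LINES, SHOW_SA):
        print(entry)
```

Run it against a `show logging` capture and a `show crypto ipsec sa` capture taken at the same time; a `known_sa_icv_mismatch` verdict with `every_packet` true (as for 0x8A6AB546 here) points at the two sides holding different keys for the same SPI, which clearing the SA and letting IKE rekey resolves, whereas an `unknown_spi` verdict usually just means the log predates a rekey and the comparison needs fresher data.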