When configuring a site-to-site VPN between two ASAs, sometimes part
of the traffic that should go through the tunnel doesn't make it across.
If I run the same type of traffic through packet tracer on the sending
end, I get the following message:
Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
So far, the problem has occurred on several devices. It seems to occur
only when the crypto ACLs have multiple entries, and only for traffic
matching some of those entries (i.e., not for all the traffic going
through the tunnel).
Below you will find the relevant configuration from one of the
devices (sanitized), and the packet-tracer output.
asa# sh run crypto isakmp
crypto isakmp identity address
crypto isakmp enable OUTSIDE
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal 10

asa# sh run crypto ipsec
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec df-bit clear-df INSIDE
crypto ipsec df-bit clear-df OUTSIDE

asa# sh run crypto map
crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
crypto map OUTSIDE_map 1 set pfs
crypto map OUTSIDE_map 1 set peer a.a.a.a
crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
crypto map OUTSIDE_map 1 set security-association lifetime kilobytes 4608000
crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
crypto map OUTSIDE_map interface OUTSIDE

ASSA-ABBLOY# sh run tunnel-group
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group VPN1 type remote-access
tunnel-group VPN1 general-attributes
 address-pool VPNPOOL
 default-group-policy VPN1
tunnel-group VPN1 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 10 retry 2
tunnel-group a.a.a.a type ipsec-l2l
tunnel-group a.a.a.a ipsec-attributes
 pre-shared-key *

asa# sh run access-list
access-list OUTSIDE_1_cryptomap; 4 elements
access-list OUTSIDE_1_cryptomap line 1 extended permit ip object-group INSIDE object-group other_side 0x630629d6
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.34 (hitcnt=0) 0x733eb8a3
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.35 (hitcnt=0) 0x46ccd28d
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.36 (hitcnt=0) 0x7ca34747
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.61 (hitcnt=0) 0xe23b7995
asa# packet-tracer input inSIDE icmp 10.1.1.15 8 0 10.2.2.61

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.2.2.0 255.255.255.0 OUTSIDE

Phase: 4
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.1.1.0 255.255.255.0 INSIDE

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group INSIDE-in in interface INSIDE
access-list INSIDE-in extended permit ip any any
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Does anybody know what might cause this problem?
Thank you,
-- Bogdan Sass
CCAI, CCSP, JNCIA-ER, CCIE #22221 (RS)
Information Systems Security Professional
"Curiosity was framed - ignorance killed the cat"
Blogs and organic groups at http://www.ccie.net

Received on Mon Jun 01 2009 - 10:21:48 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART
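The expanded crypto ACL in the post above writes its source entries as 10.1.1.15 255.255.252.255, and 255.255.252.255 is not a contiguous netmask (the third octet is 11111100 while the fourth is 11111111). Whether that mask is what causes the phase 8 drop is not established by the post; the following Python script is an added example, not part of the original message or of any Cisco tool, that makes such entries easier to inspect. It parses `show access-list` output, flags entries whose mask is non-contiguous or whose address has bits set outside the mask, enumerates what such an entry actually covers under plain bitwise matching, and reports which expanded entry a given source/destination pair matches. The sample input is the post's own ACL lines; the bitwise match rule ((packet & mask) == (entry & mask)), the function names and the `limit` parameter are this example's assumptions, not documented ASA behaviour.

```python
import ipaddress
import itertools
import re

# Constructed sample input: the "show access-list" lines quoted in the post,
# including the "; 4 elements" summary line so the parser has to skip it.
ACL_OUTPUT = """\
access-list OUTSIDE_1_cryptomap; 4 elements
access-list OUTSIDE_1_cryptomap line 1 extended permit ip object-group INSIDE object-group other_side 0x630629d6
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.34 (hitcnt=0) 0x733eb8a3
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.35 (hitcnt=0) 0x46ccd28d
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.36 (hitcnt=0) 0x7ca34747
access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.61 (hitcnt=0) 0xe23b7995
"""

ACE_PREFIX = re.compile(r"^access-list (\S+) line (\d+) extended (permit|deny) (\S+) (.*)$")
HITCNT = re.compile(r"\(hitcnt=(\d+)\)")


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _take_addr(tokens, i):
    """Consume one ASA address spec at tokens[i]; returns ((kind, value), next_i).
    kind is any / host / object-group / net, where net carries (addr, mask)."""
    t = tokens[i]
    if t == "any":
        return ("any", None), i + 1
    if t in ("host", "object-group"):
        return (t, tokens[i + 1]), i + 2
    return ("net", (t, tokens[i + 1])), i + 2


def parse_acl(text):
    """Parse 'show access-list' output into ACE dicts; summary lines are skipped."""
    aces = []
    for raw in text.splitlines():
        m = ACE_PREFIX.match(raw.strip())
        if not m:
            continue
        name, line, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _take_addr(tokens, 0)
        dst, i = _take_addr(tokens, i)
        hits = HITCNT.search(rest)  # object-group ACE itself carries no hitcnt here
        aces.append({"acl": name, "line": int(line), "action": action, "proto": proto,
                     "src": src, "dst": dst, "text": raw.strip(),
                     "hitcnt": int(hits.group(1)) if hits else None})
    return aces


def mask_is_contiguous(mask):
    """True when the mask is a run of 1 bits followed by a run of 0 bits (CIDR-style)."""
    zeros = (~_ip(mask)) & 0xFFFFFFFF
    return zeros & (zeros + 1) == 0


def audit_aces(aces):
    """{ace_index: [problem, ...]} for net specs with a non-contiguous mask or with
    address bits set in the masked-out part (the address is not the network base)."""
    problems = {}
    for idx, ace in enumerate(aces):
        for side in ("src", "dst"):
            kind, val = ace[side]
            if kind != "net":
                continue
            addr, mask = val
            if not mask_is_contiguous(mask):
                problems.setdefault(idx, []).append(f"{side}: mask {mask} is not contiguous")
            if _ip(addr) & ~_ip(mask) & 0xFFFFFFFF:
                problems.setdefault(idx, []).append(f"{side}: {addr} has bits set outside mask {mask}")
    return problems


def _spec_matches(spec, ip):
    kind, val = spec
    if kind == "any":
        return True
    if kind == "host":
        return _ip(val) == _ip(ip)
    if kind == "net":  # assumed plain bitwise wildcard semantics
        addr, mask = val
        m = _ip(mask)
        return (_ip(ip) & m) == (_ip(addr) & m)
    return False  # object-group members only appear via the expanded lines


def match_flow(aces, src_ip, dst_ip):
    """Indices of the ACEs a src->dst flow matches under bitwise matching."""
    return [i for i, a in enumerate(aces)
            if _spec_matches(a["src"], src_ip) and _spec_matches(a["dst"], dst_ip)]


def covered_addresses(addr, mask, limit=64):
    """All addresses an (addr, mask) entry covers; for a non-contiguous mask this
    shows which hosts the entry really permits. limit caps the enumeration."""
    a, m = _ip(addr), _ip(mask)
    free = [b for b in range(32) if not (m >> b) & 1]
    if 2 ** len(free) > limit:
        raise ValueError("entry covers too many addresses to list")
    base = a & m
    out = []
    for bits in itertools.product((0, 1), repeat=len(free)):
        v = base
        for bit, pos in zip(bits, free):
            v |= bit << pos
        out.append(str(ipaddress.IPv4Address(v)))
    return sorted(out, key=_ip)


if __name__ == "__main__":
    aces = parse_acl(ACL_OUTPUT)
    for idx, issues in audit_aces(aces).items():
        print(f"[{idx}] {aces[idx]['text']}")
        for issue in issues:
            print(f"      {issue}")
    print("10.1.1.15 255.255.252.255 covers:", covered_addresses("10.1.1.15", "255.255.252.255"))
    print("10.1.1.15 -> 10.2.2.61 matches ACE indices:", match_flow(aces, "10.1.1.15", "10.2.2.61"))
```

Run it against a pasted `show access-list` and compare the matched entry's hitcnt with what packet-tracer reports: an entry that the bitwise check says should match a flow, yet stays at hitcnt=0 while the flow is dropped in the VPN encrypt phase, is the one to look at first. The same checker works for any crypto or interface ACL whose entries were built from object-groups.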