Why are you using this strange mask in the ACL?
10.1.1.15 255.255.252.255
Regards
Farrukh
On Mon, Jun 1, 2009 at 10:21 AM, Bogdan Sass <bogdan.sass_at_catc.ro> wrote:
> When configuring a site-to-site VPN between two ASAs, sometimes part of
> the traffic that should go through the tunnel doesn't make it across. If I
> run the same type of traffic through packet tracer on the sending end, I get
> the following message:
>
> Phase: 8
> Type: VPN
> Subtype: encrypt
> Result: DROP
> Config:
> Additional Information:
>
> Result:
> input-interface: INSIDE
> input-status: up
> input-line-status: up
> output-interface: INSIDE
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
> So far, the problem occurred on several devices. It seems to occur only
> when the crypto ACLs have multiple entries, and only for traffic matching
> some of those entries (i.e., not for all the traffic going through the
> tunnel).
>
> Below you will find the relevant configuration from one of the devices
> (sanitized), and the packet-tracer output.
>
> asa# sh run crypto isakmp
> crypto isakmp identity address
> crypto isakmp enable OUTSIDE
> crypto isakmp policy 10
> authentication pre-share
> encryption aes
> hash sha
> group 2
> lifetime 86400
> crypto isakmp policy 20
> authentication pre-share
> encryption 3des
> hash md5
> group 2
> lifetime 86400
> crypto isakmp policy 30
> authentication pre-share
> encryption 3des
> hash sha
> group 2
> lifetime 86400
> crypto isakmp nat-traversal 10
>
>
> asa# sh run crypto ipsec
> crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
> crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
> crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
> crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
> crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
> crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> crypto ipsec security-association lifetime seconds 28800
> crypto ipsec security-association lifetime kilobytes 4608000
> crypto ipsec df-bit clear-df INSIDE
> crypto ipsec df-bit clear-df OUTSIDE
>
>
> asa# sh run crypto map
> crypto map OUTSIDE_map 1 match address OUTSIDE_1_cryptomap
> crypto map OUTSIDE_map 1 set pfs
> crypto map OUTSIDE_map 1 set peer a.a.a.a
> crypto map OUTSIDE_map 1 set transform-set ESP-3DES-SHA
> crypto map OUTSIDE_map 1 set security-association lifetime seconds 28800
> crypto map OUTSIDE_map 1 set security-association lifetime kilobytes 4608000
> crypto map OUTSIDE_map 65535 ipsec-isakmp dynamic OUTSIDE_dyn_map
> crypto map OUTSIDE_map interface OUTSIDE
>
>
> ASSA-ABBLOY# sh run tunnel-group
> tunnel-group DefaultRAGroup ipsec-attributes
> isakmp keepalive threshold 10 retry 2
> tunnel-group DefaultWEBVPNGroup ipsec-attributes
> isakmp keepalive threshold 10 retry 2
> tunnel-group VPN1 type remote-access
> tunnel-group VPN1 general-attributes
> address-pool VPNPOOL
> default-group-policy VPN1
> tunnel-group VPN1 ipsec-attributes
> pre-shared-key *
> isakmp keepalive threshold 10 retry 2
> tunnel-group a.a.a.a type ipsec-l2l
> tunnel-group a.a.a.a ipsec-attributes
> pre-shared-key *
>
>
> asa# sh run access-list
> access-list OUTSIDE_1_cryptomap; 4 elements
> access-list OUTSIDE_1_cryptomap line 1 extended permit ip object-group INSIDE object-group other_side 0x630629d6
>   access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.34 (hitcnt=0) 0x733eb8a3
>   access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.35 (hitcnt=0) 0x46ccd28d
>   access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.36 (hitcnt=0) 0x7ca34747
>   access-list OUTSIDE_1_cryptomap line 1 extended permit ip 10.1.1.15 255.255.252.255 host 10.2.2.61 (hitcnt=0) 0xe23b7995
>
>
> asa# packet-tracer input inSIDE icmp 10.1.1.15 8 0 10.2.2.61
> Phase: 1
> Type: ACCESS-LIST
> Subtype:
> Result: ALLOW
> Config:
> Implicit Rule
> Additional Information:
> MAC Access list
>
> Phase: 2
> Type: FLOW-LOOKUP
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
> Found no matching flow, creating a new flow
>
> Phase: 3
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 10.2.2.0 255.255.255.0 OUTSIDE
>
> Phase: 4
> Type: ROUTE-LOOKUP
> Subtype: input
> Result: ALLOW
> Config:
> Additional Information:
> in 10.1.1.0 255.255.255.0 INSIDE
>
> Phase: 5
> Type: ACCESS-LIST
> Subtype: log
> Result: ALLOW
> Config:
> access-group INSIDE-in in interface INSIDE
> access-list INSIDE-in extended permit ip any any
> Additional Information:
>
> Phase: 6
> Type: IP-OPTIONS
> Subtype:
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 7
> Type: INSPECT
> Subtype: np-inspect
> Result: ALLOW
> Config:
> Additional Information:
>
> Phase: 8
> Type: VPN
> Subtype: encrypt
> Result: DROP
> Config:
> Additional Information:
>
> Result:
> input-interface: INSIDE
> input-status: up
> input-line-status: up
> output-interface: INSIDE
> output-status: up
> output-line-status: up
> Action: drop
> Drop-reason: (acl-drop) Flow is denied by configured rule
>
>
> Does anybody know what might cause this problem?
>
> Thank you,
>
> --
> Bogdan Sass
> CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
> Information Systems Security Professional
> "Curiosity was framed - ignorance killed the cat"
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Jun 01 2009 - 10:38:29 ART
This archive was generated by hypermail 2.2.0 : Wed Jul 01 2009 - 20:02:36 ART