ASA VPN Issue

the_Grinch (Member, Posts: 4,165)
So I'm trying to get a second tunnel up and I am running into an issue. This is what I get from a packet trace:

packet-tracer input inside tcp 192.168.137.37 22 10.11.89.12 22
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static US US destination static THEM THEM
Additional Information:
NAT divert to egress interface outside
Untranslate 10.11.89.12/22 to 10.11.89.12/22

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static US US destination static THEM THEM
Additional Information:
Static translate 192.168.137.37/22 to 192.168.137.37/22
Forward Flow based lookup yields rule:
in id=0x7fff206b7f70, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fff2a3f8c10, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.137.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.11.89.12, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=outside

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff1fd322d0, priority=1, domain=nat-per-session, deny=true
hits=6793, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a308310, priority=0, domain=inspect-ip-options, deny=true
hits=696, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff20229010, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x0, cs_id=0x7fff29cbd330, reverse, flags=0x0, protocol=0
src ip/id=192.168.137.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=10.11.89.12, mask=255.255.255.255, port=0, tag=0 dscp=0x0
input_ifc=any, output_ifc=outside

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

It appears that it's not even getting sent out, but I'm not 100% sure why.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • the_Grinch (Member, Posts: 4,165)
    Figured it out! We're connecting to a Fortinet on the other end and they gave me two configurations that I needed to add, but didn't. Added them and bam we're good to go!
  • apr911 (Member, Posts: 380)
    Awesome! A couple of things to note for whoever may run across this in the future...

    1. You need to run packet-tracer twice. The first time initiates the tunnel (ending with VPN Encrypt Drop) and the second should succeed.
    2. Typically, if you reach VPN Encrypt Drop, you've configured the tunnel "correctly" but there is a mismatch between the 2 sides. If you're not reaching the VPN Encrypt Drop phase, then there is something wrong with your configuration.
    3. It's near impossible to troubleshoot VPNs that reach VPN Encrypt Drop just from the packet-tracer (you're basically shooting in the dark, and even a blind squirrel finds a nut sometimes)... Firewall logs, configurations and debugs are the next go-to here.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
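The following is an added example, not code from either poster. It takes the rule of thumb in apr911's comment (a DROP in the VPN/encrypt phase means the crypto map matched locally, so look at the peer; a DROP before that phase means a local ACL/NAT/route problem; judge on the second run, since the first only kicks off tunnel negotiation) and turns it into a small parser over ASA packet-tracer output. The sample traces are constructed: FIRST_RUN is an abridged copy of the trace posted above, and SECOND_RUN is the same trace edited to show the flow allowed after the tunnel came up. The names Phase, Trace, parse_trace, classify and diagnose are this example's own.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample (abridged from the trace in the original post): the
# first packet-tracer run drops in the VPN encrypt phase.
FIRST_RUN = """\
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static US US destination static THEM THEM
Additional Information:
NAT divert to egress interface outside

Phase: 5
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff20229010, priority=70, domain=encrypt, deny=false

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# Constructed second run: same 5-tuple after the tunnel has negotiated.
SECOND_RUN = FIRST_RUN.replace("Result: DROP", "Result: ALLOW").replace(
    "Action: drop\nDrop-reason: (acl-drop) Flow is denied by configured rule\n",
    "Action: allow\n")


@dataclass
class Phase:
    number: int
    kind: str = ""          # the "Type:" line (UN-NAT, NAT, VPN, ...)
    subtype: str = ""
    result: str = ""        # ALLOW or DROP
    config: List[str] = field(default_factory=list)
    info: List[str] = field(default_factory=list)


@dataclass
class Trace:
    phases: List[Phase]
    action: str             # final "Action:" line
    drop_reason: str        # final "Drop-reason:" line, empty when allowed


def parse_trace(text: str) -> Trace:
    """Split packet-tracer output into its numbered phases and the final summary."""
    phases: List[Phase] = []
    current: Optional[Phase] = None
    bucket: Optional[List[str]] = None
    action, drop_reason = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            current = Phase(int(line.split(":", 1)[1]))
            phases.append(current)
            bucket = None
        elif line == "Result:":             # bare header opens the final summary
            current, bucket = None, None
        elif current is None:               # summary block
            if line.startswith("Action:"):
                action = line.split(":", 1)[1].strip()
            elif line.startswith("Drop-reason:"):
                drop_reason = line.split(":", 1)[1].strip()
        elif line.startswith("Type:"):
            current.kind = line.split(":", 1)[1].strip()
        elif line.startswith("Subtype:"):
            current.subtype = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current.result = line.split(":", 1)[1].strip()
        elif line == "Config:":
            bucket = current.config
        elif line == "Additional Information:":
            bucket = current.info
        elif bucket is not None:
            bucket.append(line)
    return Trace(phases, action, drop_reason)


def dropping_phase(trace: Trace) -> Optional[Phase]:
    """First phase whose Result is DROP, or None if the flow was allowed."""
    return next((p for p in trace.phases if p.result == "DROP"), None)


def classify(trace: Trace) -> str:
    """Where a single run drops tells you what to check next (apr911's heuristic)."""
    phase = dropping_phase(trace)
    if phase is None:
        return "allowed"
    if phase.kind == "VPN" and phase.subtype == "encrypt":
        return "vpn-encrypt-drop"   # crypto map matched: tunnel negotiating, or peers disagree
    return "pre-vpn-drop"           # never reached the crypto map: local ACL/NAT/route issue


def diagnose(first: str, second: str) -> str:
    """Judge two consecutive runs; the first run only triggers negotiation."""
    a, b = classify(parse_trace(first)), classify(parse_trace(second))
    if a == "vpn-encrypt-drop" and b == "allowed":
        return "tunnel-up"
    if a == "vpn-encrypt-drop" and b == "vpn-encrypt-drop":
        return "peer-mismatch-suspected"
    if "pre-vpn-drop" in (a, b):
        return "local-config-error"
    return "allowed" if b == "allowed" else "undetermined"


if __name__ == "__main__":
    print(diagnose(FIRST_RUN, SECOND_RUN))   # tunnel-up
    print(diagnose(FIRST_RUN, FIRST_RUN))    # peer-mismatch-suspected
```

When diagnose returns peer-mismatch-suspected, the parser has done all it can; as the comment says, the next step is the ASA's own state and debugs (for example `show crypto isakmp sa` and `show crypto ipsec sa` to see which proposal, if any, completed) compared against the peer's configuration.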