Options
IOS to ASA IpSec VPN
Netstudent
Member Posts: 1,693 ■■■□□□□□□□
in Off-Topic
Hey I just created a VPN form a remote site to our datacenter. Anyways when I try to ping a certain subnet I get this error in ASA at the datacenter.
This is a ping innitiated from the remote site, destined for the data center. But this message is from the ASA in the data center.
6 Mar 26 2008 18:43:53 302020 192.168.111.1 10.39.158.1 Built outbound ICMP connection for faddr 192.168.111.1/13 gaddr 10.39.158.1/0 laddr 10.39.158.1/0
4 Mar 26 2008 18:43:53 313004 Denied ICMP type=0, from laddr 10.39.158.1 on interface inside to 192.168.111.1: no matching session
First it builds the outbound ICMP connection as it is destined for 10.39.158.1 which is inside the datacenter. Then the ASA Denies the echo reply as it comes back to the firewall, destined for the remotesite across the IPsec tunnel. I can ping just about everyother subnet at the data center, just not 10.39.158.1. I do have routes to this subnet. My ASA is blocking the reply, WHY????? How could build the session and then say no matching session?
This is a ping innitiated from the remote site, destined for the data center. But this message is from the ASA in the data center.
6 Mar 26 2008 18:43:53 302020 192.168.111.1 10.39.158.1 Built outbound ICMP connection for faddr 192.168.111.1/13 gaddr 10.39.158.1/0 laddr 10.39.158.1/0
4 Mar 26 2008 18:43:53 313004 Denied ICMP type=0, from laddr 10.39.158.1 on interface inside to 192.168.111.1: no matching session
First it builds the outbound ICMP connection as it is destined for 10.39.158.1 which is inside the datacenter. Then the ASA Denies the echo reply as it comes back to the firewall, destined for the remotesite across the IPsec tunnel. I can ping just about everyother subnet at the data center, just not 10.39.158.1. I do have routes to this subnet. My ASA is blocking the reply, WHY????? How could build the session and then say no matching session?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Comments
-
Options
dtlokee
Member Posts: 2,378 ■■■■□□□□□□
Could be related to the fact the traffic is trying to go from an interface to the same interface which has the same security level. You may need the "same-security-traffic permit intra-interface" command
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtmlThe only easy day was yesterday! -
Options
Ahriakin
Member Posts: 1,799 ■■■■■■■■□□
Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place? -
Optionsliven
Member Posts: 918
Ahriakin wrote:Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....
Agreed this very thing bit me in the @ss last time I set this up. Unfortunately I had to deal with a third party who was controlling one end of the VPN. Made it very difficult to setup.encrypt the encryption, never mind my brain hurts. -
OptionsAhriakin
Member Posts: 1,799 ■■■■■■■■□□
Also it can be incomplete NAT-0 on the other side, again it's an ACL thing just a different rule to check.We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
-
OptionsNetstudent
Member Posts: 1,693 ■■■□□□□□□□
It wasn;t the ACL or the NAt statement to not xlate. But I took down the VPN to the ASA and rerouted it back to a checkpoint NGX box.
Came into work this morning, double checked crypto ipsec security-association lifetime and isakmp keepalives, started a ping and it went through no problems. I did not get any syslog messages on the ASA at the datacenter blocking my pings.
Kind of a wierd thing, but I think it all stems from having 2 crypto map sequences that are almost identicle. The only difference is the peer.There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!