IOS to ASA IpSec VPN

NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
Hey I just created a VPN form a remote site to our datacenter. Anyways when I try to ping a certain subnet I get this error in ASA at the datacenter.

This is a ping innitiated from the remote site, destined for the data center. But this message is from the ASA in the data center.


6 Mar 26 2008 18:43:53 302020 192.168.111.1 10.39.158.1 Built outbound ICMP connection for faddr 192.168.111.1/13 gaddr 10.39.158.1/0 laddr 10.39.158.1/0

4 Mar 26 2008 18:43:53 313004 Denied ICMP type=0, from laddr 10.39.158.1 on interface inside to 192.168.111.1: no matching session




First it builds the outbound ICMP connection as it is destined for 10.39.158.1 which is inside the datacenter. Then the ASA Denies the echo reply as it comes back to the firewall, destined for the remotesite across the IPsec tunnel. I can ping just about everyother subnet at the data center, just not 10.39.158.1. I do have routes to this subnet. My ASA is blocking the reply, WHY????? How could build the session and then say no matching session?
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!

Comments

  • dtlokeedtlokee Member Posts: 2,378 ■■■■□□□□□□
    Could be related to the fact the traffic is trying to go from an interface to the same interface which has the same security level. You may need the "same-security-traffic permit intra-interface" command

    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080734db7.shtml
    The only easy day was yesterday!
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • livenliven Member Posts: 918
    Ahriakin wrote:
    Are you sure the interesting traffic is correctly identified on the other side? IPSEC SAs are unidirectional so it is possible to have a working outgoing tunnel and a non-functional return tunnel. The fact that the IKE tunnel is working fine, other subnets at the other end are fine and outgoing to that subnet works really does point to subnet/interesting traffic configuration. Check your ACLs....


    Agreed this very thing bit me in the @ss last time I set this up. Unfortunately I had to deal with a third party who was controlling one end of the VPN. Made it very difficult to setup.
    encrypt the encryption, never mind my brain hurts.
  • AhriakinAhriakin Member Posts: 1,799 ■■■■■■■■□□
    Also it can be incomplete NAT-0 on the other side, again it's an ACL thing just a different rule to check.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • NetstudentNetstudent Member Posts: 1,693 ■■■□□□□□□□
    It wasn;t the ACL or the NAt statement to not xlate. But I took down the VPN to the ASA and rerouted it back to a checkpoint NGX box.

    Came into work this morning, double checked crypto ipsec security-association lifetime and isakmp keepalives, started a ping and it went through no problems. I did not get any syslog messages on the ASA at the datacenter blocking my pings.

    Kind of a wierd thing, but I think it all stems from having 2 crypto map sequences that are almost identicle. The only difference is the peer.
    There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
Sign In or Register to comment.