Active tunnel

L4 Transporter

Active tunnel

I have created site-to-site VPN tunnels from a Palo Alto 3020 to ASA 5505 firewalls. They show green and active through the CLI and the web console, but when I try to ping a server on the other side of the tunnel I get no reply. Is the tunnel up? Is it really passing traffic?

L6 Presenter

Re: Active tunnel

Hello Infotech,

The tunnel has Phase-1 and Phase-2; make sure both are up. There should be two green marks, not just one.

If one mark is green and the other one is RED, then one of the phases is down. Fix the tunnel.

If both marks are green, then check the traffic log for the destination; the packet might be reaching the ASA but getting no response.

Regards,

Hardik Shah

L4 Transporter

Re: Active tunnel

Both are marked green on the console. I just cannot ping the server on the other side, and the server is up and running.

L6 Presenter

Re: Active tunnel

- Continuously ping the server.

- Execute the command:

show session all filter source <s> destination <d>

- Find the session ID in the output above, then get the output of show session id <id>.

- Provide me the above output.

If there are c2s packets and 0 packets for s2c, it's an ASA issue.

L4 Transporter

Re: Active tunnel

Hello Infotech,

Check the System log to troubleshoot.

Verify that you have a valid route for the remote network pointed at the tunnel interface.

Verify that the local and remote Proxy IDs are configured to match the ASA.


L4 Transporter

Re: Active tunnel

ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                      Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
103483  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[136]/HergetVPNZone  (10.135.12.7[136])
103622  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[134]/HergetVPNZone  (10.135.12.7[134])
103927  undecided      ACTIVE  FLOW       10.135.100.3[33950]/Inside/6  (10.135.100.3[33950])
vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])
103316  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[133]/HergetVPNZone  (10.135.12.7[133])
103680  undecided      ACTIVE  FLOW       10.135.100.3[49193]/Inside/6  (10.135.100.3[49193])
vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])
103032  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])
103841  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[132]/HergetVPNZone  (10.135.12.7[132])
103696  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])
vsys1                                     10.135.12.7[137]/HergetVPNZone  (10.135.12.7[137])

L6 Presenter

Re: Active tunnel

Provide me the output for "show session id 103483".

L4 Transporter

Re: Active tunnel

Session          103483

        c2s flow:
                source:      10.135.100.3 [Inside]
                dst:         10.135.12.7
                proto:       1
                sport:       7507            dport:      136
                state:       INIT            type:       FLOW
                src user:    herget_bank_nt\w469pa
                dst user:    unknown
                pbf rule:    Peoria_VPN_ITV3 7

        s2c flow:
                source:      10.135.12.7 [HergetVPNZone]
                dst:         10.135.100.3
                proto:       1
                sport:       136             dport:      7507
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    herget_bank_nt\w469pa

        start time                    : Mon Jun 30 16:11:00 2014
        timeout                       : 6 sec
        total byte count(c2s)         : 98
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ping
        rule                          : To Herget VPNs
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : True
        captive portal session        : False
        ingress interface             : vlan.1
        egress interface              : tunnel.1
        session QoS rule              : N/A (class 4)

L6 Presenter

Re: Active tunnel

It's a problem with the ASA.

Please find my analysis:

layer7 packet count(c2s)      : 1          --- Firewall allowed the packet and sent it
layer7 packet count(s2c)      : 0          --- No reply came from the ASA
egress interface              : tunnel.1   --- Packet was sent out on tunnel.1
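The check Hardik applies by eye in the procedure above (ping continuously, find the session, read the c2s and s2c counters) and in this analysis can be scripted. The following is an added example, not code from the thread or from Palo Alto Networks: it parses a pasted "show session id" block, pulls out the layer7 packet counters, the egress interface and the "session traverses tunnel" flag, and classifies the session. It also goes one step beyond the thread by distinguishing "sent into the tunnel, no reply" (look at the far end, as concluded here) from "left via a non-tunnel interface" (the route does not point at the tunnel interface, as suggested earlier in the thread). The first sample is the session from the thread, trimmed to the fields parsed; SESSION_HEALTHY and SESSION_MISROUTED are constructed for contrast.

```python
import re
from dataclasses import dataclass

# "show session id" output pasted in the thread above, trimmed to the fields parsed here.
SESSION_ONE_WAY = """\
Session          103483
        c2s flow:
                source:      10.135.100.3 [Inside]
                sport:       7507            dport:      136
        s2c flow:
                source:      10.135.12.7 [HergetVPNZone]
                sport:       136             dport:      7507
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        application                   : ping
        session traverses tunnel      : True
        ingress interface             : vlan.1
        egress interface              : tunnel.1
"""

# Constructed counterpart (not from the thread): the same flow once replies come back.
SESSION_HEALTHY = """\
Session          103484
        layer7 packet count(c2s)      : 5
        layer7 packet count(s2c)      : 5
        application                   : ping
        session traverses tunnel      : True
        ingress interface             : vlan.1
        egress interface              : tunnel.1
"""

# Constructed: packets leave via a non-tunnel interface, so the route never pointed at the tunnel.
SESSION_MISROUTED = """\
Session          103485
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        application                   : ping
        session traverses tunnel      : False
        ingress interface             : vlan.1
        egress interface              : ethernet1/1
"""

ID_RE = re.compile(r"^\s*Session\s+(?P<id>\d+)\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


@dataclass
class SessionInfo:
    session_id: int
    application: str
    c2s_pkts: int
    s2c_pkts: int
    ingress: str
    egress: str
    traverses_tunnel: bool


def parse_session(text: str) -> SessionInfo:
    """Pull the counters and interfaces out of one 'show session id' block."""
    session_id = None
    fields = {}
    for line in text.splitlines():
        m = ID_RE.match(line)
        if m:
            session_id = int(m.group("id"))
            continue
        m = KV_RE.match(line)
        if m:
            fields.setdefault(m.group("key"), m.group("val"))  # first occurrence wins (c2s before s2c)
    if session_id is None:
        raise ValueError("no 'Session <id>' header in output")
    return SessionInfo(
        session_id=session_id,
        application=fields["application"],
        c2s_pkts=int(fields["layer7 packet count(c2s)"]),
        s2c_pkts=int(fields["layer7 packet count(s2c)"]),
        ingress=fields["ingress interface"],
        egress=fields["egress interface"],
        traverses_tunnel=fields["session traverses tunnel"] == "True",
    )


def diagnose(s: SessionInfo) -> str:
    """Rule of thumb from the thread: c2s > 0 with s2c == 0 means the far end is not replying."""
    if s.c2s_pkts == 0:
        return "NO_TRAFFIC"            # nothing was forwarded yet; keep the ping running
    if s.s2c_pkts > 0:
        return "BIDIRECTIONAL"         # replies are flowing back; the tunnel passes traffic
    if s.traverses_tunnel and s.egress.startswith("tunnel."):
        return "ONE_WAY_TUNNEL"        # sent into the tunnel, no reply: investigate the ASA side
    return "ONE_WAY_NOT_TUNNELED"      # left via a non-tunnel interface: fix the route to tunnel.x


if __name__ == "__main__":
    for sample in (SESSION_ONE_WAY, SESSION_HEALTHY, SESSION_MISROUTED):
        info = parse_session(sample)
        print(info.session_id, info.application, f"c2s={info.c2s_pkts} s2c={info.s2c_pkts}",
              info.egress, diagnose(info))
```

Paste the real output into SESSION_ONE_WAY's place (or read it from a file) and run the script; ONE_WAY_TUNNEL is the case this thread ends in, and the next place to look is the ASA's own log.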


L4 Transporter

Re: Active tunnel


This was the error on the ASA side

4 Jun 30 2014 04:40:04 66.94.196.107 173.161.59.109 IPSEC: Received an ESP packet (SPI= 0x878E32A7, sequence number= 0x15C) from 66.94.196.107 (user= 66.94.196.107) to 173.161.59.109.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.135.12.7, its source as 10.135.100.3, and its protocol as tcp.  The SA specifies its local proxy as Peoria-Data/255.255.255.0/ip/0 and its remote_proxy as Sunset-Network/255.255.255.0/ip/0.
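The ASA message above is the far-end counterpart of the one-way session on the Palo Alto: the ESP packet decrypts fine, but the inner packet is rejected because it does not fit the proxy IDs negotiated for the SA. This is the "Proxy IDs match the ASA" check from earlier in the thread, made concrete. The following added example (not code from the thread or from Cisco) parses that syslog line, extracts the inner packet and both proxies, and re-runs the ASA's comparison. The ASA logs object names (Peoria-Data, Sunset-Network) rather than addresses, so the address values in OBJECTS_MATCHING and OBJECTS_MISMATCHED are constructed assumptions for the example; on a real device you would take them from the object definitions in the running config.

```python
import re
import ipaddress

# ASA syslog line quoted in the thread above, verbatim.
ASA_LOG = (
    "4 Jun 30 2014 04:40:04 66.94.196.107 173.161.59.109 IPSEC: Received an ESP packet "
    "(SPI= 0x878E32A7, sequence number= 0x15C) from 66.94.196.107 (user= 66.94.196.107) "
    "to 173.161.59.109.  The decapsulated inner packet doesn't match the negotiated policy "
    "in the SA.  The packet specifies its destination as 10.135.12.7, its source as "
    "10.135.100.3, and its protocol as tcp.  The SA specifies its local proxy as "
    "Peoria-Data/255.255.255.0/ip/0 and its remote_proxy as Sunset-Network/255.255.255.0/ip/0."
)

# The ASA logs object names, not addresses. These addresses are constructed assumptions for
# the example; on a real device they come from the object definitions in the running config.
OBJECTS_MATCHING = {"Peoria-Data": "10.135.12.0", "Sunset-Network": "10.135.100.0"}
OBJECTS_MISMATCHED = {"Peoria-Data": "10.135.12.0", "Sunset-Network": "10.135.200.0"}

SPI_RE = re.compile(r"SPI= (?P<spi>0x[0-9A-Fa-f]+)")
INNER_RE = re.compile(
    r"destination as (?P<dst>[\d.]+), its source as (?P<src>[\d.]+), "
    r"and its protocol as (?P<proto>\w+)"
)
PROXY_RE = re.compile(
    r"(?P<side>local proxy|remote_proxy) as "
    r"(?P<name>[^/\s]+)/(?P<mask>[\d.]+)/(?P<proto>\w+)/(?P<port>\d+)"
)


def parse_asa_mismatch(line: str) -> dict:
    """Extract the inner packet and both SA proxies from the policy-mismatch message."""
    spi, inner = SPI_RE.search(line), INNER_RE.search(line)
    proxies = {m.group("side"): m.groupdict() for m in PROXY_RE.finditer(line)}
    if not spi or not inner or set(proxies) != {"local proxy", "remote_proxy"}:
        raise ValueError("not an IPSEC policy-mismatch message")
    return {
        "spi": spi.group("spi"),
        "src": inner.group("src"),
        "dst": inner.group("dst"),
        "proto": inner.group("proto"),
        "local": proxies["local proxy"],
        "remote": proxies["remote_proxy"],
    }


def _proxy_network(proxy: dict, objects: dict) -> ipaddress.IPv4Network:
    # Resolve the object name and apply the dotted mask the ASA printed.
    return ipaddress.ip_network(f"{objects[proxy['name']]}/{proxy['mask']}", strict=False)


def check_inner_packet(parsed: dict, objects: dict) -> list:
    """Re-run the ASA's check: an inbound inner packet must be sourced from the remote proxy,
    addressed to the local proxy, and use a protocol the SA covers ('ip' covers everything;
    port 0 means any port, so ports are not compared here)."""
    problems = []
    local_net = _proxy_network(parsed["local"], objects)
    remote_net = _proxy_network(parsed["remote"], objects)
    src, dst = ipaddress.ip_address(parsed["src"]), ipaddress.ip_address(parsed["dst"])
    if src not in remote_net:
        problems.append(f"source {src} is outside remote proxy {remote_net}")
    if dst not in local_net:
        problems.append(f"destination {dst} is outside local proxy {local_net}")
    for side in ("local", "remote"):
        sa_proto = parsed[side]["proto"]
        if sa_proto != "ip" and sa_proto != parsed["proto"]:
            problems.append(f"{side} proxy protocol {sa_proto} does not cover {parsed['proto']}")
    return problems


if __name__ == "__main__":
    parsed = parse_asa_mismatch(ASA_LOG)
    print("SPI", parsed["spi"], parsed["src"], "->", parsed["dst"], parsed["proto"])
    for label, objects in (("matching", OBJECTS_MATCHING), ("mismatched", OBJECTS_MISMATCHED)):
        print(label, check_inner_packet(parsed, objects) or ["no mismatch"])
```

Whichever side reports a problem tells you which proxy ID to compare against the Palo Alto's Proxy ID configuration for the tunnel; the two peers must agree on both the local and remote networks (and protocol) or the ASA will keep dropping the decapsulated packets exactly as logged here.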
