Active tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Active tunnel

L4 Transporter

I have created site to site vpn tunnels from a palo alto 3020 to ASA 5505 firewalls. The show green and active through the CLI and the web console. But when I try to ping a server on the other side of the tunnel I get no reply, is the tunnel up? Is it really passing traffic?

28 REPLIES 28

L6 Presenter

Hello Infotech,

Tunnel has phase-1 and Phase-2, make sure both are up. There should be two green marks, and not just one.

If one mark is green and other one is RED, then either of the phase is down. Fix the Tunnel.

If both the marks are green, than check traffic log for the destination, packet might be reaching ASA, but no response.

Regards,

Hardik Shah

Both are marked green on the console I just cannot ping the server on the other side and the server is up and running

- Continuously ping server.

- execute command

show session all filter source <s> destination <d>

- find id based on above command, give output for show session id <id>

- Provide me above output.

If there are c2s packets and 0 packets for s2c, its a ASA issue.

L4 Transporter

Hello Infotech,

Check the System log to troubleshoot.

Verify that you have valid route for network pointed to tunnel interface.

Proxy-IDs for local and remote are configured to match the ASA.


ID      Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])

Vsys                                      Dst[Dport]/Zone (translated IP[Port])

--------------------------------------------------------------------------------

103483  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[136]/HergetVPNZone  (10.135.12.7[136])

103622  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[134]/HergetVPNZone  (10.135.12.7[134])

103927  undecided      ACTIVE  FLOW       10.135.100.3[33950]/Inside/6  (10.135.100.3[33950])

vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])

103316  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[133]/HergetVPNZone  (10.135.12.7[133])

103680  undecided      ACTIVE  FLOW       10.135.100.3[49193]/Inside/6  (10.135.100.3[49193])

vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])

103032  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[135]/HergetVPNZone  (10.135.12.7[135])

103841  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[132]/HergetVPNZone  (10.135.12.7[132])

103696  ping           ACTIVE  FLOW       10.135.100.3[7507]/Inside/1  (10.135.100.3[7507])

vsys1                                     10.135.12.7[137]/HergetVPNZone  (10.135.12.7[137])

~

provide me output for "show session id 103483 "

Session          103483

        c2s flow:
                source:      10.135.100.3 [Inside]
                dst:         10.135.12.7
                proto:       1
                sport:       7507            dport:      136
                state:       INIT            type:       FLOW
                src user:    herget_bank_nt\w469pa
                dst user:    unknown
                pbf rule:    Peoria_VPN_ITV3 7

        s2c flow:
                source:      10.135.12.7 [HergetVPNZone]
                dst:         10.135.100.3
                proto:       1
                sport:       136             dport:      7507
                state:       INIT            type:       FLOW
                src user:    unknown
                dst user:    herget_bank_nt\w469pa

        start time                    : Mon Jun 30 16:11:00 2014
        timeout                       : 6 sec
        total byte count(c2s)         : 98
        total byte count(s2c)         : 0
        layer7 packet count(c2s)      : 1
        layer7 packet count(s2c)      : 0
        vsys                          : vsys1
        application                   : ping
        rule                          : To Herget VPNs
        session to be logged at end   : True
        session in session ager       : False
        session synced from HA peer   : False
        layer7 processing             : enabled
        URL filtering enabled         : True
        URL category                  : any
        session via syn-cookies       : False
        session terminated on host    : False
        session traverses tunnel      : True
        captive portal session        : False
        ingress interface             : vlan.1
        egress interface              : tunnel.1
        session QoS rule              : N/A (class 4)

Its a problem with ASA

Please find my analysis.

layer7 packet count(c2s)      : 1   --- Firewall allowed packet and it sent

        layer7 packet count(s2c)      : 0  --- No reply came from ASA

        egress interface              : tunnel.1- Packet was sent on Tunnel 1



This was the error on the ASA side

4 Jun 30 2014 04:40:04 66.94.196.107 173.161.59.109 IPSEC: Received an ESP packet (SPI= 0x878E32A7, sequence number= 0x15C) from 66.94.196.107 (user= 66.94.196.107) to 173.161.59.109.  The decapsulated inner packet doesn't match the negotiated policy in the SA.  The packet specifies its destination as 10.135.12.7, its source as 10.135.100.3, and its protocol as tcp.  The SA specifies its local proxy as Peoria-Data/255.255.255.0/ip/0 and its remote_proxy as Sunset-Network/255.255.255.0/ip/0.

Looks like there is a mismatch between the IPs used on the PA and on the ASA.

Could the Peoria-Data and Sunset-Network be the wrong way round in the access list referred to in the crypto map on the ASA?  Most things on ASAs seem back to front 😉

Proxy mismatch, check Proxy ID on ASA, it should be reverse of crypto ACL on ASA

Just to add to it,

Please verify if PAN is encrypting packet, and sending through the tunnel.

> show vpn flow

>s how vpn flow tunnel-id x << where x=id number from above display


Verify encap and decap counters.


Thanks

Here is the output for the commands you asked me to run

tunnel  Peoria_IPSec_Tunnel1:Sunset
        id:                     10
        type:                   IPSec
        gateway id:             1
        local ip:               66.94.196.107
        peer ip:                173.161.59.109
        inner interface:        tunnel.1
        outer interface:        ethernet1/3
        state:                  active
        session:                95682
        tunnel mtu:             1428
        lifetime remain:        23585 sec
        latest rekey:           5215 seconds ago
        monitor:                off
        monitor packets seen:   0
        monitor packets reply:  0
        en/decap context:       668
        local spi:              80544957
        remote spi:             5325178E
        key type:               auto key
        protocol:               ESP
        auth algorithm:         SHA1
        enc  algorithm:         AES256
        proxy-id local ip:      10.135.10.0/24
        proxy-id remote ip:     10.135.12.0/24
        proxy-id protocol:      0
        proxy-id local port:    0
        proxy-id remote port:   0
        anti replay check:      yes
        copy tos:               no
        authentication errors:  0
        decryption errors:      0
        inner packet warnings:  0
        replay packets:         0
        packets received
          when lifetime expired:0
          when lifesize expired:0
        sending sequence:       1361
        receive sequence:       0
        encap packets:          610045
        decap packets:          0
        encap bytes:            53714408
        decap bytes:            0
        key acquire requests:   902

I will verify the proxy ids and makes sure they are correct, would the tunnel come up if there is a mismatch?

  • 8780 Views
  • 28 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!