06-30-2014 01:18 PM
I have created site-to-site VPN tunnels from a Palo Alto 3020 to ASA 5505 firewalls. They show green and active through the CLI and the web console. But when I try to ping a server on the other side of the tunnel I get no reply. Is the tunnel up? Is it really passing traffic?
06-30-2014 01:54 PM
Hello Infotech,
The tunnel has Phase 1 and Phase 2; make sure both are up. There should be two green marks, not just one.
If one mark is green and the other one is RED, then one of the phases is down. Fix the tunnel.
If both marks are green, then check the traffic log for the destination; the packet might be reaching the ASA but getting no response.
Regards,
Hardik Shah
06-30-2014 01:59 PM
Both are marked green on the console. I just cannot ping the server on the other side, and the server is up and running.
06-30-2014 02:01 PM
- Continuously ping the server.
- Execute the command:
show session all filter source <s> destination <d>
- Find the ID from the above command, then give the output of show session id <id>
- Provide me the above output.
If there are c2s packets and 0 packets for s2c, it's an ASA issue.
06-30-2014 02:10 PM
Hello Infotech,
Check the system log to troubleshoot.
Verify that you have a valid route for the network pointed to the tunnel interface.
Proxy IDs for local and remote are configured to match the ASA.
06-30-2014 02:12 PM
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
103483 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[136]/HergetVPNZone (10.135.12.7[136])
103622 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[134]/HergetVPNZone (10.135.12.7[134])
103927 undecided ACTIVE FLOW 10.135.100.3[33950]/Inside/6 (10.135.100.3[33950])
vsys1 10.135.12.7[135]/HergetVPNZone (10.135.12.7[135])
103316 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[133]/HergetVPNZone (10.135.12.7[133])
103680 undecided ACTIVE FLOW 10.135.100.3[49193]/Inside/6 (10.135.100.3[49193])
vsys1 10.135.12.7[135]/HergetVPNZone (10.135.12.7[135])
103032 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[135]/HergetVPNZone (10.135.12.7[135])
103841 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[132]/HergetVPNZone (10.135.12.7[132])
103696 ping ACTIVE FLOW 10.135.100.3[7507]/Inside/1 (10.135.100.3[7507])
vsys1 10.135.12.7[137]/HergetVPNZone (10.135.12.7[137])
06-30-2014 02:17 PM
Provide me the output for "show session id 103483".
06-30-2014 02:19 PM
Session 103483
c2s flow:
source: 10.135.100.3 [Inside]
dst: 10.135.12.7
proto: 1
sport: 7507 dport: 136
state: INIT type: FLOW
src user: herget_bank_nt\w469pa
dst user: unknown
pbf rule: Peoria_VPN_ITV3 7
s2c flow:
source: 10.135.12.7 [HergetVPNZone]
dst: 10.135.100.3
proto: 1
sport: 136 dport: 7507
state: INIT type: FLOW
src user: unknown
dst user: herget_bank_nt\w469pa
start time : Mon Jun 30 16:11:00 2014
timeout : 6 sec
total byte count(c2s) : 98
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys1
application : ping
rule : To Herget VPNs
session to be logged at end : True
session in session ager : False
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : vlan.1
egress interface : tunnel.1
session QoS rule : N/A (class 4)
06-30-2014 02:22 PM
It's a problem with the ASA.
Please find my analysis.
layer7 packet count(c2s) : 1 --- Firewall allowed the packet and sent it
layer7 packet count(s2c) : 0 --- No reply came from the ASA
egress interface : tunnel.1 --- Packet was sent on tunnel.1
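The triage rule in the replies above (c2s packets present, s2c packets zero, egress on a tunnel interface) is easy to apply by hand to one session, but a small script is handy when you have several sessions pasted in. The following is an added example, not code from this thread or from Palo Alto Networks; it parses a `show session id` block (the embedded sample is a constructed copy of the output pasted earlier in the thread) and returns one of four verdicts. It also covers two cases the thread only hints at: no c2s packets at all (local policy or route problem) and an egress interface that is not a tunnel (route not pointing at the tunnel, as one reply suggested checking).

```python
# Added example (not from the thread): parse a pasted `show session id` block
# and apply the triage rule from the replies above.

# Constructed sample modelled on the session output pasted in the thread.
SAMPLE_SESSION = """\
Session 103483
c2s flow:
source: 10.135.100.3 [Inside]
dst: 10.135.12.7
proto: 1
sport: 7507 dport: 136
state: INIT type: FLOW
s2c flow:
source: 10.135.12.7 [HergetVPNZone]
dst: 10.135.100.3
proto: 1
sport: 136 dport: 7507
state: INIT type: FLOW
total byte count(c2s) : 98
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
application : ping
rule : To Herget VPNs
session traverses tunnel : True
ingress interface : vlan.1
egress interface : tunnel.1
"""


def parse_session(text):
    """Split 'key : value' lines into a dict. Later duplicates (the s2c block
    repeats 'source'/'dst') win, which is fine because only the per-session
    counters and interface names are used below."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def diagnose_session(text):
    """Return (verdict, explanation) for one session.

    not-forwarded  - the firewall never sent the packet (policy/NAT/route)
    not-tunneled   - packets left, but not via a tunnel interface (routing)
    one-way        - packets were sent through the tunnel, nothing came back
    bidirectional  - replies are flowing
    """
    f = parse_session(text)
    c2s = int(f.get("layer7 packet count(c2s)", 0))
    s2c = int(f.get("layer7 packet count(s2c)", 0))
    egress = f.get("egress interface", "")
    via_tunnel = f.get("session traverses tunnel", "").lower() == "true"

    if c2s == 0:
        return ("not-forwarded",
                "no c2s packets: check security policy, NAT and the route to the destination")
    if not via_tunnel or not egress.startswith("tunnel."):
        return ("not-tunneled",
                f"traffic egresses {egress!r} instead of a tunnel interface: "
                "check that the route points at the tunnel")
    if s2c == 0:
        return ("one-way",
                f"{c2s} packet(s) went out {egress} through the tunnel, 0 replies: "
                "look at the remote peer (proxy-IDs, crypto ACL, far-side routing and ACLs)")
    return "bidirectional", f"{c2s} packets out, {s2c} packets back"


if __name__ == "__main__":
    verdict, why = diagnose_session(SAMPLE_SESSION)
    print(f"{verdict}: {why}")
```

Run it as-is and the pasted session comes back as `one-way`; paste a different `show session id` block into `SAMPLE_SESSION` to triage another session.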
06-30-2014 02:24 PM
This was the error on the ASA side
4 Jun 30 2014 04:40:04 66.94.196.107 173.161.59.109 IPSEC: Received an ESP packet (SPI= 0x878E32A7, sequence number= 0x15C) from 66.94.196.107 (user= 66.94.196.107) to 173.161.59.109. The decapsulated inner packet doesn't match the negotiated policy in the SA. The packet specifies its destination as 10.135.12.7, its source as 10.135.100.3, and its protocol as tcp. The SA specifies its local proxy as Peoria-Data/255.255.255.0/ip/0 and its remote_proxy as Sunset-Network/255.255.255.0/ip/0.
06-30-2014 02:46 PM
Looks like there is a mismatch between the IPs used on the PA and on the ASA.
Could the Peoria-Data and Sunset-Network be the wrong way round in the access list referred to in the crypto map on the ASA? Most things on ASAs seem back to front 😉
06-30-2014 02:59 PM
Proxy mismatch; check the Proxy ID on the ASA, it should be the reverse of the crypto ACL on the ASA.
06-30-2014 03:48 PM
Just to add to it,
Please verify that the PAN is encrypting packets and sending them through the tunnel.
> show vpn flow
> show vpn flow tunnel-id x   << where x = id number from the above display
Verify the encap and decap counters.
Thanks
07-01-2014 05:59 AM
Here is the output for the commands you asked me to run:
tunnel Peoria_IPSec_Tunnel1:Sunset
id: 10
type: IPSec
gateway id: 1
local ip: 66.94.196.107
peer ip: 173.161.59.109
inner interface: tunnel.1
outer interface: ethernet1/3
state: active
session: 95682
tunnel mtu: 1428
lifetime remain: 23585 sec
latest rekey: 5215 seconds ago
monitor: off
monitor packets seen: 0
monitor packets reply: 0
en/decap context: 668
local spi: 80544957
remote spi: 5325178E
key type: auto key
protocol: ESP
auth algorithm: SHA1
enc algorithm: AES256
proxy-id local ip: 10.135.10.0/24
proxy-id remote ip: 10.135.12.0/24
proxy-id protocol: 0
proxy-id local port: 0
proxy-id remote port: 0
anti replay check: yes
copy tos: no
authentication errors: 0
decryption errors: 0
inner packet warnings: 0
replay packets: 0
packets received
when lifetime expired:0
when lifesize expired:0
sending sequence: 1361
receive sequence: 0
encap packets: 610045
decap packets: 0
encap bytes: 53714408
decap bytes: 0
key acquire requests: 902
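Two checks are spread across the replies above: the encap/decap counter check from the `show vpn flow tunnel-id` output, and the proxy-ID / crypto ACL mirroring that the ASA log complains about. The script below is an added example, not code from this thread or from either vendor; it parses the tunnel output (the embedded block is a constructed copy of the output pasted above), classifies the counters, tests whether the PA proxy-IDs are the mirror image of the ASA's crypto ACL, and checks whether the inner packet from the ASA log falls inside the negotiated proxy-IDs. The ASA subnets `ASA_LOCAL_PROXY` and `ASA_REMOTE_PROXY` are assumptions (the log only shows the object names Peoria-Data and Sunset-Network). With the numbers pasted in this thread, the inner source 10.135.100.3 is outside the local proxy-ID 10.135.10.0/24, which is the same "doesn't match the negotiated policy" condition the ASA log reports.

```python
# Added example (not from the thread): read the encap/decap counters from
# `show vpn flow tunnel-id` output and check the proxy-IDs against the far side.
import ipaddress

# Constructed excerpt modelled on the tunnel output pasted above.
SAMPLE_VPN_FLOW = """\
tunnel Peoria_IPSec_Tunnel1:Sunset
id: 10
type: IPSec
state: active
inner interface: tunnel.1
outer interface: ethernet1/3
proxy-id local ip: 10.135.10.0/24
proxy-id remote ip: 10.135.12.0/24
proxy-id protocol: 0
encap packets: 610045
decap packets: 0
encap bytes: 53714408
decap bytes: 0
"""

# Inner source/destination quoted in the ASA log line in this thread.
INNER_SRC = "10.135.100.3"
INNER_DST = "10.135.12.7"

# Hypothetical ASA crypto ACL subnets (the ASA log shows only object names,
# so these are assumed values). "local" is the ASA's own side, "remote" the PA side.
ASA_LOCAL_PROXY = "10.135.12.0/24"
ASA_REMOTE_PROXY = "10.135.10.0/24"


def parse_kv(text):
    """Split 'key: value' lines into a dict with lowercased keys."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def counter_verdict(fields):
    """encap > 0 with decap == 0 means we encrypt and send but never get ESP back."""
    encap = int(fields["encap packets"])
    decap = int(fields["decap packets"])
    if encap == 0:
        return "nothing-sent"
    if decap == 0:
        return "encrypting-only"
    return "bidirectional"


def proxy_ids_mirror(fields, asa_local, asa_remote):
    """PA local proxy-ID must equal the ASA's remote proxy, and vice versa."""
    pa_local = ipaddress.ip_network(fields["proxy-id local ip"])
    pa_remote = ipaddress.ip_network(fields["proxy-id remote ip"])
    return (pa_local == ipaddress.ip_network(asa_remote)
            and pa_remote == ipaddress.ip_network(asa_local))


def inner_packet_fits(fields, src, dst):
    """Does the inner packet fall inside the negotiated proxy-IDs? If not, the
    peer drops it with the 'doesn't match the negotiated policy' error."""
    pa_local = ipaddress.ip_network(fields["proxy-id local ip"])
    pa_remote = ipaddress.ip_network(fields["proxy-id remote ip"])
    return {
        "src_in_local": ipaddress.ip_address(src) in pa_local,
        "dst_in_remote": ipaddress.ip_address(dst) in pa_remote,
    }


def diagnose_tunnel(text=SAMPLE_VPN_FLOW, src=INNER_SRC, dst=INNER_DST,
                    asa_local=ASA_LOCAL_PROXY, asa_remote=ASA_REMOTE_PROXY):
    f = parse_kv(text)
    return {
        "counters": counter_verdict(f),
        "proxy_ids_mirror_asa": proxy_ids_mirror(f, asa_local, asa_remote),
        "inner_packet": inner_packet_fits(f, src, dst),
    }


if __name__ == "__main__":
    for key, value in diagnose_tunnel().items():
        print(f"{key}: {value}")
```

Swap the two ASA subnets (the "wrong way round" case one reply suspects) and `proxy_ids_mirror_asa` flips to `False`; fix the proxy-IDs so that the inner source sits inside the local one and `src_in_local` becomes `True`. The counters verdict stays `encrypting-only` until the peer actually starts returning ESP, so re-run after each change rather than trusting the green status indicator alone.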
07-01-2014 06:00 AM
I will verify the proxy IDs and make sure they are correct. Would the tunnel come up if there is a mismatch?