Beginner

Trying to test a Site to Site Tunnel

Hi All,

We have 2 x 5512-x ASAs, one in our LA location and one in our PA location. The one in LA (let's call it ASA01) is in production and I have the tunnel configured. The one in PA (ASA02), is set up but it sits behind a Netgear router. From the network created inside ASA02, we are able to ping out and are able to ping devices that are attached to the Netgear router. However, we can't ping into devices on the ASA02 network.

We set the tunnel up on both ends, but we feel it might be because we don't have a rule somewhere that allows traffic into ASA02?

6 REPLIES
Hall of Fame Master

Re: Trying to test a Site to Site Tunnel

Perhaps the first step is to find out whether the tunnel is coming up. Can you post the output of show crypto ipsec sa

HTH

Rick

Beginner

Re: Trying to test a Site to Site Tunnel

els-asa01# show crypto ipsec sa
interface: ZAYO
    Crypto map tag: <amzn_vpn_map>, seq num: 3, local addr: 128.177.20.34

      access-list ZAYO_cryptomap_3 extended permit ip any 10.60.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.0.0/255.255.0.0/0/0)
      current_peer: 40.112.133.61


      #pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
      #pkts decaps: 538, #pkts decrypt: 538, #pkts verify: 538
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 368, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 128.177.20.34/0, remote crypto endpt.: 40.112.133.61/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: BF4ACF2E
      current inbound spi : 7F761209

    inbound esp sas:
      spi: 0x7F761209 (2138444297)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 50315264, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97199978/1362)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xBF4ACF2E (3209350958)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 50315264, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97199975/1362)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: <amzn_vpn_map>, seq num: 10, local addr: 128.177.20.34

      access-list acl-amzn-2 extended permit ip any 10.1.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 54.240.217.162


      #pkts encaps: 3741031, #pkts encrypt: 3741031, #pkts digest: 3741031
      #pkts decaps: 6187717, #pkts decrypt: 6187717, #pkts verify: 6187717
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 3741031, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 733

      local crypto endpt.: 128.177.20.34/0, remote crypto endpt.: 54.240.217.162/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: F290D08D
      current inbound spi : 87BB71D4

    inbound esp sas:
      spi: 0x87BB71D4 (2277208532)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 55365632, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (96891842/1521)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xF290D08D (4069576845)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
         slot: 0, conn_id: 55365632, crypto-map: <amzn_vpn_map>
         sa timing: remaining key lifetime (kB/sec): (97192939/1521)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Hall of Fame Master

Re: Trying to test a Site to Site Tunnel

Thanks for the information. It does show that the tunnel is up and passing two way traffic. So we need information about what address is attempting to access what address. It might also help if you provide details of the configuration.

HTH

Rick

Beginner

Re: Trying to test a Site to Site Tunnel

So the two tunnels showing are the tunnels to AWS. I'll post config in a few.

VIP Advisor

Re: Trying to test a Site to Site Tunnel

Hello,

Post a schematic drawing of your topology. From your description I cannot tell what networks are attached to what, and what you cannot reach from where...

Hall of Fame Master

Re: Trying to test a Site to Site Tunnel

The original post described a VPN tunnel between routers in LA and PA. The posted output of VPN tunnels is then described as being to AWS. I am confused about what is going on at both sites and agree with Georg that we need some diagram and some explanation of what is going on indicating what does work and what does not work.

HTH

Rick
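The checks made in this thread (does an IPsec SA exist at all, do both the encaps and decaps counters move, and is the SA you are looking at actually the one to the peer you care about) are quick to automate once you have more than a couple of tunnels. The script below is an added example written for this page, not code from the thread or from Cisco. It parses show crypto ipsec sa text into one record per crypto map entry and reports the traffic direction seen on each SA, non-zero recv errors, a 0.0.0.0/0 local identity, and SAs negotiated without PFS. It assumes the ASA output format posted above; SAMPLE is a constructed, abbreviated copy of that format, and its third entry (crypto map outside_map, peer 203.0.113.5) is hypothetical, added to show what a tunnel that encrypts outbound traffic but never receives any looks like. find_sa_for_peer returning None is the situation the last two replies point at: if there is no SA to the peer you expect, that tunnel has not come up, whatever the other entries show.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' text into one record per crypto map entry.
Added example, not from the thread or from Cisco. SAMPLE is a constructed, abbreviated copy
of the posted format; its third entry (peer 203.0.113.5, map outside_map) is hypothetical."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

SAMPLE = """\
    Crypto map tag: <amzn_vpn_map>, seq num: 3, local addr: 128.177.20.34
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.60.0.0/255.255.0.0/0/0)
      current_peer: 40.112.133.61
      #pkts encaps: 368, #pkts encrypt: 368, #pkts digest: 368
      #pkts decaps: 538, #pkts decrypt: 538, #pkts verify: 538
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
    Crypto map tag: <amzn_vpn_map>, seq num: 10, local addr: 128.177.20.34
      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      current_peer: 54.240.217.162
      #pkts encaps: 3741031, #pkts encrypt: 3741031, #pkts digest: 3741031
      #pkts decaps: 6187717, #pkts decrypt: 6187717, #pkts verify: 6187717
      #send errors: 0, #recv errors: 733
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, IKEv1, }
    Crypto map tag: outside_map, seq num: 20, local addr: 128.177.20.34
      local ident (addr/mask/prot/port): (10.120.0.0/255.255.0.0/0/0)
      current_peer: 203.0.113.5
      #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

@dataclass
class IpsecSa:
    crypto_map: str
    seq: int
    peer: str = ""
    local_ident: str = ""
    remote_ident: str = ""
    encaps: int = 0
    decaps: int = 0
    recv_errors: int = 0
    transforms: set[str] = field(default_factory=set)
    ike: str = ""
    pfs: str = ""

    def status(self) -> str:  # traffic direction actually seen, from the packet counters
        if self.encaps == 0 and self.decaps == 0:
            return "UP-IDLE"       # negotiated, but nothing has matched the selectors yet
        if self.decaps == 0:
            return "ONE-WAY-OUT"   # we encrypt and send, nothing ever comes back
        if self.encaps == 0:
            return "ONE-WAY-IN"
        return "TWO-WAY"

HEADER_RE = re.compile(r"Crypto map tag:\s*(\S+),\s*seq num:\s*(\d+)")
IDENT_RE = re.compile(r"(local|remote) ident \(addr/mask/prot/port\):\s*\(([^)]*)\)")
PEER_RE = re.compile(r"current_peer:\s*(\S+)")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|recv errors):\s*(\d+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+)$")
SETTINGS_RE = re.compile(r"in use settings\s*=\{([^}]*)\}")

def parse_show_crypto_ipsec_sa(text: str) -> list[IpsecSa]:
    """One IpsecSa per 'Crypto map tag' block, in output order."""
    sas: list[IpsecSa] = []
    cur: IpsecSa | None = None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := HEADER_RE.search(line):
            cur = IpsecSa(crypto_map=m.group(1), seq=int(m.group(2)))
            sas.append(cur)
        elif cur is None:
            continue               # header lines before the first crypto map entry
        elif m := IDENT_RE.search(line):
            setattr(cur, f"{m.group(1)}_ident", m.group(2))
        elif m := PEER_RE.search(line):
            cur.peer = m.group(1)
        elif m := COUNTER_RE.search(line):   # "pkts encaps" -> encaps, "recv errors" -> recv_errors
            setattr(cur, m.group(1).removeprefix("pkts ").replace(" ", "_"), int(m.group(2)))
        elif m := TRANSFORM_RE.search(line):
            cur.transforms.add(m.group(1))
        elif m := SETTINGS_RE.search(line):
            for tok in (t.strip() for t in m.group(1).split(",")):
                if tok.startswith(("IKEv", "PFS")):
                    setattr(cur, "ike" if tok.startswith("IKEv") else "pfs", tok)
    return sas

def find_sa_for_peer(sas: list[IpsecSa], peer: str) -> IpsecSa | None:
    return next((sa for sa in sas if sa.peer == peer), None)  # None: no SA, tunnel never came up

def diagnose(sa: IpsecSa) -> list[str]:
    """Findings for one SA; the first entry is always the traffic status."""
    out = [f"{sa.status()}: {sa.encaps} encaps / {sa.decaps} decaps with peer {sa.peer}"]
    if sa.recv_errors:
        out.append(f"recv errors: {sa.recv_errors} inbound packets the ASA could not process; check syslog")
    if sa.local_ident.startswith("0.0.0.0/0.0.0.0"):
        out.append("local ident is 0.0.0.0/0: any local source is sent into this SA; confirm that is intended")
    if not sa.pfs:
        out.append("no PFS: child SA keys derive from the IKE SA keying material alone")
    return out
```

Run it against the saved output of show crypto ipsec sa from each ASA and compare the two sides. A ONE-WAY-OUT result on one side, with ONE-WAY-IN or no SA at all on the other, points at the return path (routing, NAT, or an ACL) rather than at the crypto negotiation; no SA on either side means IKE never completed, and show crypto ikev1 sa together with the ASA syslog is the next thing to look at.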
