
Troubleshooting Site to Site VPNs

By Jason Howe, PEI. November 2, 2016 (updated September 11th, 2020). Blog

Clear crypto as the first step of troubleshooting Site-2-site VPNs

I just had another site-to-site VPN that was having issues. The tunnel was up with no errors, but it couldn’t pass any traffic. When I ran a packet tracer on the path, I got a DROP at Phase 4: ACCESS-LIST.

packet-tracer input inside tcp 10.127.250.1 80 10.120.3.1 80 detail

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe1a9d0, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.127.250.1, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any

After much checking, I did not have an access list that would drop any of these packets:

  1. Routes for the traffic looked good.
  2. Access lists allowed the traffic.
  3. NAT rules were static and high enough in the order to allow the traffic.

So basically I had a VPN that should have been working but wouldn’t pass data. What to do in these situations is to clear the crypto on the firewall.

SAMP-fw02# show crypto isakmp sa

IKEv1 SAs:

Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 67.99.99.12
Type   : L2L             Role   : responder
Rekey  : no              State  : MM_ACTIVE

SAMP-fw02# clear crypto isakmp sa

Right after clearing the crypto, I ran show crypto isakmp sa again (note that the Active SA count dropped from 3 to 2):

SAMP-fw02# show crypto isakmp sa

IKEv1 SAs:

Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

2   IKE Peer: 67.99.99.12
Type   : L2L             Role   : responder
Rekey  : no              State  : MM_ACTIVE

Then I reran the packet tracer:

SAMP-fw02# packet-tracer input inside tcp 10.127.250.10 80 10.120.3.1 80

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.120.3.0     255.255.255.0   outside

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.120.3.1/80 to 10.120.3.1/80

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.127.250.0 255.255.255.0 object-group TEST
object-group network TEST
network-object 10.120.3.0 255.255.255.0
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:
Static translate 10.127.250.10/80 to 10.127.250.10/80

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2084347, packet dispatched to next module

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

So after all the checking, the basic fix is: clear the crypto tunnel. In troubleshooting, I like to change the easiest thing first. Clear the crypto and see if that fixes the issue before spending many hours troubleshooting a configuration that may be working.

TL;DR: Clear the crypto on the tunnel before getting into complex troubleshooting: “clear crypto isakmp sa”
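The two packet-tracer runs above differ only in the Phase 4 verdict and the ASP rule behind it. As an added example (not part of the original post), this Python parser splits packet-tracer output into phases, finds the first DROP, and pulls the rule id, domain, deny flag, source/destination and interfaces out of the "Forward Flow based lookup yields rule" lines, so a before/after comparison around clear crypto isakmp sa can be scripted; the sample output is constructed from the post's first trace.

```python
import re

# Constructed sample, condensed from the post's first trace: phase 1 allows, phase 4 drops.
PACKET_TRACER_OUTPUT = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe1a9d0, priority=500, domain=permit, deny=true
src ip/id=10.127.250.1, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
"""

def parse_phases(text):
    """Split ASA packet-tracer output into one dict per phase."""
    phases = []
    for block in re.split(r"\n(?=Phase: )", text.strip()):
        phase = {"phase": 0, "type": "", "subtype": "", "result": "", "details": []}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key in ("Phase", "Type", "Subtype", "Result"):
                phase[key.lower()] = value.strip()
            elif line.strip() and key not in ("Config", "Additional Information"):
                phase["details"].append(line.strip())  # rule/config text under the headers
        phase["phase"] = int(phase["phase"])
        phases.append(phase)
    return phases

def first_drop(phases):
    return next((p for p in phases if p["result"] == "DROP"), None)

def asp_rule_fields(details):
    """Pull id/domain/deny/src/dst/interfaces out of an ASP 'lookup yields rule' dump."""
    fields = {}
    for line in details:
        m = re.match(r"(src|dst) ip/id=([\d.]+), mask=([\d.]+)", line)
        if m:
            fields[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        else:
            fields.update(re.findall(r"(\w+)=([^,\s]+)", line))
    return fields
```

Feed it the output of the packet tracer run before and after the clear; a dst of 0.0.0.0/0.0.0.0 with deny=true against only the VPN source is the signature to compare.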

Jason Howe, PEI
