Clear crypto as the first step of troubleshooting site-to-site VPNs
I just had another site-to-site VPN that was having issues. The tunnel was up with no errors, but couldn't pass any traffic. When I ran a packet tracer on the path, I would receive a message at Phase 4: ACCESS-LIST saying to drop the packet.
packet-tracer input inside tcp 10.127.250.1 80 10.120.3.1 80 detail
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe1a9d0, priority=500, domain=permit, deny=true
hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.127.250.1, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=any
After much checking, I found no access list that would drop any of the packets.
- Routes for the traffic looked good.
- Access lists allowed the traffic.
- NAT rules were static and high enough in the order to allow the traffic.
So basically I had a VPN that should have been working but wouldn't pass data. What to do in these situations is to clear the crypto on the firewall.
SAMP-fw02# show crypto isakmp sa
IKEv1 SAs:
Active SA: 3
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3
1 IKE Peer: 67.99.99.12
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
SAMP-fw02# clear crypto isakmp sa
Right after clearing the crypto, I ran show crypto isakmp sa again:
SAMP-fw02# show crypto isakmp sa
IKEv1 SAs:
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
2 IKE Peer: 67.99.99.12
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Then I reran the packet tracer:
SAMP-fw02# packet-tracer input inside tcp 10.127.250.10 80 10.120.3.1 80
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 10.120.3.0 255.255.255.0 outside
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:
NAT divert to egress interface outside
Untranslate 10.120.3.1/80 to 10.120.3.1/80
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 10.127.250.0 255.255.255.0 object-group TEST
object-group network TEST
network-object 10.120.3.0 255.255.255.0
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:
Static translate 10.127.250.10/80 to 10.127.250.10/80
Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static obj-10.127.250.0 obj-10.127.250.0 destination static TEST TEST no-proxy-arp
Additional Information:
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 2084347, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
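To compare a before-and-after packet-tracer run without reading every phase by hand, here is a small parser, added as an example and not part of the original post, that splits ASA packet-tracer output into phases and reports the first phase that did not ALLOW. The sample text is the Phase 4 drop shown above, embedded as a constructed string.

```python
from dataclasses import dataclass, field

@dataclass
class Phase:  # one "Phase: N" block of ASA packet-tracer output
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)
    info: list = field(default_factory=list)

def parse_packet_tracer(text):
    """Parse packet-tracer output into Phase records plus the final Action."""
    phases, action, section = [], None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Phase":
            phases.append(Phase(int(value)))
            section = None
        elif key == "Action":
            action = value.lower()
        elif not phases:
            continue  # ignore anything before the first Phase line
        elif key in ("Type", "Subtype", "Result"):
            if value:
                setattr(phases[-1], key.lower(), value)
            section = None  # a bare "Result:" opens the trailing summary block
        elif key == "Config":
            section = "config"
        elif key == "Additional Information":
            section = "info"
        elif section:
            getattr(phases[-1], section).append(line)
    return phases, action

def first_drop(phases):
    """First phase whose Result is not ALLOW, or None when every phase passed."""
    return next((p for p in phases if p.result.upper() != "ALLOW"), None)

# Constructed sample: the "before" run from the post, of which only Phase 4 was shown.
SAMPLE_BEFORE = """\
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabe1a9d0, priority=500, domain=permit, deny=true
"""
```

Paste the full "after" output into parse_packet_tracer and first_drop returns None, while the summary Action comes back as "allow".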
So after all the checking, the basic fix is to clear the crypto tunnel. In troubleshooting, I like to do the easiest thing to change first: clear crypto and see if that fixes the issue, before spending many hours troubleshooting a configuration that may be working.
TL;DR: Clear the crypto on the tunnel before getting into complex troubleshooting: "clear crypto isakmp sa".
Jason Howe, PEI