[c-nsp] VPN issues

Aaron R aaronis at people.net.au
Wed Jan 16 23:26:03 EST 2008


Hi Kaj, 

a) Sysopt connection permit-ipsec is enabled by default.
b) There is a return route on remote site end
c) tried sysopt connection tcpmss with no luck. 
d) packet tracer shows that the traffic is allowed but doesn't show return
traffic for the same TCP connection (which is where the problem is).

I have tried to describe this a little better below. 

Scenario

ASA 5520 running version 7.2

ASA outside interface terminates multiple tunnels including remote access
Easy VPN access. 

Problem: VPN Clients are unable to reach tunnel branch destinations.

Breakdown:

Client connects to ASA public interface via VPN client. Client is allocated
an address from pool (addresses on the inside interface of the ASA) i.e.
10.0.0.100-10.0.0.254 (Inside subnet is 10.0.0.0/24). ASA adds a route for
the vpn client and points it to the outside interface similar to below.

S    10.0.0.100 255.255.255.255 [1/0] via public.ip.address, Outside

The remote VPN Client attempts to web to a branch office tunnel destination
web server and the following happens.

ASA decrypts packet on outside interface and does a route lookup. It sees
the destination is matched by the default route and needs to be sent out the
same interface the packet came in on. ASA routes packet via default route.
The Packet is then NAT'd to the outside address (PAT). The Packet matches a
site to site VPN rule and therefore is encrypted to be sent over this site
to site VPN. At this point I can see the following logs (unfortunately it is
hard to troubleshoot the connection being returned over the tunnel, i.e. the
SYN-ACK of a TCP connection).

10.0.0.100	172.16.1.100	 Built inbound TCP connection 30449275 for
Outside:10.0.0.100/2325 (10.0.0.100/2325) to Inside:172.16.1.100/80
(172.16.1.100/80) (user)
10.240.1.105	203.38.65.140	 Built dynamic TCP translation from
Inside:10.0.0.100/2325 to Outside:our.public.ip/28908
our.public.ip	10.0.1.100	 Built outbound TCP connection 30449276 for
Outside 172.16.1.100:/80 (172.16.1.100/80) to Inside:10.0.0.100/2325
(our.public.ip/28908)

The necessary configuration is in place to allow traffic entering an
interface to leave the same interface, so I am unsure as to what is happening
here.

Any hints will be greatly appreciated. 

Cheers,

Aaron.
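For reference, here is the ASA 7.2-era configuration that the pieces discussed in this thread (same-interface routing of decrypted traffic, NAT handling of the VPN pool, the site-to-site crypto ACL and packet-tracer) fit together in. This is an added example, not configuration posted by either participant and not a diagnosis of Aaron's problem. The pool 10.0.0.100-10.0.0.254, the inside subnet 10.0.0.0/24 and the branch host 172.16.1.100 come from the post; the interface names `outside`/`inside`, the ACL, pool and crypto-map names, the branch network 172.16.1.0/24, the branch peer address 203.0.113.1 and the transform set are assumptions. ISAKMP policy, tunnel-group and pre-shared key configuration are omitted.

```cisco
! --- Added example (not from the thread); names and branch addresses assumed ---

! Allow traffic decrypted on 'outside' to be routed back out 'outside'
! (hairpinning). Without this the ASA drops flows that enter and leave
! the same interface.
same-security-traffic permit intra-interface

! Let decrypted IPsec traffic bypass the interface ACLs. Default on 7.x
! (permit-ipsec on 7.0, permit-vpn from 7.1(1)); stated explicitly here.
sysopt connection permit-vpn

! Remote-access pool, carved out of the inside subnet as in the post.
ip local pool RA-POOL 10.0.0.100-10.0.0.254 mask 255.255.255.0

! NAT exemption for pool -> branch on the interface the packet ENTERS
! (outside, because that is where the client's packet is decrypted).
! Crypto-map matching is done on the post-NAT source address, so if the
! flow is PATed to the outside address it no longer matches an ACL written
! for 10.0.0.0/24 on the branch side. (Assumed branch network 172.16.1.0/24.)
access-list OUTSIDE-NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (outside) 0 access-list OUTSIDE-NONAT

! Inside LAN hosts talking to the branch need their own exemption on 'inside'.
access-list INSIDE-NONAT extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NONAT

! Site-to-site crypto ACL. Because the pool lives inside 10.0.0.0/24 the one
! /24 entry covers LAN hosts and VPN clients alike; the branch ASA must carry
! the mirror image (172.16.1.0/24 -> 10.0.0.0/24) or its SYN-ACKs are never
! encrypted back towards this site.
access-list L2L-BRANCH extended permit ip 10.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside

! Walk the client's SYN through the ASA using the addresses from the logs.
! The NAT and VPN phases of the output show whether the packet is exempted
! from translation and which crypto-map entry (if any) it matches.
packet-tracer input outside tcp 10.0.0.100 2325 172.16.1.100 80 detailed
```

The packet-tracer line only simulates the client-to-branch direction. To check the reverse path, run the equivalent on the branch ASA with source 172.16.1.100/80 and destination 10.0.0.100/2325 entering its inside interface; if that trace ends before the VPN phase, the branch crypto ACL or its routing is what needs attention.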

-----Original Message-----
From: Kaj Niemi [mailto:kajtzu at basen.net] 
Sent: Tuesday, January 15, 2008 9:59 PM
To: Aaron R
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VPN issues

Hi,


It's also possible you might need 'sysopt connection permit-vpn' (=>  
7.1(1), 'sysopt connection permit-ipsec' ( <= 7.0)). The settings  
allow packets from an IPSec tunnel to bypass interface ACLs (not group  
policy or per-user ones). As of 7.0 (I think) the default is enabled,  
if disabled you might need to explicitly permit traffic.

If traffic from RA to IPSec tunnel gets transmitted (you stated that  
you see the outbound connection and I'm assuming here that's on the  
site 1 ASA the RA is connected to) but if there is no return route on  
site 2 there won't be any return packets back towards site 1. Assuming  
all other sites have a default route towards the outside interface  
where the crypto map is this scenario is unlikely, though.

There was no mention of the kind of traffic you are transmitting. In  
some cases, for TCP/IP, you might need to play around with 'sysopt  
connection tcpmss' and decrease it further from the PIX/ASA default of  
1380. Decreasing would mean there would be less payload inside the vpn  
encapsulated packets.

You didn't mention what version you're running but if you're on 7.2(1)  
or later you could take a look at 'packet-tracer'. Sometimes it is  
useful to see what rules/acls/etc. a packet would hit through the ASA  
or look at an existing flow.


As always, YMMV. :-)



Kaj

On Jan 15, 2008, at 13:56, Aaron R wrote:

> I am thinking it has something to do with the split-tunneling configuration.
> Split tunneling is disabled therefore all traffic should route across the
> VPN connection from the vpn client. Both outbound internet access as well as
> access to other site to site vpn's is not working for the VPN clients.



HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000