TOPIC: Site-to-Site VPN problems

Site-to-Site VPN problems 7 years 7 months ago #29110

  • jimbo_01
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
Hi,

I am currently trying to troubleshoot a site-to-site VPN problem between a Cisco 5520 & Cisco PIX 515.

(Problem)
When a user makes a connection destined to the remote VPN network, the VPN tunnel successfully completes both phases and the tunnel comes active, but the user connection times out. Here is an output of the VPN logs.

%ASA-6-302013: Built outbound TCP connection 4860 for outside: x.x.x.x /443 (x.x.x.x /443) to inside:x.x.x.x/53251 (1 x.x.x.x /53251)

%ASA-6-302014: Teardown TCP connection 4860 for outside: x.x.x.x /443 to inside: x.x.x.x /53251 duration 0:00:30 bytes 0 SYN Timeout

Running the command 'sh ipsec stats', I can see the outbound traffic being encrypted, but it's not showing any inbound traffic. To me this indicates a problem at the other end of the tunnel? I've not disabled the 'sysopt connection permit-ipsec' command, so all inbound IPsec traffic should be allowed.

The remote VPN network is managed by a third party company so I have no control or access.

Has anyone experienced this problem before?
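
As an added illustration (not part of jimbo_01's post), the pattern in those two log lines can be checked across a whole syslog export rather than by eye: a connection that is built outbound and then torn down with "bytes 0" and "SYN Timeout" means the SYN left the ASA and nothing came back, and a cluster of those to one remote network points at a one-way path rather than at the application on port 443. The script below is constructed for this thread; the log lines inside it are made-up samples shaped like the ones quoted above, with RFC 5737 documentation addresses in place of the masked x.x.x.x, and the regular expressions match only that shape of 302013/302014 message.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the %ASA-6-302013 / 302014 messages quoted in
# the post. Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 4860 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.0.2.25/53251 (192.0.2.25/53251)
%ASA-6-302014: Teardown TCP connection 4860 for outside:198.51.100.10/443 to inside:192.0.2.25/53251 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4861 for outside:198.51.100.10/443 (198.51.100.10/443) to inside:192.0.2.26/53252 (192.0.2.26/53252)
%ASA-6-302014: Teardown TCP connection 4861 for outside:198.51.100.10/443 to inside:192.0.2.26/53252 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 4862 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.0.2.25/53253 (192.0.2.25/53253)
%ASA-6-302014: Teardown TCP connection 4862 for outside:203.0.113.5/80 to inside:192.0.2.25/53253 duration 0:00:05 bytes 1420 TCP FINs
"""

# "Built" message: connection id, outside interface/ip/port, inside interface/ip/port.
BUILT_RE = re.compile(
    r"%ASA-6-302013: Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) "
    r"for (?P<out_if>\w+):(?P<out_ip>[\d.]+)/(?P<out_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<in_if>\w+):(?P<in_ip>[\d.]+)/(?P<in_port>\d+)"
)
# "Teardown" message: connection id, duration, byte count and the teardown reason.
TEARDOWN_RE = re.compile(
    r"%ASA-6-302014: Teardown TCP connection (?P<conn_id>\d+) .*?"
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)


def correlate_connections(log_text):
    """Pair each Built message with its Teardown by connection id.
    Returns one dict per connection that was both built and torn down."""
    built = {}
    completed = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            built[m["conn_id"]] = m.groupdict()
            continue
        m = TEARDOWN_RE.search(line)
        if m and m["conn_id"] in built:
            record = built.pop(m["conn_id"])
            record.update(bytes=int(m["bytes"]), duration=m["duration"], reason=m["reason"])
            completed.append(record)
    return completed


def find_half_open(connections):
    """Connections torn down with zero bytes and a SYN Timeout: the SYN went out and
    nothing came back. One is noise; a cluster to the same peer network is the
    signature of a one-way path, such as a tunnel that only carries traffic outbound."""
    return [c for c in connections if c["bytes"] == 0 and c["reason"] == "SYN Timeout"]


def syn_timeouts_by_destination(connections):
    """Count SYN-timeout connections per remote ip:port so the affected peer stands out."""
    return Counter((c["out_ip"], c["out_port"]) for c in find_half_open(connections))


if __name__ == "__main__":
    conns = correlate_connections(SAMPLE_LOGS)
    for (ip, port), n in syn_timeouts_by_destination(conns).most_common():
        print(f"{n} connection(s) to {ip}:{port} timed out with 0 bytes; check the return path")
```

Run against a real export, the destinations that accumulate zero-byte SYN timeouts while other destinations complete normally are the ones whose return path (here, the inbound side of the tunnel) deserves the 'sh ipsec stats' comparison described in the post.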

Re: Site-to-Site VPN problems 7 years 7 months ago #29326

  • Smurf
  • Offline
  • Moderator
  • Posts: 1390
  • Karma: 1
Hi Jimbo,

S0lo posted a few good links to help troubleshoot/configure:

www.cisco.com/en/US/docs/security/asa/as...k/guide/sitesite.pdf

www.routeralley.com/ra/docs/ipsec_site2site_pix_asa.pdf

I started a thread asking for a guide to this and found something interesting with the ASAs, which you may want to read: www.firewall.cx/ftopic-6079-0-days0-orderasc-.html

I don't think the errors you have posted are linked with this problem, since they are referencing port 443. Have you turned up debugging of ISAKMP and IPsec?

Cheers
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Site-to-Site VPN problems 7 years 6 months ago #29685

  • jimbo_01
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
Hi Smurf,

Thanks for your reply. The traffic I referenced on port 443 is meant to be interesting traffic and sent over the VPN tunnel. I've done some research and think the problem will be fixed when I apply NAT-T on both VPN security appliances. I will post once tested.

Re: Site-to-Site VPN problems 7 years 5 months ago #29878

  • jimbo_01
  • Offline
  • New Member
  • Posts: 3
  • Karma: 0
This problem was resolved by enabling NAT-T on both VPN security appliances. The problem was caused by a firewall device applying Port Address Translation (PAT) to the source traffic between the two VPN peers. PAT breaks ESP protocol communications.
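
An added model in Python (not from the thread, and not Cisco's or anyone's device code) of why PAT breaks ESP and why NAT-T fixes it. ESP is IP protocol 50 and carries no port field, so a port-translating device has nothing to rewrite and no key on which to match the peer's return traffic to the inside host; NAT-T wraps each ESP packet in UDP on port 4500 (RFC 3948), giving PAT a source port to translate and the reply a port to come back on. The PatDevice class, the 10.0.0.x / 203.0.113.x / 198.51.100.x addresses and the SPI values are constructed for the example; encryption and integrity checking are left out because they play no part in the translation problem.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
NAT_T_PORT = 4500                       # UDP port for NAT traversal (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # prefixes IKE on UDP/4500 so it can be told apart from ESP


def build_esp(spi, seq, payload):
    """Minimal ESP packet (RFC 4303): 4-byte SPI, 4-byte sequence number, then payload.
    Encryption and the ICV are omitted; they do not matter for the NAT problem."""
    return struct.pack("!II", spi, seq) + payload


def classify_nat_t_payload(udp_payload):
    """A UDP/4500 payload is IKE if it starts with the zero marker, otherwise ESP
    (SPI 0 is reserved, so a real ESP packet can never look like the marker)."""
    if udp_payload[:4] == NON_ESP_MARKER:
        return "ike", udp_payload[4:]
    return "esp", udp_payload


class PatDevice:
    """Toy Port Address Translation device (constructed for this example): all inside
    hosts share one public address and flows are told apart by a rewritten source port."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (proto, inside_ip, inside_port, peer_ip, peer_port) -> public_port
        self.in_map = {}    # (proto, public_port, peer_ip, peer_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite an inside->outside packet, or return None when it cannot be translated."""
        if pkt["proto"] == IPPROTO_ESP:
            # Protocol 50 has no port field: nothing for PAT to rewrite and no way to tell
            # two inside peers' return traffic apart, so this model drops it. (Real devices
            # vary; some pass a single ESP flow by SPI, but none can port-multiplex it.)
            return None
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.out_map:
            public_port = self.next_port
            self.next_port += 1
            self.out_map[key] = public_port
            self.in_map[(pkt["proto"], public_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.out_map[key])

    def inbound(self, pkt):
        """Map an outside->inside packet back to the inside host, or None if no mapping exists."""
        if pkt["proto"] == IPPROTO_ESP:
            return None
        target = self.in_map.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if target is None:
            return None
        return dict(pkt, dst=target[0], dport=target[1])


def simulate_tunnel(use_nat_t, inside_ip="10.0.0.2", peer_ip="198.51.100.2"):
    """Send one ESP packet from a VPN peer behind PAT and check whether the reply gets back."""
    pat = PatDevice("203.0.113.1")
    esp = build_esp(spi=0x1000ABCD, seq=1, payload=b"<encrypted TCP SYN>")
    if use_nat_t:
        pkt = {"proto": IPPROTO_UDP, "src": inside_ip, "sport": NAT_T_PORT,
               "dst": peer_ip, "dport": NAT_T_PORT, "payload": esp}
    else:
        pkt = {"proto": IPPROTO_ESP, "src": inside_ip, "dst": peer_ip, "payload": esp}
    translated = pat.outbound(pkt)
    if translated is None:
        return {"delivered": False, "reply_mapped": False}
    # The remote peer answers to the address and port it saw, i.e. the PAT's public side.
    reply = {"proto": translated["proto"], "src": peer_ip, "sport": translated["dport"],
             "dst": translated["src"], "dport": translated["sport"],
             "payload": build_esp(spi=0x2000EF01, seq=1, payload=b"<encrypted SYN/ACK>")}
    back = pat.inbound(reply)
    return {"delivered": True, "public_port": translated["sport"],
            "reply_mapped": back is not None and back["dst"] == inside_ip,
            "reply_kind": classify_nat_t_payload(back["payload"])[0] if back else None}


if __name__ == "__main__":
    print("raw ESP through PAT:     ", simulate_tunnel(use_nat_t=False))
    print("NAT-T (ESP in UDP/4500): ", simulate_tunnel(use_nat_t=True))
```

The raw-ESP run never leaves the PAT device, which matches the symptom in the thread (tunnel up, outbound counters rising, nothing inbound); the NAT-T run gets a public port on the way out and the peer's reply is mapped straight back to the inside host. Both peers have to agree on the encapsulation, which is why the fix had to be applied on both appliances.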