- Posts: 3
- Thank you received: 0
Site-to-Site VPN problems
16 years 2 months ago #29110
by jimbo_01
Site-to-Site VPN problems was created by jimbo_01
Hi,
I am currently trying to troubleshoot a site-to-site vpn problem between a Cisco 5520 & cisco pix515.
(Problem)
When a user makes a connection destined to the remote VPN network the VPN tunnel successfully completes both phases and the tunnel comes active but the user connection times out. Here is an output of the VPN logs.
%ASA-6-302013: Built outbound TCP connection 4860 for outside: x.x.x.x /443 (x.x.x.x /443) to inside:x.x.x.x/53251 (1 x.x.x.x /53251)
%ASA-6-302014: Teardown TCP connection 4860 for outside: x.x.x.x /443 to inside: x.x.x.x /53251 duration 0:00:30 bytes 0 SYN Timeout
Running the command 'sh ipsec stats' I can see the outbound traffic being encrypted but it's not showing any inbound traffic. To me this indicates a problem at the other end of the tunnel? I've not disabled the 'sysopt connection permit-ipsec' command so all inbound IPSEC traffic should be allowed.
The remote VPN network is managed by a third party company so I have no control or access.
Has anyone experienced this problem before?
16 years 2 months ago #29326
by Smurf
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Replied by Smurf on topic Re: Site-to-Site VPN problems
Hi Jimbo,
S0lo posted a few good links to help troubleshoot/configure
www.cisco.com/en/US/docs/security/asa/as...k/guide/sitesite.pdf
www.routeralley.com/ra/docs/ipsec_site2site_pix_asa.pdf
I started a thread asking for a guide to this and found something interesting with the ASAs which you may want to read www.firewall.cx/ftopic-6079-0-days0-orderasc-.html
I don't think the errors you have posted are linked with this problem since they are referencing port 443. Have you turned up debugging of the ISAKMP and IPSEC?
Cheers
16 years 1 month ago #29685
by jimbo_01
Replied by jimbo_01 on topic Re: Site-to-Site VPN problems
Hi Smurf,
Thanks for your reply. The traffic I referenced on port 443 is meant to be interesting traffic and sent over the VPN tunnel. I've done some research and think the problem will be fixed when I apply NAT-T on both VPN security appliances. I will post once tested.
16 years 3 weeks ago #29878
by jimbo_01
Replied by jimbo_01 on topic Re: Site-to-Site VPN problems
This problem was resolved by enabling NAT-T on both VPN security appliances. The problem was caused by a firewall device applying Port address translation (PAT) to the source traffic between the two VPN peers. PAT breaks ESP protocol communications.
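The root cause jimbo_01 describes (a PAT device between the peers, outbound ESP counters climbing while nothing comes back) can be shown in a small model. The script below is an added example, not code from this thread or from Cisco: it models a PAT gateway that allocates a public port per inside flow, then pushes plain ESP (IP protocol 50) and UDP-encapsulated ESP (NAT-T, UDP/4500) through it. ESP carries no transport ports, so the PAT box has nothing to key a return mapping on and the reply never reaches the inside peer, which is exactly the "encrypted but not decrypted" symptom from 'sh ipsec stats'. With NAT-T the UDP source port gives PAT something to translate and the reply is delivered. The addresses are RFC 5737 documentation ranges and the port allocation policy (start at 40000) is an assumption; real PAT boxes differ in detail. On the ASA side the feature is switched on with `crypto isakmp nat-traversal` (older PIX 6.3 code uses `isakmp nat-traversal`); the peers then detect the NAT during IKE and switch ESP to UDP/4500 themselves.

```python
"""Model of why plain PAT breaks ESP and why NAT-T (UDP/4500) fixes it.

Constructed example for illustration only; not code from the forum thread.
Addresses come from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

INSIDE_PEER = "192.0.2.10"     # VPN appliance sitting behind the PAT box (assumed)
PAT_PUBLIC = "198.51.100.1"    # the PAT device's single public address (assumed)
REMOTE_PEER = "203.0.113.5"    # the third-party VPN peer (assumed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                    # "ESP" (IP proto 50) or "UDP" (NAT-T, port 4500)
    sport: Optional[int] = None   # None for ESP: the ESP header has no ports
    dport: Optional[int] = None
    spi: Optional[int] = None     # ESP Security Parameter Index (opaque to PAT)


@dataclass
class PatGateway:
    """Minimal port address translation: one public IP shared by many inside flows."""
    public_ip: str
    next_port: int = 40000        # assumed allocation policy
    # (inside_ip, proto, inside_port) -> allocated public port
    out_map: Dict[Tuple[str, str, Optional[int]], int] = field(default_factory=dict)
    # (proto, public_port) -> (inside_ip, inside_port)
    in_map: Dict[Tuple[str, int], Tuple[str, Optional[int]]] = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source address, allocating a public port when the
        packet has a transport port. ESP has none, so no reversible mapping
        can be created; the packet leaves with only its address rewritten."""
        if pkt.sport is None:
            return Packet(self.public_ip, pkt.dst, pkt.proto, None, None, pkt.spi)
        key = (pkt.src, pkt.proto, pkt.sport)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(self.public_ip, pkt.dst, pkt.proto,
                      self.out_map[key], pkt.dport, pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse the translation. With no destination port there is no
        mapping to consult, so the returning ESP is dropped."""
        if pkt.dport is None:
            return None
        entry = self.in_map.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        inside_ip, inside_port = entry
        return Packet(pkt.src, inside_ip, pkt.proto, pkt.sport, inside_port, pkt.spi)


def simulate(nat_t: bool, packets: int = 3) -> Dict[str, int]:
    """Send `packets` encrypted packets through the PAT box and count how many
    replies make it back, mimicking the outbound/inbound counters of
    'show ipsec stats'. Returns the counters as a dict."""
    gw = PatGateway(PAT_PUBLIC)
    stats = {"outbound_encrypted": 0, "inbound_decrypted": 0}
    for i in range(packets):
        if nat_t:   # ESP encapsulated in UDP/4500 after NAT detection in IKE
            out = Packet(INSIDE_PEER, REMOTE_PEER, "UDP", 4500, 4500, spi=0x1000 + i)
        else:       # raw ESP, IP protocol 50, no transport header
            out = Packet(INSIDE_PEER, REMOTE_PEER, "ESP", spi=0x1000 + i)
        stats["outbound_encrypted"] += 1
        on_wire = gw.outbound(out)
        # The remote peer answers whatever it saw on the wire, swapping
        # addresses and ports (its reply uses its own outbound SPI).
        reply = Packet(REMOTE_PEER, on_wire.src, on_wire.proto,
                       on_wire.dport, on_wire.sport, spi=0x2000 + i)
        if gw.inbound(reply) is not None:
            stats["inbound_decrypted"] += 1
    return stats


if __name__ == "__main__":
    print("plain ESP through PAT :", simulate(nat_t=False))
    print("NAT-T (UDP/4500)      :", simulate(nat_t=True))
```

Running it prints three packets encrypted and zero decrypted for raw ESP, and three and three once the tunnel is UDP-encapsulated. The same asymmetry in 'sh ipsec stats' (or 'show crypto ipsec sa' with #pkts encaps climbing and #pkts decaps stuck at zero) on a peer that sits behind someone else's firewall is a strong hint to check for NAT between the peers before suspecting the far end.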