topic Re: Site-to-Site VPN connection issue with CISCO ASA in General Topics

Site-to-Site VPN connection issue with CISCO ASA

bam_oida — Wed, 04 Jul 2018 19:18:33 GMT

Hello guys,

I have troubles with a Site-to-Site VPN between a R77.30 and a CISCO ASA Gateway.

The subnets on my side:

192.168.4.0/22

192.168.30.0/22

192.168.40.0/22

I have 3 subnets on my side which needs to access 12 subnets on the other side.

The 12 subnets are in the Encryption Domain. However only devices only 2 subnets can ping a remote Host.

The hosts 192.168.4.1 and 192.168.40.1 can ping 192.168.2.12 in the remote subnet.

The connection from 192.168.30.0/22 is very unstable and I get timeouts longer then half a day. At some point the connection is working again. On both sides nothing was changed. Can someone help? I don't know how to troubleshoot the issue.

Re: Site-to-Site VPN connection issue with CISCO ASA

AlekseiShelepov — Thu, 05 Jul 2018 07:53:29 GMT

Doesn't it look like something worth asking tech support of the vendor to deal with your exact networks and setup?

VPN R77 Versions Administration Guide

VPN Troubleshooting Solutions

How to run complete VPN debug on Security Gateway to troubleshoot VPN issues?

Re: Site-to-Site VPN connection issue with CISCO ASA

Pierre-Aymeric_ — Thu, 05 Jul 2018 11:08:39 GMT

Also this KB can be a good start

Site to Site with 3rd party

then you need to ensure what's the design (routing mecanism, encryption domain, provider implementation of protocols)

then turn on complete debug following Aleksei Shelepov‌ suggestion.

after the log collect, install IKE View Tool and try understanding something. (@checkpoint please hear me crying... rewrite this tool and add it to the diagnosticview tool ! )

Re: Site-to-Site VPN connection issue with CISCO ASA

G_W_Albrecht — Thu, 05 Jul 2018 11:13:31 GMT

I would suggest to go thru sk108600: VPN Site-to-Site with 3rd Party.

Re: Site-to-Site VPN connection issue with CISCO ASA

bam_oida — Thu, 05 Jul 2018 19:34:27 GMT

Hello I tried debug with IKEView. I saw that Lifetime and Encryption of Phase 1 was different. I corrected this but now Iam unable to establish Phase 1.

Iam stuck in MM MM packet 3 (20:56:18)- Thu Jul 5 2018

Transport:       UDP (IPv4)
PeerIP:            xxxxxxx
PeerPort:       500
Peer Name:       gw_CHINA

==> Sent to peer x.x.x.x

The parameters of Transform Payload - KEY_IKE like Encryption Algorithm, Key Length, Hash Algorithm, Authentication Method, Life Type,Group Description and Life Duration are equal on both sides.

Re: Site-to-Site VPN connection issue with CISCO ASA

Georg_Reichau — Mon, 09 Jul 2018 17:11:27 GMT

Have you checked the PSK again? MM3 should be part of the key exchange.

Otherwise, what type of VPN Tunnel Sharing is configured in the community?

If your phase 1 comes up again, you see the information in P2, if if needed you can try between the 3 options. I had some problems with 3rd party gateways in the past, when using "One tunnel per subnet pair" or "One tunnel per gateway pair" depending what the partner had configured.

Re: Site-to-Site VPN connection issue with CISCO ASA

Nüüül — Mon, 09 Jul 2018 19:24:44 GMT

Do you have access to the ASA to view the configuration / logs there...?

Most common issue is the "One tunnel per subnet pair" setting not set. Also I had some issues with pfs group set to higher than group5, for any reason, it only worked with group 5 or less.

Next one would be to have a look at the IPSEC and IKE session details on ASA side, to see, if your packets arive there but are not routed back correctly or other issues...