
VPN tunnel is up but there is no dataflow and the security policies are not triggered

Publication Date: 2017-06-30
Issue Description

After the customer configured the VPN tunnel, the VPN session came up, but there is no data flow, and when pinging from the local site to the remote site the security policies are not triggered. The device is a USG6300 running V500R001C30SPC100.

As we can see in the diagnostic output, no encrypted packets are exchanged:

IPSec policy name: "ipsec2031157295"
  Sequence number  : 1
  Acl group        : 3003
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 15
    Encapsulation mode: Tunnel
    Tunnel local      : 62.159.X.X
    Tunnel remote     : 80.X.X.X
    Flow source       : 192.168.X.X/255.255.255.0 0/0
    Flow destination  : 192.168.X.X/255.255.255.0 0/0

    [Outbound ESP SAs]
      SPI: 4074064461 (0xf2d54a4d)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/968
      Max sent sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA encrypted packets (number/bytes): 0/0

    [Inbound ESP SAs]
      SPI: 2788767083 (0xa639356b)
      Proposal: ESP-ENCRYPT-AES-256 ESP-AUTH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/968
      Max received sequence-number: 1
      UDP encapsulation used for NAT traversal: N
      SA decrypted packets (number/bytes): 0/0
      Anti-replay : Enable
      Anti-replay window size: 1024

Handling Process

First I checked the tunnel to confirm that it is up:

===============display ipsec tdbentry===============
Interface: GigabitEthernet0/0/7
  -----------------------------
  IPSec policy/profile name: "ipsec2031157295"
  Sequence number          : 3
  Acl group                : 3003
  Acl rule                 : 5
  Mode                     : ISAKMP
  -----------------------------
    Tunnel local      : 62.X.X.X
    Tunnel remote     : 212.X.X.X
    Flow source       : 192.168.X.X/255.255.255.255 0/0
    Flow destination  : 10.4.X.X/255.255.252.0 0/0
    Inbound tdb flag  : Ready
    Outbound tdb flag : Ready
    Anti-replay       : Enable
    Anti-replay window size   : 1024
    Fragment Before-encryption: Disable


I checked whether the ACL is correct:

acl number 3003
 rule 5 permit ip source 192.168.X.X 0 destination 10.4.X.X 0.0.3.255

Since everything up to this point is configured correctly and the tunnel is up, the next step is to check the traffic flow by displaying the firewall session table for the inside source address:

display firewall session table verbose source inside 192.168.X.X
2017-06-28 14:18:02.489 +02:00 DST
 Current Total Sessions : 1
 icmp  VPN: public --> public  ID: a48f34e8c0b703f0f5953b367
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:18
 Recv Interface: GigabitEthernet0/0/1
 Interface: GigabitEthernet0/0/7  NextHop: 62.159.X.X  MAC: 0000-XXXX-XXXX
 <--packets: 0 bytes: 0 --> packets: 369 bytes: 22,140
 192.168.X.X:1[62.159.X.X:2048] --> 192.168.X.X:2048 PolicyName: VPN_Traffic2DHL
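The session line above carries the key evidence: the address in square brackets is the translated source, and the packet counters show the flow is one-way (369 packets sent, none received). The following Python helper is an added example, not part of the original case; it parses `display firewall session table verbose` output (a constructed sample with stand-in addresses replaces the masked X.X values) and flags sessions whose source was translated even though the destination lies inside a subnet the IPSec ACL is meant to protect:

```python
"""Triage helper for Huawei USG 'display firewall session table verbose'
output: flag sessions whose source was NAT-translated (shown in brackets)
although the destination is inside an IPSec-protected subnet, and report
whether the reverse direction has carried anything.  Sample output and all
addresses below are constructed, not taken from a live device."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# e.g. "192.168.1.10:1[62.159.0.1:2048] --> 10.4.1.20:2048 PolicyName: VPN_Traffic2DHL"
FLOW_RE = re.compile(
    r"^\s*(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_src>[\d.]+):(?P<nat_sport>\d+)\])?"   # translated source, if any
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+PolicyName:\s*(?P<policy>\S+))?")
# e.g. " <--packets: 0 bytes: 0 --> packets: 369 bytes: 22,140"
COUNT_RE = re.compile(
    r"<--packets:\s*(?P<rx>[\d,]+)\s+bytes:\s*[\d,]+\s*-->\s*packets:\s*(?P<tx>[\d,]+)")


@dataclass
class Session:
    src: str
    nat_src: Optional[str]      # None when the source was not translated
    dst: str
    policy: Optional[str]
    rx_packets: int             # reverse direction (remote -> local)
    tx_packets: int             # forward direction (local -> remote)


def parse_sessions(output: str) -> List[Session]:
    """Walk the verbose output; the counter line precedes its flow line."""
    sessions, rx, tx = [], 0, 0
    for line in output.splitlines():
        c = COUNT_RE.search(line)
        if c:
            rx = int(c["rx"].replace(",", ""))
            tx = int(c["tx"].replace(",", ""))
            continue
        f = FLOW_RE.match(line)
        if f:
            sessions.append(Session(f["src"], f["nat_src"], f["dst"], f["policy"], rx, tx))
            rx = tx = 0
    return sessions


def flagged(sessions: List[Session], protected: List[str]) -> List[Session]:
    """Sessions bound for a protected subnet whose source was translated:
    such packets can no longer match a host/subnet-based IPSec ACL."""
    nets = [ipaddress.ip_network(p) for p in protected]
    return [s for s in sessions
            if s.nat_src and any(ipaddress.ip_address(s.dst) in n for n in nets)]


def one_way(s: Session) -> bool:
    """True when traffic leaves but nothing ever comes back."""
    return s.tx_packets > 0 and s.rx_packets == 0


# Constructed sample: one ping toward the remote LAN, one ordinary HTTPS flow.
SAMPLE = """\
display firewall session table verbose source inside 192.168.1.10
2017-06-28 14:18:02.489 +02:00 DST
 Current Total Sessions : 2
 icmp  VPN: public --> public  ID: 0000000000000000000000001
 Zone: trust --> untrust  TTL: 00:00:20  Left: 00:00:18
 Recv Interface: GigabitEthernet0/0/1
 Interface: GigabitEthernet0/0/7  NextHop: 62.159.0.254  MAC: 0000-0000-0001
 <--packets: 0 bytes: 0 --> packets: 369 bytes: 22,140
 192.168.1.10:1[62.159.0.1:2048] --> 10.4.1.20:2048 PolicyName: VPN_Traffic2DHL
 tcp  VPN: public --> public  ID: 0000000000000000000000002
 Zone: trust --> untrust  TTL: 00:10:00  Left: 00:09:40
 Recv Interface: GigabitEthernet0/0/1
 Interface: GigabitEthernet0/0/7  NextHop: 62.159.0.254  MAC: 0000-0000-0001
 <--packets: 12 bytes: 9,876 --> packets: 15 bytes: 2,345
 192.168.1.10:51234[62.159.0.1:2049] --> 203.0.113.9:443 PolicyName: Internet
"""

if __name__ == "__main__":
    for s in flagged(parse_sessions(SAMPLE), ["10.4.0.0/22"]):
        print(f"{s.src} -> {s.dst} translated to {s.nat_src} "
              f"(policy {s.policy}); one-way: {one_way(s)}")
```

Only the ICMP flow toward 10.4.0.0/22 is reported; the HTTPS session to the Internet is translated as intended and left alone.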

As we can see, the traffic is NAT-ed. The next step is to check the NAT policy:

#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action nat address-group outsideip
 rule name LocalNAT
  source-zone local
  destination-zone untrust
  action nat address-group outsideip
#

Seeing this, we can conclude that all traffic coming from the inside 192.168.X.X network is NAT-ed to the outside (untrust) with the IP 62.159.X.X. This means that the ACL is not matching any packets:

acl number 3003
 rule 5 permit ip source 192.168.X.X 0 destination 10.4.X.X 0.0.3.255


Root Cause

To make the traffic match ACL 3003, the NAT policy has to be changed:

#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 192.168.X.X 0.0.0.255
  destination-address 62.159.X.X 0.0.0.255
  action no-nat
 quit
#

With this rule in place, the traffic keeps its original source address and matches the ACL bound to the VPN tunnel.
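The order of operations behind this root cause is that the NAT policy is applied first and only afterwards is the outbound packet compared with the ACL bound to the IPSec policy; once the source has been rewritten to 62.159.X.X it can no longer match `source 192.168.X.X 0`. The Python model below is an added example, not part of the original case: it replays that logic with constructed addresses (192.168.1.0/24 as the local LAN, 10.4.0.0/22 as the remote LAN, 62.159.0.1 as the NAT address) and a no-nat rule keyed on the local and remote LANs that the ACL names. It also goes one step beyond the case text and shows why the no-nat rule has to sit above the general `policy_nat` rule: NAT policy rules are matched top to bottom and the first match wins, so a no-nat rule appended after the catch-all never fires.

```python
"""Model of the USG order of operations that broke this tunnel: the NAT
policy (first match wins) runs before the IPSec ACL is consulted, so a
translated source address no longer selects the SA.  All addresses are
constructed stand-ins for the masked X.X values in the case."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Huawei wildcard mask: 0 bits must match, 1 bits are 'don't care'
    ('0' is a single host, '0.0.0.255' a /24, '0.0.3.255' a /22)."""
    w = "0.0.0.0" if wildcard == "0" else wildcard
    care = ~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class Packet:
    src: str
    dst: str
    src_zone: str
    dst_zone: str


@dataclass
class NatRule:
    name: str
    source_zone: str
    destination_zone: str
    action: str                                        # "nat" or "no-nat"
    source_address: Optional[Tuple[str, str]] = None   # (address, wildcard)
    destination_address: Optional[Tuple[str, str]] = None
    nat_ip: Optional[str] = None                       # address-group member used by "nat"

    def matches(self, pkt: Packet) -> bool:
        if (pkt.src_zone, pkt.dst_zone) != (self.source_zone, self.destination_zone):
            return False
        if self.source_address and not wildcard_match(pkt.src, *self.source_address):
            return False
        if self.destination_address and not wildcard_match(pkt.dst, *self.destination_address):
            return False
        return True


def apply_nat_policy(rules: List[NatRule], pkt: Packet) -> Packet:
    """Rules are evaluated top to bottom; the first match decides."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "no-nat":
                return pkt
            return Packet(rule.nat_ip, pkt.dst, pkt.src_zone, pkt.dst_zone)
    return pkt


AclRule = Tuple[str, str, str, str]   # (src, src_wildcard, dst, dst_wildcard)


def ipsec_acl_matches(pkt: Packet, acl: List[AclRule]) -> bool:
    """Does the (possibly translated) packet still select the IPSec SA?"""
    return any(wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)
               for s, sw, d, dw in acl)


# --- constructed sample topology ---
LAN_HOST = "192.168.1.10"     # ping source behind the USG
REMOTE_HOST = "10.4.1.20"     # host in the remote 10.4.0.0/22
OUTSIDE_IP = "62.159.0.1"     # member of address-group outsideip

# acl number 3003 / rule 5 permit ip source <host> 0 destination 10.4.0.0 0.0.3.255
ACL_3003: List[AclRule] = [(LAN_HOST, "0", "10.4.0.0", "0.0.3.255")]

POLICY_NAT = NatRule("policy_nat", "trust", "untrust", "nat", nat_ip=OUTSIDE_IP)
NO_NAT_FOR_VPN = NatRule("policy_nat1", "trust", "untrust", "no-nat",
                         source_address=("192.168.1.0", "0.0.0.255"),
                         destination_address=("10.4.0.0", "0.0.3.255"))


def tunnel_selected(rules: List[NatRule]) -> Tuple[str, bool]:
    """Return (source address after the NAT policy, whether ACL 3003 matched)."""
    pkt = Packet(LAN_HOST, REMOTE_HOST, "trust", "untrust")
    after = apply_nat_policy(rules, pkt)
    return after.src, ipsec_acl_matches(after, ACL_3003)


if __name__ == "__main__":
    print("original policy      :", tunnel_selected([POLICY_NAT]))
    print("no-nat appended last :", tunnel_selected([POLICY_NAT, NO_NAT_FOR_VPN]))
    print("no-nat placed first  :", tunnel_selected([NO_NAT_FOR_VPN, POLICY_NAT]))
```

Only the third arrangement leaves the source at 192.168.1.10 and lets the packet select the IPSec SA; in the other two the catch-all rule rewrites the source and the ACL never sees a matching packet.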

