2012-03-09 19:49 - edited 2012-03-09 19:51
Hello Nokia People
I have a Nokia E7 and I am trying to connect to my company's colocation facility for support. I have access to all the firewalls, routers and switches involved. To make things simple for troubleshooting I used the default template Cisco_ASA_pskxauth.pol and modified it. I changed the server IP, the PSK and the protocols (from AES SHA to 3DES and MD5). When I try to connect it seems to connect fine, and the ASA confirms this. But any pings sent from the destination to the phone fail. I am including the results I got from the ASA.
Detailed ISAKMP SA
12 IKE Peer: xx.xx.9.114
Type : user Role : responder
Rekey : no State : AM_ACTIVE
Encrypt : 3des Hash : MD5
Auth : preshared Lifetime: 86400
Lifetime Remaining: 86117
Notice the Encaps and the Decaps. This means my firewall is correctly sending and receiving secure data successfully.
peer address: xx.xx.9.114
Crypto map tag: dialin, seq num: 500, local addr: 72.38.228.130
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.50.50.3/255.255.255.255/0/0)
current_peer: xx.xx.9.114, username: gpsnet
dynamic allocated peer ip: 10.50.50.3
#pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 30, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.:xx.xx.228.130, remote crypto endpt.: xx.xx.9.114
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 1D19D9A8
inbound esp sas:
spi: 0xF85C7D13 (4166810899)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 10985472, crypto-map: dialin
sa timing: remaining key lifetime (sec): 3191
IV size: 8 bytes
replay detection support: Y
outbound esp sas:
spi: 0x1D19D9A8 (488233384)
transform: esp-3des esp-md5-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 10985472, crypto-map: dialin
sa timing: remaining key lifetime (sec): 3191
IV size: 8 bytes
replay detection support: Y
Here are the pings as tracked by the ASA. I got no returns.
ICMP echo request from Inside:192.168.2.30 to Outside:10.50.50.3 ID=1 seq=15 len=32
ICMP echo request from Inside:192.168.2.30 to Outside:10.50.50.3 ID=1 seq=16 len=32
If anyone can shed some light that would be awesome.
2012-03-12 17:03
BTW. Just to keep people in the loop.
It seems to be just my very small loop.
But anyway.
I have solved my own issue; it was a broken VPN config on the ASA.
I have gotten it to work with another meshed VPN.
It doesn't seem terribly stable, usually dropping after one minute sometimes.
If I manage to get some traffic across it, it seems to stay open.
Steve
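An added example, not part of the thread or of any Cisco or Nokia tooling: a small Python parser for IPsec SA output in the layout quoted in the first post. It compares two snapshots taken before and after a ping test to show which direction is moving, and flags the 3DES/MD5 transforms the template was changed to. The sample text, the function names and the legacy list are assumptions made for illustration, and the diagnosis assumes no other traffic uses the tunnel during the test.

```python
import re

# Constructed sample in the layout of the ASA output quoted in the first post.
SAMPLE = """\
#pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30
#pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
inbound esp sas:
transform: esp-3des esp-md5-hmac none
outbound esp sas:
transform: esp-3des esp-md5-hmac none
"""

# Transform names treated as legacy (assumption: adjust to local policy).
LEGACY = {"esp-des", "esp-3des", "esp-md5-hmac"}

COUNTER_RE = re.compile(r"#([^:#\n]+):\s*(\d+)")
TRANSFORM_RE = re.compile(r"^\s*transform:\s*(.+)$", re.M)


def parse_sa(text):
    """Return (counters dict, set of transform names) for one SA block."""
    counters = {k.strip(): int(v) for k, v in COUNTER_RE.findall(text)}
    transforms = set()
    for line in TRANSFORM_RE.findall(text):
        transforms.update(t for t in line.split() if t != "none")
    return counters, transforms


def legacy_transforms(text):
    """Transforms in use that appear on the legacy list."""
    return sorted(parse_sa(text)[1] & LEGACY)


def diagnose(before, after):
    """Classify tunnel traffic between two snapshots of the same SA."""
    b, a = parse_sa(before)[0], parse_sa(after)[0]
    out = a.get("pkts encaps", 0) - b.get("pkts encaps", 0)
    inn = a.get("pkts decaps", 0) - b.get("pkts decaps", 0)
    if out > 0 and inn > 0:
        return "both"          # traffic in both directions
    if out > 0:
        return "one-way-out"   # ASA encrypts and sends, nothing comes back
    if inn > 0:
        return "one-way-in"    # peer sends, ASA has nothing to return
    return "idle"              # test traffic never reached the tunnel


if __name__ == "__main__":
    after = SAMPLE.replace("encaps: 30", "encaps: 34")  # constructed snapshot
    print(legacy_transforms(SAMPLE), diagnose(SAMPLE, after))
```
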