IKE packets not seen on ASA end

Started by SimonV, March 17, 2016, 03:50:25 AM


SimonV

We have a bit of a strange one that's been ongoing for two days. A warehouse in Africa has been down for several days now and the third party does not see our IKE traffic arriving on their ASA. We have pretty much done everything we can, even captured the traffic leaving our edge firewall. Their packets make it to ours, and we respond fine and see that leaving as well. Pings from us to them get through as well. They are running 8.2(1). Anyone ever seen this sort of behavior?

I've asked them to verify or capture on their internet provider's CPE but I'm not sure how long that will take...

Reggle

Exactly what I would guess: CPE of the provider. Is it behind a NAT?

SimonV

It shouldn't be; they have a public IP on their outside interface. We agreed that they would span the CPE interface on the switch for a minute or so.

On our end, we are behind NAT, but this is working fine for us, with and without NAT-T, and we have 30+ tunnels without issues. We did have our share of bugs with the SRX but none so far with the latest JunOS version. And we also verify our packets going out to the ISP so my guess is either the ASA is glitching or it gets dropped on the internet.

routerdork

I've run into issues in the past with sites in Asia and South America using Cisco ASAs. All the ISPs swore they weren't blocking IPsec packets. Each continent had a hub site, but if it wasn't turned up yet we would connect the backups back to the US to our main DC. For some of the sites the packets would never make it to the remote sites, but you could see ICMP hitting from the DC constantly. We also ran into the same issue with SSH not working and had to use Telnet from the US. We were less than pleased. We ended up having to tunnel to another site in country, or at a few sites no backup tunnel at all.
"The thing about quotes on the internet is that you cannot confirm their validity." -Abraham Lincoln

SimonV

It is very strange, I've received the pcap file now from in front of their FW and they are not getting anything back from us. Looking at the providers now, I need confirmation our IKE is crossing the router and what other providers are between us.
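One way to do the check this thread keeps coming back to (confirm from a capture which IKE initiations got a reply, both on plain UDP/500 and under NAT-T on UDP/4500) is to pair messages by initiator SPI. This is an added example, not from any poster; the addresses, SPIs and packets are constructed, and packets are fed in as plain tuples rather than read from a pcap.

```python
import struct
IKE_PORT, NATT_PORT = 500, 4500
# ISAKMP header: initiator SPI, responder SPI, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # on UDP/4500 this prefix marks IKE; anything else is ESP-in-UDP

def parse_ike(dport, payload):
    """Return (initiator_spi, responder_spi, nat_t) for an IKE datagram, or None if it is not IKE."""
    nat_t = dport == NATT_PORT
    if nat_t:
        if not payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP data, not an IKE message
        payload = payload[len(NON_ESP_MARKER):]
    elif dport != IKE_PORT:
        return None
    if len(payload) < ISAKMP_HDR.size:
        return None
    i_spi, r_spi, *_rest = ISAKMP_HDR.unpack_from(payload)
    return i_spi, r_spi, nat_t

def unanswered_initiations(packets):
    """packets: (src, dst, dport, payload) tuples captured at the edge firewall. An all-zero responder
    SPI marks the first message of a negotiation; a later message with the same initiator SPI is a reply."""
    started, answered = {}, set()
    for src, dst, dport, payload in packets:
        hdr = parse_ike(dport, payload)
        if hdr is None:
            continue
        i_spi, r_spi, nat_t = hdr
        if r_spi == bytes(8):
            started.setdefault(i_spi, (src, dst, "NAT-T" if nat_t else "IKE/500"))
        else:
            answered.add(i_spi)
    return {spi: info for spi, info in started.items() if spi not in answered}

def ike_msg(i_spi, r_spi, nat_t=False):
    """Constructed minimal IKEv1 header (version 1.0, identity protection exchange) for the demo."""
    hdr = ISAKMP_HDR.pack(i_spi, r_spi, 1, 0x10, 2, 0, 0, ISAKMP_HDR.size)
    return NON_ESP_MARKER + hdr if nat_t else hdr

# Constructed capture; 203.0.113.10 / 198.51.100.20 are documentation addresses, not the thread's.
OURS, THEIRS = "203.0.113.10", "198.51.100.20"
SAMPLE = [
    (OURS, THEIRS, 500, ike_msg(b"\x11" * 8, bytes(8))),               # our initiation, never answered
    (THEIRS, OURS, 500, ike_msg(b"\x22" * 8, bytes(8))),               # their initiation reaches us ...
    (OURS, THEIRS, 500, ike_msg(b"\x22" * 8, b"\x33" * 8)),            # ... and our reply goes out
    (OURS, THEIRS, 4500, ike_msg(b"\x44" * 8, bytes(8), nat_t=True)),  # NAT-T initiation, never answered
    (OURS, THEIRS, 4500, b"\x00\x00\x12\x34" + b"\x00" * 28),          # ESP-in-UDP, ignored
]

for spi, (src, dst, kind) in unanswered_initiations(SAMPLE).items():
    print(f"{kind} initiation {spi.hex()} {src} -> {dst}: no response seen")
```

Run against a capture taken on each side of the suspect hop, an initiation that is unanswered on the far side but answered on the near side points at the path in between rather than at either peer.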

SimonV

So both ends logged tickets with their ISPs, and Thursday evening it magically started working again. We did some looking glass checks and there was only one AS between our ISP and theirs. Our provider says that they have been troubleshooting with the intermediate NOC, that they both saw the traffic getting through, and that they suspect it was the local ISP. They haven't provided any feedback in writing though. No surprise, the local ISP claims they haven't changed anything, so this is now turning into politics...

deanwebb

One of them is...
:vendors:

Because the other one is...
:mssql:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.