OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: tomas.morales on August 12, 2016, 02:48:41 pm

Title: Intermittent traffic flow between OPNsense and Cisco ASA VPN
Post by: tomas.morales on August 12, 2016, 02:48:41 pm
Hi all

We are trying to introduce OPNsense in our network, so we are quite newbies.

We have managed to establish an IPsec VPN between OPNsense 16.7-amd64 and a Cisco ASA5545 running asa912-smp-k8.bin.

Our problem is that the traffic is not crossing the VPN while it is established.

For example, trying to ping a machine at the other end takes more than 1 minute to respond, but the IPsec is fully established:


$ ping 10.132.43.117
PING 10.132.43.117 (10.132.43.117) 56(84) bytes of data.
....
64 bytes from 10.132.43.117: icmp_seq=1 ttl=63 time=68.2 ms


From the cisco we see sometimes the below:

Total IKE SA: 5
....
4   IKE Peer: 104.255.200.142
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
5   IKE Peer: 104.255.200.142
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3


From OPNsense, it doesn't report any problem, as far as I can see. We have increased the logging for "SA Manager", "IKE SA", "IKE Child SA" and still the logs don't show anything noticeable.


Any advice for troubleshooting this problem?

Thanks
tomas
Title: Re: Intermittent traffic flow between OPNsense and Cisco ASA VPN
Post by: tomas.morales on August 12, 2016, 02:50:40 pm
we have more VPNs in the cisco ASA and they work fine.
Title: Re: Intermittent traffic flow between OPNsense and Cisco ASA VPN
Post by: tomas.morales on August 17, 2016, 12:07:49 pm
It seems we fixed it.

We have to allow ESP (IP 50) and UDP (isakmp) traffic sent to the firewall itself.
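The ASA listing quoted above (two IKE SAs for the same peer, one MM_ACTIVE and one MM_WAIT_MSG3) is the kind of symptom that points at dropped IKE/ESP packets. The following added script, not from the poster or the OPNsense project, parses that `show isakmp sa` style output and flags peers with duplicate SAs or SAs stuck in a *_WAIT_* state; the sample text and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ASA output quoted in the thread
# (not the poster's real output); peers are documentation-range placeholders.
SAMPLE = """\
Total IKE SA: 3

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
3   IKE Peer: 203.0.113.10
    Type    : user            Role    : responder
    Rekey   : no              State   : MM_WAIT_MSG3
"""

# One IKE SA entry spans three lines: peer, type/role, rekey/state.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)[ \t]*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)[ \t]*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)

def parse_isakmp_sa(text):
    """Return one dict per IKE SA entry found in the ASA output."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def find_problem_peers(entries):
    """Flag peers whose IKE negotiation is not completing.

    More than one IKE SA for a peer, or any SA sitting in an MM_WAIT_* /
    AM_WAIT_* state, suggests IKE (UDP 500/4500) or ESP packets are being
    dropped on the way to one side, which is what the thread's fix addressed.
    """
    by_peer = defaultdict(list)
    for entry in entries:
        by_peer[entry["peer"]].append(entry)
    problems = {}
    for peer, sas in by_peer.items():
        waiting = [s["state"] for s in sas if "_WAIT_" in s["state"]]
        if len(sas) > 1 or waiting:
            problems[peer] = {"sa_count": len(sas), "waiting_states": waiting}
    return problems

if __name__ == "__main__":
    for peer, info in find_problem_peers(parse_isakmp_sa(SAMPLE)).items():
        print(f"{peer}: {info['sa_count']} IKE SAs, waiting: {info['waiting_states']}")
```

Feed it the real listing (redirected to a file or pasted into SAMPLE) and re-run after adjusting the firewall rules; a clean run prints nothing.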