Summary
Reference guide for OCI configuration
Who is this KB written for?
- Projects
- vITM
When should this KB be used or referenced?
- Troubleshooting OCI connection
- Network projects
Oracle DB Users and Admin:
Andrew DeRosa - andrew.derosa@adstradata.com
Oracle Cloud DB IP: 10.0.1.162
Oracle Cloud Public IP: 193.122.131.86
ASA Object: object-group network OBJ-SITE-ORACLE
network 10.0.0.0 255.255.0.0 ****Oracle Cloud Subnet
Local subnets allowed over VPN: object-group network OBJ-SITE-ADSTRA
network 172.20.0.0 255.255.0.0 ****HQ Princeton, NJ Subnet
network 172.25.0.0 255.255.0.0 ****Datacenter Subnet
*** All subnets are CIDR /16 (mask 255.255.0.0)
ASA FW Access Control List
access-list 105 remark *** VPN Tunnel to Oracle Cloud ***
access-list 105 extended permit ip object-group OBJ-SITE-ADSTRA object-group OBJ-SITE-ORACLE
ASA FW NAT
nat (inside,outside) 1 source static OBJ-SITE-ADSTRA OBJ-SITE-ADSTRA destination static OBJ-SITE-ORACLE OBJ-SITE-ORACLE no-proxy-arp route-lookup
ASA FW Crypto MAP
crypto map vpnpeer 5 match address 105
crypto map vpnpeer 5 set pfs group5
crypto map vpnpeer 5 set peer 193.122.131.86
crypto map vpnpeer 5 set ikev1 transform-set CL2OCI
crypto map vpnpeer 5 set security-association lifetime seconds 86400
ASA FW Tunnel-group
tunnel-group 193.122.131.86 type ipsec-l2l
tunnel-group 193.122.131.86 ipsec-attributes
ikev1 pre-shared-key *****
*** ASA command to view the hidden PSK: more system:running-config
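To check whether a given flow actually falls inside the interesting-traffic definition above, and that the NAT line is a clean identity exemption covering the same object groups, here is an added Python example (not part of this KB or of any Cisco tool). It parses the object-group, access-list 105 and nat lines as quoted on this page, with the `****` annotations removed; the parser accepts both `network` (as written above) and the ASA keyword `network-object`.

```python
"""Does a src/dst pair match the OCI tunnel's crypto ACL, and is the NAT rule identity?

Added example, not part of this KB or of any Cisco tool. It parses the
object-group, access-list and nat lines quoted on the page (annotations
stripped) and answers the two questions that usually precede tunnel debugging.
"""
import ipaddress
import re

# Configuration excerpt from this page ('****' annotation comments stripped).
ASA_CONFIG = """\
object-group network OBJ-SITE-ORACLE
 network 10.0.0.0 255.255.0.0
object-group network OBJ-SITE-ADSTRA
 network 172.20.0.0 255.255.0.0
 network 172.25.0.0 255.255.0.0
access-list 105 remark *** VPN Tunnel to Oracle Cloud ***
access-list 105 extended permit ip object-group OBJ-SITE-ADSTRA object-group OBJ-SITE-ORACLE
nat (inside,outside) 1 source static OBJ-SITE-ADSTRA OBJ-SITE-ADSTRA destination static OBJ-SITE-ORACLE OBJ-SITE-ORACLE no-proxy-arp route-lookup
"""

OBJ_GROUP_RE = re.compile(r"object-group network (\S+)$")
# 'network' is how the page writes members; 'network-object' is the ASA keyword.
NETWORK_RE = re.compile(r"network(?:-object)? (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")
ACL_RE = re.compile(
    r"access-list (\S+) extended (permit|deny) (\S+) object-group (\S+) object-group (\S+)$"
)
NAT_RE = re.compile(
    r"nat \(\S+,\S+\) \d+ source static (\S+) (\S+) destination static (\S+) (\S+)"
)


def parse_object_groups(config):
    """Map each network object-group name to its list of IPv4 networks."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJ_GROUP_RE.match(line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        m = NETWORK_RE.match(line)
        if m and current is not None:
            # "10.0.0.0 255.255.0.0" -> 10.0.0.0/16 (ASA writes dotted masks)
            groups[current].append(
                ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            )
    return groups


def parse_acl(config, acl_name):
    """Return (action, proto, src_group, dst_group) entries of one extended ACL, in order."""
    entries = []
    for raw in config.splitlines():
        m = ACL_RE.match(raw.strip())
        if m and m.group(1) == acl_name:
            entries.append(m.groups()[1:])
    return entries


def _in_group(ip, nets):
    return any(ip in net for net in nets)


def crypto_acl_matches(src, dst, config=ASA_CONFIG, acl_name="105"):
    """True if src->dst is permitted by the crypto ACL, i.e. will be sent into the tunnel.

    Entries are evaluated in order. A flow that matches nothing hits the implicit
    deny: it is not encrypted and follows normal routing, which is why such a
    flow never moves the counters in 'show crypto ipsec sa'.
    """
    groups = parse_object_groups(config)
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, _proto, src_grp, dst_grp in parse_acl(config, acl_name):
        if _in_group(s, groups.get(src_grp, [])) and _in_group(d, groups.get(dst_grp, [])):
            return action == "permit"
    return False


def find_nat_mismatches(config):
    """Return (real, mapped) pairs of the twice-NAT rule that are NOT identity.

    The rule on this page must map each group to itself; anything else would
    rewrite addresses before the crypto ACL is evaluated and access-list 105
    would no longer match the flow.
    """
    m = NAT_RE.search(config)
    if not m:
        return [("<no nat rule>", "")]
    src_real, src_mapped, dst_real, dst_mapped = m.groups()
    return [p for p in ((src_real, src_mapped), (dst_real, dst_mapped)) if p[0] != p[1]]


def nat_covers_acl(config, acl_name="105"):
    """True when the identity-NAT rule names the same groups as every crypto ACL entry."""
    m = NAT_RE.search(config)
    if not m:
        return False
    nat_src, nat_dst = m.group(1), m.group(3)
    entries = parse_acl(config, acl_name)
    return bool(entries) and all(s == nat_src and d == nat_dst for _a, _p, s, d in entries)


if __name__ == "__main__":
    print("172.25.10.1 -> 10.0.1.162 in tunnel:", crypto_acl_matches("172.25.10.1", "10.0.1.162"))
    print("NAT mismatches:", find_nat_mismatches(ASA_CONFIG))
    print("NAT covers ACL 105:", nat_covers_acl(ASA_CONFIG))
```

Run it with the server address from the troubleshooting section and the Oracle DB IP to confirm the ping test traffic is interesting traffic; a `False` from `crypto_acl_matches` means the ping will never bring the tunnel up, regardless of what the peer does.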
Troubleshooting
When troubleshooting, both show and debug commands should be used.
From ScreenConnect, SSH into the FW from the server (172.25.10.1); credentials are in PWSTATE.
Show commands
show crypto isakmp sa - shows the status of the IKE session on this device.
*** If the Oracle tunnel does not show Active, initiate traffic from the server by pinging 10.0.1.162 and check again.
show crypto ipsec sa - shows the status of the IPsec SAs. Crucial information to look for: what traffic is being protected, from which IVRF (protected VRF), and whether the IPsec SAs (or SPIs) are in the active state.
In the above case the traffic between the local site subnets (in the global VRF) and the remote Oracle subnet is protected, and the remote peer is 193.122.131.86.
There are two IPsec SAs active (one in each direction), and the output shows the total number of packets processed in each direction.
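As an added example (not part of this KB), the following Python script parses `show crypto isakmp sa` and `show crypto ipsec sa` output and applies the checks described above: whether the IKE SA for peer 193.122.131.86 is MM_ACTIVE, whether inbound and outbound ESP SAs exist, and whether the encaps/decaps counters move in both directions. The sample output is constructed to mirror the ASA IKEv1 output layout and the peer/subnet values on this page; it was not captured from the real firewall, and the local address 203.0.113.10 is a placeholder.

```python
"""Classify the OCI tunnel state from ASA 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not part of this KB. The two samples below are CONSTRUCTED to
mirror the ASA IKEv1 output layout and the peer/subnet values on the page;
203.0.113.10 is a placeholder for the firewall's outside address.
"""
import re

SAMPLE_ISAKMP = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 193.122.131.86
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

SAMPLE_IPSEC = """\
interface: outside
    Crypto map tag: vpnpeer, seq num: 5, local addr: 203.0.113.10

      access-list 105 extended permit ip 172.25.0.0 255.255.0.0 10.0.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (172.25.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
      current_peer: 193.122.131.86

      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
    outbound esp sas:
      spi: 0x5E6F7A8B (1584364171)
"""


def parse_isakmp(text):
    """Return {peer_ip: state} for every IKE SA listed (MM_ACTIVE means phase 1 is up)."""
    sas, peer = {}, None
    for line in text.splitlines():
        m = re.search(r"IKE Peer:\s*(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            sas[peer] = m.group(1)
            peer = None
    return sas


def parse_ipsec(text):
    """Return one dict per crypto-map peer: encaps/decaps counters and ESP SPIs per direction."""
    entries, cur, direction = [], None, None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"current_peer:\s*(\d+\.\d+\.\d+\.\d+)", s)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "inbound_spi": [], "outbound_spi": []}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        m = re.match(r"#pkts (encaps|decaps):\s*(\d+)", s)
        if m:
            cur[m.group(1)] = int(m.group(2))
            continue
        if s.startswith("inbound esp sas"):
            direction = "inbound_spi"
        elif s.startswith("outbound esp sas"):
            direction = "outbound_spi"
        m = re.match(r"spi:\s*(0x[0-9A-Fa-f]+)", s)
        if m and direction:
            cur[direction].append(m.group(1))
    return entries


def diagnose(peer, isakmp_text, ipsec_text):
    """Map the two show outputs to one of: phase1-down, phase2-down, idle, one-way, healthy."""
    if parse_isakmp(isakmp_text).get(peer) != "MM_ACTIVE":
        return "phase1-down"   # KB step: generate interesting traffic (ping 10.0.1.162), re-check
    sa = next((e for e in parse_ipsec(ipsec_text) if e["peer"] == peer), None)
    if sa is None or not (sa["inbound_spi"] and sa["outbound_spi"]):
        return "phase2-down"   # no SA pair: look at 'debug crypto ipsec' for the proposal mismatch
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "idle"          # SAs exist but nothing has been sent yet
    if sa["decaps"] == 0:
        return "one-way"       # we encrypt, nothing returns: remote routing/security lists
    return "healthy"


if __name__ == "__main__":
    print(diagnose("193.122.131.86", SAMPLE_ISAKMP, SAMPLE_IPSEC))
```

Paste the real output of the two show commands into the two sample strings (or read them from files) and call `diagnose` with the Oracle peer; "one-way" is the case the counters in the last paragraph are meant to reveal, since phase 1 and phase 2 both look up while only the outbound direction carries traffic.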
Debugging
To narrow down debugging to one peer, conditional debugging should be used.
On IOS this is done by performing: debug crypto condition peer ipv4 …
Two major components can be debugged:
debug crypto isakmp - Information specific to the ISAKMP exchange. This will contain information about main mode and quick mode negotiation.
debug crypto ipsec - Some phase 2-specific information can be found here.