GCP <-> ASA - Tunnel subnet problem

Hello Everyone.
I have a VPN tunnel set up between GCP and a Cisco ASA, using dynamic routing with BGP.
The tunnel interface address on the GCP side is 169.x.x.1 and on the ASA side 169.x.x.2.
There is only one network in GCP: GCP-NETWORK.
I ran into a small problem: when I send a request to a host located in GCP-NETWORK using the ASA address 169.x.x.2, I don't get a response. It looks like the Cloud Router in GCP doesn't know how to reach that network when sending the response.
Do you have any idea what the problem might be and how to fix it? 

Solved

Hi,

To understand your concern better, please answer the following questions.

1. What is the reason for pinging or testing the connection to a host in the GCP network using the ASA's BGP IP address?
2. Can you share the status of your VPN tunnel and BGP session? Are they both established?
3. Instead of using the BGP IP address, can you try to ping from a normal source in the GCP network to the on-prem device as the destination and share the result with us?

I hope to receive a response to these questions.

Hey @VannGuce 
Thank you for your reply.

1. We are testing the SCEP function on the ASA, and it needs to download certs from a Windows certificate server located in GCP. The ASA uses the interface closest to the host located in GCP, which is the tunnel interface 169.x.x.2. Using the Event Log in GCP I can see that the ASA successfully reaches the CA server, but in the other direction the log is empty.

2. The tunnels are established, because from other subnets behind the ASA I have normal access to the CA server. Here I am sure it works properly.

3. Same result as in point 2. Everything works properly. The problem is only with the tunnel IP as the source.

I thought the problem was that it's a Windows Server and can't reach the 169.254.x.x/16 subnet because it's APIPA, but even when I added a static route the problem was the same.

It looks like GCP is blocking something, or the traffic is redirected somewhere other than the tunnel.

Since the VPN status is established, communication between the GCP network and the on-premises network is open. Regarding this concern, the problem here is the use of an APIPA address. APIPA addresses are not routable on the wider internet. Therefore, if you try to ping an APIPA address from outside the local network, it will not succeed. It can only communicate within the same network.
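To make the asymmetry described in this thread concrete, here is an added Python example (not from the original posts, and not Google Cloud or Cisco code) that runs a longest-prefix lookup over two constructed route tables: the ASA's, and the VPC routes the Cloud Router programs from its BGP session. All addresses (169.254.10.0/30 for the tunnel, 10.10.0.0/24 on-prem, 10.20.0.0/24 for GCP-NETWORK, 10.20.0.5 for the CA server) are placeholders chosen for the example. The one assumption about the real setup is the usual one: the ASA advertises its on-prem subnets over BGP and not the tunnel's link-local /30, so the VPC has no return route to 169.254.x.2.

```python
"""Round-trip reachability check for a BGP-over-VPN tunnel (added example).

Models the situation in the thread: the ASA sources traffic from its tunnel
address (a 169.254.0.0/16 link-local address), the request reaches the VM in
GCP-NETWORK, but the VPC has no route back to the link-local source because
that prefix is never advertised over BGP.  All addresses are constructed
placeholders, not the poster's real ones.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: str      # egress interface or tunnel name
    origin: str   # "connected", "static" or "bgp"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def lookup(table: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match, as a router's forwarding table would do it."""
    ip = ipaddress.IPv4Address(addr)
    candidates = [r for r in table if ip in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


# Placeholder addressing (assumed for the example, not from the thread).
TUNNEL_GCP = "169.254.10.1"   # Cloud Router side of the tunnel /30
TUNNEL_ASA = "169.254.10.2"   # ASA side of the tunnel /30
ASA_INSIDE = "10.10.0.1"      # ASA inside interface, on an advertised subnet
CA_SERVER = "10.20.0.5"       # Windows CA in GCP-NETWORK

# ASA routing table: connected inside + tunnel /30, GCP-NETWORK learned via BGP.
ASA_ROUTES = [
    Route(net("10.10.0.0/24"), "inside", "connected"),
    Route(net("169.254.10.0/30"), "tunnel1", "connected"),
    Route(net("10.20.0.0/24"), "tunnel1", "bgp"),
]

# VPC routes programmed by the Cloud Router: the subnet itself plus whatever
# the ASA advertises.  The ASA advertises 10.10.0.0/24; the tunnel's
# link-local /30 is the peering link, not an advertised prefix, so it never
# appears here (assumption stated in the lead-in).
GCP_ROUTES = [
    Route(net("10.20.0.0/24"), "vpc-subnet", "connected"),
    Route(net("10.10.0.0/24"), "vpn-tunnel-1", "bgp"),
]


def check_round_trip(src: str, dst: str,
                     fwd_table: List[Route], rev_table: List[Route]) -> dict:
    """Look up the forward path on the sender's table and the return path on
    the receiver's table; both must hit for a reply to come back."""
    fwd = lookup(fwd_table, dst)
    rev = lookup(rev_table, src)
    return {
        "src": src,
        "dst": dst,
        "src_is_link_local": ipaddress.IPv4Address(src).is_link_local,
        "forward_via": fwd.via if fwd else None,
        "return_via": rev.via if rev else None,
        "ok": fwd is not None and rev is not None,
    }


def explain(result: dict) -> str:
    """Human-readable verdict for one round-trip check."""
    if result["ok"]:
        return (f"{result['src']} -> {result['dst']}: forward via "
                f"{result['forward_via']}, return via {result['return_via']}")
    if result["return_via"] is None and result["src_is_link_local"]:
        return (f"{result['src']} -> {result['dst']}: request leaves via "
                f"{result['forward_via']} but the remote side has no route to "
                f"the link-local source; reply is dropped")
    return f"{result['src']} -> {result['dst']}: no path"


if __name__ == "__main__":
    # Scenario 1: what the thread describes (SCEP sourced from the tunnel IP).
    print(explain(check_round_trip(TUNNEL_ASA, CA_SERVER, ASA_ROUTES, GCP_ROUTES)))
    # Scenario 2: the same request sourced from an inside address the ASA advertises.
    print(explain(check_round_trip(ASA_INSIDE, CA_SERVER, ASA_ROUTES, GCP_ROUTES)))
```

Running it shows the forward lookup succeeding and the return lookup failing when the tunnel address is the source, and both succeeding when an inside address on an advertised subnet is the source. The practical check on a real deployment is the same: confirm that the prefix containing the source address you use appears among the routes the Cloud Router learned from the ASA; a 169.254.0.0/16 tunnel address will not, which is why sourcing the SCEP enrollment from an advertised interface rather than the tunnel interface is the usual way around this.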