Unable to ping remote subnet after tunnel is established

Unanswered Question
May 8th, 2007
User Badges:

I am connecting a Cisco ASA 5505 and a Symantec Gateway 460R device via site to site VPN tunnel, and the Phase 1 (IKE) and Phase 2 (IPSec) negotiations go thru just fine. I show 1 active IKE and 1 active ipsec on the monitoring screen. However, when I try to ping a device on the remote subnet, the pings time-out. I can ping the public IP of the outside interface on the peer device, but if I try to ping anything on the inside interface, I get a time-out. If the tunnel is established, shouldn't my subnet be able to communicate with the remote subnet?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
acomiskey Tue, 05/08/2007 - 16:17
User Badges:
  • Green, 3000 points or more

A little more info may be needed here. ASA config would be nice.

reido2131 Wed, 09/26/2007 - 14:01
User Badges:

Without knowing a litle more about how each end of the network is set up, it might be a little hard to narrow this down with just the config file. If you do a tracert, does that completely fail?

The next 2 issues to look at would be 1-Are there any ACLs, or the like, on either end that is blocking ICMP Ping traffic? and 2-Does the host that you are pinging on the other end know where to send the response?

You may need to add a static route to the host on the other end to make sure that it knows which interface or IP on the network to send the response back out through.

Be aware, that if you add a static route to a Windows Server or Workstation, it will stay in there only as long as the computer has not been rebooted. I haven't found a way to keep it in there permanently.


thomasdzubin Fri, 09/28/2007 - 07:21
User Badges:

You can add a "permanent" route to a MS-Windows system by using the "-p" flag on the ROUTE ADD command. Here's a screen cut-and-paste from the help shown when you just give the ROUTE command without any argument:

" -p When used with the ADD command, makes a route persistent across

boots of the system. By default, routes are not preserved

when the system is restarted. Ignored for all other commands,

which always affect the appropriate persistent routes. This

option is not supported in Windows 95."

james.rugh Thu, 06/21/2007 - 14:37
User Badges:

I am having the same problem between an ASA and an 871w. The tunnel is up. However, on the ASA, if I do a "debug icmp trace", and then ping from a device on the remote end to the ASA inside interface, I see the icmp echo requests come in to the inside interface, but the ASA echo replies go back out the outside interface. It's as though traffic is not routing to the remote properly through the tunnel. I've checked the no-nat access-list - looks ok to me.


This Discussion