L2L tunnel issue

Answered Question
Aug 6th, 2007

hello...


I created an L2L tunnel between a VPN 3005 and a Juniper NetScreen. The tunnel is up, but we are both unable to ping the allowed IP. Another thing: I only see RX traffic from him but no TX traffic from me. Suspecting keepalives...


This is the second tunnel I built on this VPN 3005 box; the first has no issues like what I am experiencing now...


Can anyone assist with this issue? Thanks in advance.

srue Mon, 08/06/2007 - 05:43

Could this be an internal routing issue on your side? It sounds like traffic from your side isn't even making it across the tunnel, while his is... right?


Clear the tunnel, and try to initiate from your side to see if traffic you originate can bring it up.

szajihsaniatan Mon, 08/06/2007 - 10:30

I'm not sure what may be blocking it. I attached a drawing of the L2L tunnel design. The tunnel is supposed to allow the 172 network to reach the 192 network. I do have a PIX attached to the same network as the 192; could that be blocking traffic? I checked for documentation but couldn't find any...


Thanks in advance.

Jon Marshall Mon, 08/06/2007 - 11:09

Hi


What is the default gateway of the PC 192.168.10.10?


Also, what version of software are you running on the PIX?


Jon

Correct Answer
Jon Marshall Mon, 08/06/2007 - 11:24

Hi


Okay, that is your problem. When the 192.168.10.10 PC tries to send traffic back to the 172.16.10.10 PC, the traffic first goes to the PIX. But because you are running v6.x of the PIX, it is not allowed to send the traffic back out the same interface it came in on, and it needs to do this to send the traffic to the VPN 3005.


With PIX v7.x you can do this, but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying that to get to 172.16.10.10, go to 192.168.10.15.


HTH


Jon

szajihsaniatan Mon, 08/06/2007 - 11:28

OK, that makes sense. Can I just add a static route to the PIX stating: route 172.16.10.10 255.255.255.255 192.168.10.15 ?


Thanks

Jon Marshall Mon, 08/06/2007 - 11:42

Hi


No, you can't, because your PIX will not route the traffic back out of the same interface it was received on unless your PIX is running version 7.x code.


You need to add the static route to the client PC.


Jon
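The forwarding logic behind the accepted answer (the PIX 6.x post above) and the follow-up about why a route on the PIX itself does not help, as an added example that is not part of the original thread. It models the PC's routing table, the PIX's routing table and the v6.x rule that a packet may not leave on the interface it arrived on, and shows three cases: the original setup (dropped at the PIX), the accepted fix (a /32 host route on the PC, which longest-prefix match prefers over the default route), and the PIX 7.x alternative, where hairpinning is enabled with `same-security-traffic permit intra-interface`. Everything not stated in the thread is an assumption: the PIX inside address 192.168.10.1 as the PC's default gateway, the interface names, and the outside next hop 203.0.113.1.

```python
import ipaddress

# Topology from the thread. PIX_INSIDE and the interface names are assumptions,
# not values the posts give.
PC_INSIDE = "192.168.10.10"       # local PC behind the PIX
PC_REMOTE = "172.16.10.10"        # PC behind the Juniper NetScreen
VPN3005_INSIDE = "192.168.10.15"  # VPN 3005 private-side address (from the accepted answer)
PIX_INSIDE = "192.168.10.1"       # ASSUMED: PIX inside address, the PC's default gateway


def next_hop(route_table, dst):
    """Longest-prefix match over [(prefix, gateway, iface)].
    Returns (gateway, iface); gateway is None for a directly connected prefix."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return (best[1], best[2]) if best else (None, None)


# The PC's table as the asker had it: everything off-subnet goes to the PIX.
PC_ROUTES = [
    ("192.168.10.0/24", None, "lan"),   # directly connected
    ("0.0.0.0/0", PIX_INSIDE, "lan"),   # default route -> PIX
]

# The accepted fix: a host route on the PC pointing the remote PC at the VPN 3005.
# On Windows XP (persistent across reboots):
#   route -p add 172.16.10.10 mask 255.255.255.255 192.168.10.15
PC_ROUTES_FIXED = [("172.16.10.10/32", VPN3005_INSIDE, "lan")] + PC_ROUTES

# The PIX's table, including the route the asker wanted to add. It still does not
# help on 6.x because the egress interface equals the ingress interface.
PIX_ROUTES = [
    ("192.168.10.0/24", None, "inside"),
    ("172.16.10.0/24", VPN3005_INSIDE, "inside"),
    ("0.0.0.0/0", "203.0.113.1", "outside"),  # ASSUMED outside next hop (TEST-NET-3)
]


def pix_forward(dst, ingress_iface, hairpin_allowed):
    """PIX forwarding decision. v6.x refuses to send a packet back out the
    interface it came in on; v7.x allows it once
    `same-security-traffic permit intra-interface` is configured."""
    gw, egress = next_hop(PIX_ROUTES, dst)
    if egress == ingress_iface and not hairpin_allowed:
        return ("dropped", "pix refused to route back out " + ingress_iface)
    return ("forwarded", gw)


def trace(pc_routes, pix_hairpin):
    """Hops taken by a packet from PC_INSIDE to PC_REMOTE, ending at the VPN 3005
    or at a DROP marker."""
    gw, _ = next_hop(pc_routes, PC_REMOTE)
    path = ["pc:" + PC_INSIDE]
    if gw == VPN3005_INSIDE:
        path.append("vpn3005:" + gw)  # handed straight to the concentrator
        return path
    path.append("pix:" + str(gw))
    status, detail = pix_forward(PC_REMOTE, "inside", pix_hairpin)
    if status == "dropped":
        path.append("DROP " + detail)
    else:
        path.append("vpn3005:" + detail)
    return path


if __name__ == "__main__":
    print("pix 6.x, no host route:", trace(PC_ROUTES, False))
    print("pix 6.x, host route on PC:", trace(PC_ROUTES_FIXED, False))
    print("pix 7.x, hairpin permitted:", trace(PC_ROUTES, True))
```

The host-route fix works because the /32 entry wins longest-prefix match on the PC, so the packet never touches the PIX; note that it has to be added on every 192.168.10.0/24 host that needs to reach the far side of the tunnel, which is why the PIX 7.x hairpin (or putting the route on the PIX once it can hairpin) scales better.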

szajihsaniatan Mon, 08/06/2007 - 11:46

I'll give this a try and update with results...


Again, thanks for your assistance...

srue Mon, 08/06/2007 - 19:04

There is one more option if you're feeling adventurous: enable RIP on the inside interface of the concentrator (RIP v1) and RRI. Then enable the RIP listener on XP.

Jon Marshall Mon, 08/06/2007 - 22:23

"if you're feeling adventurous... enable RIP"


Now that would be adventurous!! :)

szajihsaniatan Thu, 08/09/2007 - 04:44

Jon Marshall, you are the man! Adding the route statement worked! I remember reading about this PIX not allowing traffic back out the same interface, but forgot all about it...


Thanks again!

Jon Marshall Thu, 08/09/2007 - 05:07

No problem. Thanks for letting us know it worked and for the ratings.


Glad to be of help.


Jon
