07-06-2008 06:05 AM - edited 02-21-2020 03:48 PM
Topology
10.23.26.2---\
-------------WAN-asa 5520
10.23.26.198-/
10.23.26.2 has subnet 172.16.16.0/24, asa - 192.168.10.0/24
10.23.26.2#ping ip 192.168.10.212 so 172.16.16.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.212, timeout is 2 seconds:
Packet sent with a source address of 172.16.16.1
.....
Success rate is 0 percent (0/5)
But I see both the request and the reply on the ASA:
asa# ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72
ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72
But when I simply change 10.23.26.2 to 10.23.26.198 on the ASA, the tunnel works successfully in both directions.
I don't have any ideas; none of the possible solutions helps: reverse-route, df, tcp adjust-mss.
Please help: where am I wrong?
07-06-2008 02:05 PM
clear crypto isakmp sa
clear crypto ipsec sa
conf t
logg on
logg mon 7 (or logg con 7)
deb crypto ipsec
deb crypto isakmp
07-06-2008 08:20 PM
07-06-2008 10:42 PM
try to ping and
show "sh crypto ipsec sa" on both sides
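As an added example for this step (not a tool from Cisco or from anyone in this thread), here is a small Python script that reads "sh crypto ipsec sa" output and flags SAs whose counters only move in one direction, which is what the symptom above would look like on the ASA side: the echo request is decrypted (decaps goes up) while the reply never enters the tunnel (encaps stays at 0). The sample text in the script is constructed to match the thread's topology, follows the ASA "show crypto ipsec sa" layout, and the 172.16.17.0/24 network behind the second peer is an assumption added for contrast; the real output from both sides should be pasted in its place.

```python
"""Parse ASA 'show crypto ipsec sa' output and flag SAs that carry traffic one way only.

Added example for this thread, not Cisco's tool and not the posters' output. The
sample below is constructed: addresses follow the thread's topology, the field
layout follows the ASA 'show crypto ipsec sa' format, and the 172.16.17.0/24
network behind the second peer is an assumption used for contrast.
"""
import re
from dataclasses import dataclass

# Constructed sample output (not captured from the poster's ASA).
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 10.23.26.6

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.16.0/255.255.255.0/0/0)
      current_peer: 10.23.26.2

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 0

    Crypto map tag: outside_map, seq num: 20, local addr: 10.23.26.6

      local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
      current_peer: 10.23.26.198

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #send errors: 0, #recv errors: 0
"""


@dataclass
class IpsecSa:
    seq: int
    peer: str
    local_net: str
    remote_net: str
    encaps: int       # packets this box encrypted into the tunnel
    decaps: int       # packets this box decrypted out of the tunnel
    send_errors: int


def _field(pattern, block, default="0"):
    m = re.search(pattern, block)
    return m.group(1) if m else default


def parse_ipsec_sa(text):
    """Return one IpsecSa per 'Crypto map tag:' block in the output."""
    sas = []
    for block in re.split(r"(?m)^\s*Crypto map tag:", text)[1:]:
        sas.append(IpsecSa(
            seq=int(_field(r"seq num:\s*(\d+)", block)),
            peer=_field(r"current_peer:\s*([\d.]+)", block, "?"),
            local_net=_field(r"local ident[^:]*:\s*\(([^/]+/[^/]+)", block, "?"),
            remote_net=_field(r"remote ident[^:]*:\s*\(([^/]+/[^/]+)", block, "?"),
            encaps=int(_field(r"#pkts encaps:\s*(\d+)", block)),
            decaps=int(_field(r"#pkts decaps:\s*(\d+)", block)),
            send_errors=int(_field(r"#send errors:\s*(\d+)", block)),
        ))
    return sas


def diagnose(sas):
    """Return one finding string per SA whose counters show one-way traffic."""
    findings = []
    for sa in sas:
        flow = f"{sa.local_net} <-> {sa.remote_net} via peer {sa.peer} (seq {sa.seq})"
        if sa.decaps > 0 and sa.encaps == 0:
            # Inbound only: the remote side's packets arrive and are decrypted, but
            # nothing destined for that remote network is being matched into this SA
            # on the way out, so replies leave the box outside the tunnel.
            findings.append(f"inbound-only SA {flow}: {sa.decaps} decaps, 0 encaps; "
                            "return traffic is leaving outside this SA")
        elif sa.encaps > 0 and sa.decaps == 0:
            findings.append(f"outbound-only SA {flow}: {sa.encaps} encaps, 0 decaps; "
                            "remote side is not sending back into this SA")
        if sa.send_errors:
            findings.append(f"{flow}: {sa.send_errors} send errors")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_ipsec_sa(SAMPLE_OUTPUT)) or ["no one-way SAs found"]:
        print(line)
```

Run it once against the ASA output and once against the router's; the side that shows decaps rising with encaps stuck at 0 is the side whose outbound path for that subnet is not reaching the SA, which narrows the search to that box's crypto ACL, crypto map ordering and NAT handling for the return flow.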
07-06-2008 11:12 PM
07-07-2008 12:57 AM
Looks like all is OK with the VPN.
Are you able to ping 192.168.10.212 from the 192.168.10.0/24 network?
07-07-2008 01:22 AM
>Are you able to ping 192.168.10.212 from the 192.168.10.0/24 network?
Yes, and as I wrote in the first message, the ICMP reply arrived at the ASA:
#debug icmp trace
ICMP echo request from outside:172.16.16.1 to inside:192.168.10.212 ID=48 seq=0 len=72
ICMP echo reply from inside:192.168.10.212 to outside:172.16.16.1 ID=48 seq=0 len=72
Logging of denied packets was enabled, and there were no dropped pings at this time (only the normal messages about built/torn-down connections are logged).
The router doesn't receive this reply.
There is no firewalling on it; checked with "debug ip packets" and "debug crypto engine pack".
I cannot check this now, but it looks like the ASA sends the reply out the outside interface without tunneling.
When the remote peer is 10.23.26.198, routing of the same subnet (172.16.16.0) into the tunnel works fine.
07-07-2008 01:50 AM
internal topology (asa site)
10.23.26.6/30 (outside Gig0/1 asa)-10.10.10.2/30 (inside gig 0/0 asa) <->10.10.10.1/30 (gig eth, cat3560)-192.168.10.212/24 (vlan 1, cat3560)