Weird behaviour of traffic forwarding on tunnel.

Unanswered Question
Sep 29th, 2008

Hi, we have the following problem. We have many tunnel connections with our customers. The customer side is a Cisco 871, and our side is a Cisco VPN concentrator. The configs are identical for every customer, as we deliver an 871 to every customer when we start giving them the service. Now, the tunnel is always up. No IPsec or ISAKMP errors. But when I ping the only host on their side, it does the following:

64 bytes from icmp_seq=183 ttl=62 time=61.2 ms
64 bytes from icmp_seq=184 ttl=62 time=61.9 ms
64 bytes from icmp_seq=185 ttl=62 time=61.1 ms
64 bytes from icmp_seq=186 ttl=62 time=62.2 ms
64 bytes from icmp_seq=187 ttl=62 time=62.6 ms
64 bytes from icmp_seq=188 ttl=62 time=60.7 ms
64 bytes from icmp_seq=189 ttl=62 time=60.9 ms
64 bytes from icmp_seq=190 ttl=62 time=62.7 ms
64 bytes from icmp_seq=191 ttl=62 time=60.5 ms
64 bytes from icmp_seq=192 ttl=62 time=59.8 ms
64 bytes from icmp_seq=193 ttl=62 time=71.9 ms
64 bytes from icmp_seq=194 ttl=62 time=60.5 ms
64 bytes from icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from icmp_seq=196 ttl=62 time=63.1 ms
From icmp_seq=197 Redirect Network(New nexthop:
64 bytes from icmp_seq=197 ttl=62 time=73.0 ms
From icmp_seq=201 Destination Host Unreachable
From icmp_seq=202 Destination Host Unreachable
From icmp_seq=204 Destination Host Unreachable
From icmp_seq=206 Destination Host Unreachable

So the ICMP sequence starts sending and receiving with no problem. Then it suddenly stops receiving data, like there is no route to the host / network, and it tries to get out by our internet gateway. I find it very strange, as they say the ADSL connection they hired is of good quality, and we are not NATing anything. They are not NATing on their side either. Well, they NAT, but they bypass our networks so they can reach the other side of the tunnel. Do you know what could be happening?


godzilla0 Mon, 09/29/2008 - 04:26

3.11 is the VPN concentrator.

3.250 is the firewall that goes to the inet.

The host on our network that is being accessed has the 3.11 as the gateway. So no redirection of any kind is done. It should work.

godzilla0 Mon, 09/29/2008 - 06:31

I'm sorry, but I thought you were about to go further with your answer. I know it's being redirected; the packet wants to go through the inet gateway because of some issue. I want to know why. Thank you anyways.

Well the reason is:- is sending an ICMP Redirect, informing that the best way to get to the remote end is via

So I guess you need to figure out why which is your VPN concentrator right? Why is this device sending the ICMP redirect?

What device is the VPN conc? What version of code?
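
Added example, not part of the thread: a small Python check that reads iputils-style ping output and reports each ICMP redirect, who sent it, the next hop it advertised, and whether echo replies stopped afterwards. The addresses in the sample are constructed documentation placeholders (the page does not show the real ones), and `analyse_ping` is a hypothetical name.

```python
import re

# Constructed sample in iputils ping format; all addresses are placeholders.
SAMPLE = """\
64 bytes from 198.51.100.20: icmp_seq=195 ttl=62 time=59.9 ms
64 bytes from 198.51.100.20: icmp_seq=196 ttl=62 time=63.1 ms
From 192.0.2.11: icmp_seq=197 Redirect Network(New nexthop: 192.0.2.250)
64 bytes from 198.51.100.20: icmp_seq=197 ttl=62 time=73.0 ms
From 192.0.2.30 icmp_seq=201 Destination Host Unreachable
From 192.0.2.30 icmp_seq=202 Destination Host Unreachable
From 192.0.2.30 icmp_seq=204 Destination Host Unreachable
"""

REPLY = re.compile(r"^\d+ bytes from (\S+?):? icmp_seq=(\d+) ")
REDIRECT = re.compile(
    r"^From (\S+?):? icmp_seq=(\d+) Redirect \w+\s*\(New nexthop: (\S+?)\)")
UNREACH = re.compile(r"^From (\S+?):? icmp_seq=(\d+) Destination \w+ Unreachable")


def analyse_ping(text):
    """Return one dict per ICMP redirect, with what followed it."""
    events = []
    for line in (l.strip() for l in text.splitlines()):
        if m := REDIRECT.match(line):
            events.append({"seq": int(m[2]), "sender": m[1],
                           "new_nexthop": m[3],
                           "replies_after": 0, "unreachable_after": []})
        elif m := REPLY.match(line):
            # The router still forwards the packet that triggered the
            # redirect, so a reply with the same seq does not count as
            # traffic surviving the route change.
            for e in events:
                if int(m[2]) > e["seq"]:
                    e["replies_after"] += 1
        elif m := UNREACH.match(line):
            for e in events:
                e["unreachable_after"].append(int(m[2]))
    for e in events:
        # No replies and only unreachables after the redirect: the sender
        # followed the advertised next hop and that path does not reach
        # the tunnel peer.
        e["blackholed"] = (e["replies_after"] == 0
                           and bool(e["unreachable_after"]))
    return events


if __name__ == "__main__":
    for event in analyse_ping(SAMPLE):
        print(event)
```
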

singhsaju Mon, 09/29/2008 - 08:54

Can you also post the routing table of the VPN Concentrator, and the routing table of the 3.250 firewall?

