2 site-to-site VPNs, PING behaves differently

Oct 23rd, 2009
Two site-to-site VPNs on an ASA5510; trying to ping between the local hosts. On one VPN the PING gets a reply, on the other it doesn't.

Where it works the Log Viewer shows me traffic between LocalHost/512 and LocalHost/0 - using port 512? Where it does not work I see traffic between LocalHost/1 and LocalHost/0 - using port 1? I think some unwanted translation, or something, is leading the traffic astray, and these port(?) differences are pointing to it. Any ideas? Thanks.

mcmurphytoo Fri, 10/23/2009 - 06:01
I have one addition to the problem statement. On the working VPN I get an inbound connection from the remote end's local host to my end's local host, as well as an outbound connection the other way. On the non-working VPN I get the outbound connection from my end to the far end, but never the inbound connection from the far end to the near end.

andrewswanson Mon, 10/26/2009 - 06:16

Are the local host PCs using firewalls? Check that the far end host's firewall allows ICMP.

mcmurphytoo Mon, 10/26/2009 - 10:29
I don't control the far end local host. An institution supports many client VPNs at that end; their support says it's ready for me to PING. I ping my local host (locally, of course, not from the tunnel) successfully, and I've disabled its firewall long enough to test the VPN. What my ASA5510 firewall log says I'm missing is a "Built Inbound ICMP connection for foreign\0 \ global/1 \ local/1". I get the "Built outbound ICMP connection for foreign/0 \ global/1 \ local\1", and the "Teardown ICMP connection for foreign/0 \ global/1 \ local/1".

On my other VPN, where PING works, the global and local addresses are always showing global/512 and local/512 instead of global/1 and local/1.
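To make the comparison the poster is doing by eye repeatable, here is an added example (not from the thread or from Cisco) that parses ASA "Built/Teardown ICMP connection" syslog lines, groups them per foreign/local host pair, reports which pairs only ever built the outbound side, and flags any pair where the value after the global address differs from the value after the local address (which is what a translation rewriting that field would look like). The log lines are constructed to match the 302020/302021 message shape the thread quotes; the addresses are placeholders, and the number after each address is treated only as an opaque ICMP field, not as a transport port.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the shape of ASA 302020/302021
# ICMP connection messages. Pair 1 builds both directions; pair 2 only outbound.
SAMPLE_LOG = """\
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.5/512 laddr 10.10.1.20/512
%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.5/512 laddr 10.10.1.20/512
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.10/0 gaddr 198.51.100.5/512 laddr 10.10.1.20/512
%ASA-6-302020: Built outbound ICMP connection for faddr 203.0.113.50/0 gaddr 198.51.100.7/1 laddr 10.10.2.30/1
%ASA-6-302021: Teardown ICMP connection for faddr 203.0.113.50/0 gaddr 198.51.100.7/1 laddr 10.10.2.30/1
"""

ICMP_CONN = re.compile(
    r"%ASA-\d-3020(?P<msgid>2[01]): (?P<event>Built (?:inbound|outbound)|Teardown) ICMP connection "
    r"for faddr (?P<faddr>[\d.]+)/(?P<ffield>\d+) "
    r"gaddr (?P<gaddr>[\d.]+)/(?P<gfield>\d+) laddr (?P<laddr>[\d.]+)/(?P<lfield>\d+)"
)


def parse_icmp_events(log_text):
    """Return one dict per ICMP connection line; lines that do not match are skipped."""
    return [m.groupdict() for line in log_text.splitlines() if (m := ICMP_CONN.search(line))]


def summarize_by_peer(events):
    """Group events by (faddr, laddr) and record which directions were built, which
    local-side field values were seen, and whether global and local fields ever differ."""
    summary = defaultdict(lambda: {"inbound": False, "outbound": False,
                                   "teardown": False, "fields": set(), "nat_mismatch": False})
    for e in events:
        s = summary[(e["faddr"], e["laddr"])]
        if e["event"] == "Built inbound":
            s["inbound"] = True
        elif e["event"] == "Built outbound":
            s["outbound"] = True
        else:
            s["teardown"] = True
        s["fields"].add(e["lfield"])
        # A translation that rewrites the ICMP field would show up as gaddr/x != laddr/x.
        if e["gfield"] != e["lfield"]:
            s["nat_mismatch"] = True
    return dict(summary)


def one_way_peers(summary):
    """Host pairs where the ASA built the outbound connection but never the inbound one."""
    return sorted(f"{f}->{l}" for (f, l), s in summary.items() if s["outbound"] and not s["inbound"])


if __name__ == "__main__":
    peers = summarize_by_peer(parse_icmp_events(SAMPLE_LOG))
    print("outbound-only pairs:", one_way_peers(peers))
```

Feed it the real ASA syslog export instead of SAMPLE_LOG; an empty nat_mismatch set with a non-empty outbound-only list means the field values are consistent on the ASA and the missing reply is being dropped before it reaches the firewall, which is the far-end check the earlier reply suggested.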


This Discussion