10-23-2009 05:34 AM - edited 02-21-2020 03:45 AM
Site-to-Site VPNs on an ASA5510, trying to ping between the Local Hosts. On one VPN the PING gets a reply, on the other it doesn't.
Where it works the Log Viewer shows me traffic between LocalHost/512 and LocalHost/0 - using port 512? Where it does not work I see traffic between LocalHost/1 and LocalHost/0 - using port 1? I think some unwanted translation, or something, is leading the traffic astray, and these port(?) differences are pointing to it. Any ideas? Thanks.
10-23-2009 06:01 AM
I have one addition to the problem statement. On the working VPN I get an inbound connection from the remote end's Local Host to my end's Local Host, as well as an outbound connection the other way. On the non-working VPN I get the outbound connection from my end to the far end, but never the inbound connection from the far end to the near end.
10-26-2009 06:16 AM
Are the local host PCs using firewalls? Check that the far end host's firewall allows ICMP.
hth
andy
10-26-2009 10:29 AM
I don't control the far end local host. An institution supports many client VPNs at that end, and their support says it's ready for me to PING. I ping my local host (locally, of course, not from the tunnel) successfully, and I've disabled its firewall long enough to test the VPN. What my ASA5510 firewall log says I'm missing is a "Built Inbound ICMP connection for foreign\0 \ global/1 \ local/1". I get the "Built outbound ICMP connection for foreign/0 \ global/1 \ local\1", and the "Teardown ICMP connection for foreign/0 \ global/1 \ local/1".
On my other VPN, where PING works, the global and local addresses are always showing global/512 and local/512 instead of global/1 and local/1.