VPN-Tunnel - Unable to ping the secondary ASA

Unanswered Question
Mar 4th, 2010

Hi,

We've got a small monitoring Issue.

When we're connected to the primary (active) ASA over a VPN tunnel, we're unable to ping/telnet/snmp/... the secondary (standby) ASA.

Inside the site (without using a vpn-connection) we're able to ping it!

We're running:

2x ASA 5520 VPN Plus license @ version 7.2(4)

2x ASA 5540 VPN Plus license @ version 7.2(4)

Any Idea what is the cause, or how this could be fixed?

Thanks in advance.

Sven Schlingloff

Federico Coto F... Thu, 03/04/2010 - 12:40

Hi,

Are you connecting with the Cisco VPN client?

If this is so, you can only PING the inside interface of the ASA if you have the ''management-access inside'' command (assuming that the inside interface is the interface where the interesting traffic resides).

Are you trying to reach the outside or inside IP of the ASA via the VPN tunnel?

Do you have the configs sync between both ASAs?

Have you tried switching the failover, to see if the behavior continues?

Federico.

schlingloff Mon, 03/08/2010 - 02:03

Thank you for that fast response.

****

Are you connecting with the Cisco VPN client?

*****

We are using the Cisco VPN Client on Windows Client.

We do have some Linux clients which show the same issue.

The monitoring of our devices is done via a LAN-to-LAN tunnel and there's also the same issue. (As far as I know the other side also uses an ASA.)

****

If this is so, you can only PING the inside interface of the ASA if you have the ''management-access inside'' command (assuming that the inside interface is the interface where the interesting traffic resides).

****

OK! The command "management-access" is in place. So that's the cause we can't ping the other ASA?

Do we have to disable that command to ping/telnet/snmp the secondary ASA? Any good reasons why that wouldn't be a good idea?

May there be a way around?

*******

Are you trying to reach the outside or inside IP of the ASA via the VPN tunnel?

********

I'm trying to reach the inside IP of the ASA.


***

Do you have the configs sync between both ASAs?

***

Our ASAs are in an active/standby setup. Failover configurations are in place.

Please correct me if I'm wrong.

If I understood that correctly all commands are replicated from the active to the standby unit.

***

Have you tried switching the failover, to see if the behavior continues?

***

I haven't tried that yet.

Thanks for any further feedback.

Sven Schlingloff

Federico Coto F... Mon, 03/08/2010 - 07:33

Hi,

If the command ''management-access inside'' is in place, then you should be able to PING the inside interface.

The configs should automatically synchronize (then both ASAs should have exactly the same config except for the IPs).

Can you PING everything on the inside network (the problem is just with the inside IP of the secondary ASA)?

Seems like there's no connectivity at all with the secondary ASA's inside IP.

Is the inside IP of both ASAs on the same VLAN connected to the same switch?

You can enable the Packet Tracer utility or the capture commands to check if the traffic is making it to the secondary ASA.

Let me know if you need assistance with this.

Federico.

schlingloff Tue, 03/09/2010 - 03:58

*********

Can you PING everything on the inside network (the problem is just with the inside IP of the secondary ASA)?

*******

Yes, I can ping everything on the inside network, except the secondary ASA. I can even ping the passive ASA on another site, when my tunnel isn't terminating on its primary device. As soon as I initiate a VPN connection to that primary device I cannot ping that passive one.

*****

Is the inside IP of both ASAs on the same VLAN connected to the same switch?

****

Yes, the inside (management) IPs are in the same VLAN.

*****

You can enable the Packet Tracer utility or the capture commands to check if the traffic is making it to the secondary ASA.

****

Packet Tracer seems to be confused with the vpn connection. Please see the attached screenshot. Everything else looks fine so far.

A Real-time Log Viewer output is in the other post I created.

Thanks for your help

Alex Pfeil Mon, 03/08/2010 - 07:49

This is real easy to troubleshoot.

All you have to do is login to the ASDM and look at the log.

Create the VPN connection that you are using and can't ping with and get the ip address that you have with the connection.

In the ASA log type in the IP address of the VPN connection.

Start a constant ping from the established VPN connection.

The ASA will give you the pertinent information you need assuming that you are getting to the ASA.

It sounds to me like the issue you are having is that when you are on the regular network you are pinging the management interface, and when you VPN, you are coming from a different interface. Looking at the log will make the issue really easy to fix.

Thanks,

Alex Pfeil

schlingloff Tue, 03/09/2010 - 03:48

Ok and here we have the strange part:

Inside the log of the active device I can see

1) Built inbound ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username)

2) Teardown ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username)

where a.a.a.a is the IP address which the client gets from the VPN pool

and b.b.b.b is the target IP; in this case the IP of the passive ASA

(for further reference 1) is %PIX|ASA-6-302020 and 2) is %PIX|ASA-6-302021 ; http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280803)

BUT there is nothing inside the log of the passive device!

(I enabled debugging for the logging level)

Thanks for your help
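The two posts above describe the same check: filter the active and standby ASA logs for the 302020/302021 ICMP connection messages that carry the VPN client's pool address, and compare what each unit saw. The script below is an added example, not part of the thread and not Cisco code; it parses messages in the format quoted above (the `%ASA-6-302020` / `%ASA-6-302021` prefix as the ASA emits it) and reports whether the standby unit ever logged the ping. The log lines, the pool address `10.200.0.7`, the standby inside IP `192.168.2.3` and the LAN host `192.168.2.40` are constructed sample values, not taken from the poster's network.

```python
import re

# Matches the ASA 7.2 ICMP connection-build (302020) and teardown (302021)
# messages in the form quoted in the thread. The "(user)" suffix is present
# for remote-access VPN users and absent for plain LAN traffic.
ICMP_CONN_RE = re.compile(
    r"%(?:PIX|ASA)-6-(?P<msgid>30202[01]): (?P<event>Built|Teardown) "
    r"(?:(?P<direction>inbound|outbound) )?ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/(?P<fport>\d+) gaddr (?P<gaddr>[\d.]+)/\d+ "
    r"laddr (?P<laddr>[\d.]+)/\d+(?: \((?P<user>[^)]*)\))?"
)

# Constructed sample syslog from the active unit: the VPN client (10.200.0.7)
# pings the standby inside IP (192.168.2.3) and a LAN host (192.168.2.50).
ACTIVE_LOG = """\
Mar 09 2010 10:15:01 asa-primary %ASA-6-302020: Built inbound ICMP connection for faddr 10.200.0.7/1 gaddr 192.168.2.3/0 laddr 192.168.2.3/0 (sven)
Mar 09 2010 10:15:03 asa-primary %ASA-6-302021: Teardown ICMP connection for faddr 10.200.0.7/1 gaddr 192.168.2.3/0 laddr 192.168.2.3/0 (sven)
Mar 09 2010 10:15:04 asa-primary %ASA-6-302020: Built inbound ICMP connection for faddr 10.200.0.7/1 gaddr 192.168.2.50/0 laddr 192.168.2.50/0 (sven)
Mar 09 2010 10:15:06 asa-primary %ASA-6-302021: Teardown ICMP connection for faddr 10.200.0.7/1 gaddr 192.168.2.50/0 laddr 192.168.2.50/0 (sven)
"""

# Constructed sample syslog from the standby unit: only a LAN host
# (192.168.2.40) shows up; the VPN pool address never appears.
STANDBY_LOG = """\
Mar 09 2010 10:15:00 asa-secondary %ASA-6-302020: Built inbound ICMP connection for faddr 192.168.2.40/1 gaddr 192.168.2.3/0 laddr 192.168.2.3/0
Mar 09 2010 10:15:02 asa-secondary %ASA-6-302021: Teardown ICMP connection for faddr 192.168.2.40/1 gaddr 192.168.2.3/0 laddr 192.168.2.3/0
"""


def parse_icmp_events(log_text):
    """Return one dict per 302020/302021 line; other syslog lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = ICMP_CONN_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def icmp_events_from(events, src_ip, dst_ip):
    """Keep only the events where src_ip pinged dst_ip (faddr -> laddr)."""
    return [e for e in events if e["faddr"] == src_ip and e["laddr"] == dst_ip]


def diagnose(active_log, standby_log, client_ip, standby_inside_ip):
    """Compare what the active and standby units logged for one ping source.

    finding values:
      active-only     - active unit built the connection, standby saw nothing
                        (the symptom in the thread: traffic never reaches the
                        standby, so look at the path, not at management-access)
      reached-standby - standby logged the ICMP flow itself
      not-seen        - neither unit logged it (ping never reached the ASA)
    """
    active = icmp_events_from(parse_icmp_events(active_log), client_ip, standby_inside_ip)
    standby = icmp_events_from(parse_icmp_events(standby_log), client_ip, standby_inside_ip)
    report = {
        "active_built": sum(1 for e in active if e["event"] == "Built"),
        "active_teardown": sum(1 for e in active if e["event"] == "Teardown"),
        "standby_seen": len(standby),
    }
    if standby:
        report["finding"] = "reached-standby"
    elif report["active_built"]:
        report["finding"] = "active-only"
    else:
        report["finding"] = "not-seen"
    return report


if __name__ == "__main__":
    # VPN client from the pool: active builds/tears down, standby silent.
    print(diagnose(ACTIVE_LOG, STANDBY_LOG, "10.200.0.7", "192.168.2.3"))
    # LAN host on the inside VLAN: the standby logs the ping directly.
    print(diagnose(ACTIVE_LOG, STANDBY_LOG, "192.168.2.40", "192.168.2.3"))
```

Feed it the syslog export (or the ASDM log filtered on the pool address, as Alex suggests) from both units; an "active-only" finding reproduces exactly what the poster reports, and a "reached-standby" finding for a LAN source confirms the standby's logging is working and the gap is specific to the VPN path.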

Alex Pfeil Tue, 03/09/2010 - 05:58

It seems to me like this is a routing issue. On the default gateway of the VPN client, add a static route to the passive ASA and try it again.

For example,

if your IP address is 192.168.2.4

and your gateway is 192.168.2.1

On 192.168.2.1, add a static route to the passive ASA.

This is why I think that this is the case.

When you ping the passive ASA your ICMP packets are being routed back to the Active ASA.

One more thing you can check is that when you successfully ping the passive device from your local machine, check the logs on the passive ASA and verify you see the traffic.
