VPN-Tunnel - Unable to ping the secondary ASA

schlingloff
Level 1

Hi,

We've got a small monitoring Issue.

When we're connected to the primary (active) ASA over a VPN-tunnel, we're unable to ping/telnet/snmp/... the secondary (standby) ASA.

Inside the site (without using a vpn-connection) we're able to ping it!

We're running:

2x ASA 5520 VPN Plus license @ version 7.2(4)

2x ASA 5540 VPN Plus license @ version 7.2(4)

Any Idea what is the cause, or how this could be fixed?

Thanks in advance.

Sven Schlingloff

9 Replies

Hi,

Are you connecting with the Cisco VPN client?

If this is so, you can only PING the inside interface of the ASA if you have the ''management-access inside'' command (assuming that the inside interface is the interface where the interesting traffic resides).

Are you trying to reach the outside or inside IP of the ASA via the VPN tunnel?

Do you have the configs sync between both ASAs?

Have you tried switching the failover, to see if the behavior continues?

Federico.

Thank you for that fast response.

****

Are you connecting with the Cisco VPN client?

*****

We are using the Cisco VPN Client on Windows Client.

We do have some Linux clients which show the same issue.

The monitoring of our devices is done via a LAN-to-LAN tunnel and there's also the same issue. (As far as I know the other side also uses an ASA.)

****

If this is so, you can only PING the inside interface of the ASA if you have the ''management-access inside'' command (assuming that the inside interface is the interface where the interesting traffic resides).

****

OK! The command "management-access" is in place. So that's the cause we can't ping the other ASA?

Do we have to disable that command to ping/telnet/snmp the secondary ASA? Any good reasons why that wouldn't be a good idea?

May there be a way around?

*******

Are you trying to reach the outside or inside IP of the ASA via the VPN tunnel?

********

I'm trying to reach the inside IP of the ASA.


***

Do you have the configs sync between both ASAs?

***

Our ASAs are in an active/standby setup. Failover configurations are in place.

Please correct me if I'm wrong.

If I understood that correctly all commands are replicated from the active to the standby unit.

***

Have you tried switching the failover, to see if the behavior continues?

***

I haven't tried that yet.

Thanks for any further feedback.

Sven Schlingloff

Hi,

If the command ''management-access inside'' is in place, then you should be able to PING the inside interface.

The configs should automatically synchronize (then both ASAs should have exactly the same config but the IPs).

Can you PING everything on the inside network (the problem is just with the inside IP of the secondary ASA?)

Seems like there's no connectivity at all with the secondary ASA's inside IP.

Is the inside IP of both ASAs on the same VLAN connected to the same switch?

You can enable the Packet Tracer utility or the capture commands to check if the traffic is making it to the secondary ASA.

Let me know if you need assistance with this.

Federico.

*********

Can you PING everything on the inside network (the problem is just with the inside IP of the secondary ASA?)

*******

Yes, I can ping everything on the inside network, except the secondary ASA. I can even ping the passive ASA on another site, when my tunnel isn't terminating on its primary device. As soon as I initiate a vpn-connection to that primary device I cannot ping that passive one.

*****

Is the inside IP of both ASAs on the same VLAN connected to the same switch?

****

Yes, the inside (management) IPs are on the same VLAN.

*****

You can enable the Packet Tracer utility or the capture commands to check if the traffic is making it to the secondary ASA.

****

Packet Tracer seems to be confused with the vpn connection. Please see the attached screenshot. Everything else looks fine so far.

A Realtime Log Viewer output is in the other post I created.

Thanks for your help

Alex Pfeil
Level 7

This is real easy to troubleshoot.

All you have to do is login to the ASDM and look at the log.

Create the VPN connection that you are using and can't ping with and get the ip address that you have with the connection.

In the ASA log type in the IP address of the VPN connection.

Start a constant ping from the established VPN connection

The ASA will give you the pertinent information you need assuming that you are getting to the ASA.

It sounds to me like the issue you are having is that when you are on the regular network you are pinging the management interface, and when you VPN, you are coming from a different interface. Looking at the log will make the issue really easy to fix.

Thanks,

Alex Pfeil

Ok and here we have the strange part:

Inside the log of the active device I can see

1) Built inbound ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username)

2) Teardown ICMP connection for faddr a.a.a.a/1 gaddr b.b.b.b/0 laddr b.b.b.b/0 (username)

where a.a.a.a is the IP address which the client gets from the vpn-pool

where b.b.b.b is the target IP; in this case the IP of the passive ASA

(for further reference 1) is %PIX|ASA-6-302020 and 2) is %PIX|ASA-6-302021 ; http://www.cisco.com/en/US/docs/security/asa/asa72/system/message/logmsgs.html#wp1280803)

BUT there is nothing inside the log of the passive device!

(I enabled debugging for the logging level)

Thanks for your help
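The asymmetry described above (Built/Teardown ICMP records on the active unit, nothing on the standby) can be checked mechanically from exported syslog. The following is an added example, not code from the thread or from Cisco: it parses the %ASA-6-302020 / %ASA-6-302021 message format quoted above and reports on which unit a given client-to-target ICMP flow was logged. The log lines, the VPN pool address 10.8.0.5 and the standby inside IP 192.0.2.3 are constructed sample values.

```python
import re

# Regex for the two ICMP connection syslog messages quoted in the thread
# (%ASA-6-302020 Built ... / %ASA-6-302021 Teardown ...). The port after each
# slash and the optional trailing "(username)" are ignored.
ICMP_CONN_RE = re.compile(
    r"%(?:PIX|ASA)-6-(?P<msgid>30202[01]): "
    r"(?P<event>Built (?:inbound|outbound)|Teardown) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)

# Constructed sample logs (not taken from the thread): 10.8.0.5 is an address
# from the VPN pool, 192.0.2.3 is the inside IP of the standby ASA and
# 192.0.2.40 is a host on the inside LAN.
ACTIVE_LOG = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 10.8.0.5/1 gaddr 192.0.2.3/0 laddr 192.0.2.3/0 (sven)",
    "%ASA-6-302021: Teardown ICMP connection for faddr 10.8.0.5/1 gaddr 192.0.2.3/0 laddr 192.0.2.3/0 (sven)",
    "%ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/443 to inside:192.0.2.40/50212",
]
STANDBY_LOG = [
    "%ASA-6-302020: Built inbound ICMP connection for faddr 192.0.2.40/1 gaddr 192.0.2.3/0 laddr 192.0.2.3/0",
]

def parse_icmp_events(lines):
    """Return (msgid, faddr, laddr) for every line matching 302020/302021."""
    out = []
    for line in lines:
        m = ICMP_CONN_RE.search(line)
        if m:
            out.append((m.group("msgid"), m.group("faddr"), m.group("laddr")))
    return out

def flow_seen(lines, src, dst):
    """True if a Built or Teardown ICMP record for src -> dst appears in lines."""
    return any(f == src and l == dst for _, f, l in parse_icmp_events(lines))

def compare_visibility(active_log, standby_log, src, dst):
    """Report on which failover unit the ICMP flow src -> dst was logged."""
    on_active = flow_seen(active_log, src, dst)
    on_standby = flow_seen(standby_log, src, dst)
    if on_active and on_standby:
        verdict = "both"          # both units saw it: look at ACLs / reply path instead
    elif on_active:
        verdict = "active-only"   # the case in the thread: active built it, standby never saw it
    elif on_standby:
        verdict = "standby-only"
    else:
        verdict = "none"          # the echo never entered the tunnel on the active unit
    return {"active": on_active, "standby": on_standby, "verdict": verdict}

if __name__ == "__main__":
    print(compare_visibility(ACTIVE_LOG, STANDBY_LOG, "10.8.0.5", "192.0.2.3"))
```

An "active-only" verdict for a VPN pool source, next to "standby-only" or "both" for an inside LAN source, points at the path between the active unit and the standby's inside IP rather than at the VPN itself.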

It seems to me like this is a routing issue. On the default gateway of the vpn client, add a static route to the passive ASA and try it again.

For example,

if your IP address is 192.168.2.4

and your gateway is 192.168.2.1

On 192.168.2.1, add a static route to the passive ASA.

This is why I think that this is the case.

When you ping the passive ASA your ICMP packets are being routed back to the Active ASA.

One more thing you can check is that when you successfully ping the passive device from your local machine, check the logs on the passive ASA and verify you see the traffic.

Brad_Shawh
Level 1

I have the exact same issue: every site that is connected through VPN has an issue with reachability of the 'Standby IP' of the inside interface; it never works.


I am wondering if anyone figured this out yet?

ppalmerjr
Level 1

Pretty sure I have this exact issue. I think the key is that the S2S VPN tunnel is currently terminated on the primary ASA only.


Synopsis of the issue:

I have active/standby ASAs and I'm terminating a S2S VPN there to one of my sites. These ASAs need to reach back over the tunnel to reach their RADIUS authentication server. The primary can reach it fine, but the standby cannot.


1. All communication from the primary ASA back over the VPN to the remote site works just fine. This is because the S2S VPN is currently terminated at this active ASA.

2. Any communication from the standby ASA (which doesn't currently have a VPN terminating on it, as it's in standby) cannot reach the other side of the S2S VPN.


Anyone know a workaround for this, other than allowing the RADIUS traffic outside of the VPN and static NATing the addresses in play?
