cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2278
Views
0
Helpful
8
Replies

Unable To ping remote host through vpn tunnel.

Rocky Villaruel
Level 1
Level 1

I am in a test environment using an ASA 55005 and a Cisoc 2611xm router. ASA is running version 8.4 and router is running is ios12.4. My VPN tunnel comes up but I am unable to ping between remote hosts. I used the ASDM and SDM for the configuration. Attached is a copy of both configs. Any help will be greatly appreciated on this issue.

Regards

Rocky

8 Replies 8

Hey Rocky,

Do you see any encaps or decaps on any end of the tunnel when you apply "show cry ips sa" ?

Wishes,

Mo.

Hey Mo, my sh cry ips sa shows the following

Crypto map tag: outside_map, seq num: 1, local addr: 172.16.1.1

      access-list outside_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
      current_peer: 172.17.1.1

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.16.1.1/0, remote crypto endpt.: 172.17.1.1/0
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 488811A5
      current inbound spi : C7FB2C53

    inbound esp sas:
      spi: 0xC7FB2C53 (3355126867)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 18571264, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4373997/2892)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x3FFFFFFF
    outbound esp sas:
      spi: 0x488811A5 (1216876965)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 18571264, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4374000/2892)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Also the debug output from the router when I do test tunnel from the SDM that display is listed below

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.04.21 23:42:42 =~=~=~=~=~=~=~=~=~=~=~=

*Mar  3 21:50:22.850: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 172.17.1.1, remote= 172.16.1.1,
    local_proxy= 10.20.10.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 10.10.10.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Mar  3 21:50:22.854: ISAKMP: local port 500, remote port 500
*Mar  3 21:50:22.854: ISAKMP: set new node 0 to QM_IDLE     
*Mar  3 21:50:22.854: insert sa successfully sa = 85F63480
*Mar  3 21:50:22.858: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Mar  3 21:50:22.858: ISAKMP:(0):found peer pre-shared key matching 172.16.1.1
*Mar  3 21:50:22.858: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Mar  3 21:50:22.858: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Mar  3 21:50:22.858: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Mar  3 21:50:22.862: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Mar  3 21:50:22.862: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar  3 21:50:22.862: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

*Mar  3 21:50:22.862: ISAKMP:(0): beginning Main Mode exchange
*Mar  3 21:50:22.862: ISAKMP:(0): sending packet to 172.16.1.1 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar  3 21:50:22.862: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  3 21:50:22.870: ISAKMP (0:0): received packet from 172.16.1.1 dport 500 sport 500 Global (I) MM_NO_STATE
*Mar  3 21:50:22.874: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 21:50:22.874: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2

*Mar  3 21:50:22.874: ISAKMP:(0): processing SA payload. message ID = 0
*Mar  3 21:50:22.878: ISAKMP:(0): processing vendor id payload
*Mar  3 21:50:22.878: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 21:50:22.878: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 21:50:22.878: ISAKMP:(0): processing vendor id payload
*Mar  3 21:50:22.878: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  3 21:50:22.878: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  3 21:50:22.882: ISAKMP:(0):found peer pre-shared key matching 172.16.1.1
*Mar  3 21:50:22.882: ISAKMP:(0): local preshared key found
*Mar  3 21:50:22.882: ISAKMP:(0):Checking ISAKMP transform 1 against priority 1 policy
*Mar  3 21:50:22.882: ISAKMP:      encryption 3DES-CBC
*Mar  3 21:50:22.882: ISAKMP:      hash SHA
*Mar  3 21:50:22.882: ISAKMP:      default group 2
*Mar  3 21:50:22.882: ISAKMP:      auth pre-share
*Mar  3 21:50:22.882: ISAKMP:      life type in seconds
*Mar  3 21:50:22.882: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
*Mar  3 21:50:22.886: ISAKMP:(0):atts are acceptable. Next payload is 0
*Mar  3 21:50:22.886: ISAKMP:(0):Acceptable atts:actual life: 0
*Mar  3 21:50:22.886: ISAKMP:(0):Acceptable atts:life: 0
*Mar  3 21:50:22.886: ISAKMP:(0):Fill atts in sa vpi_length:4
*Mar  3 21:50:22.886: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Mar  3 21:50:22.886: ISAKMP:(0):Returning Actual lifetime: 86400
*Mar  3 21:50:22.890: ISAKMP:(0)::Started lifetime timer: 86400.

*Mar  3 21:50:22.890: ISAKMP:(0): processing vendor id payload
*Mar  3 21:50:22.890: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*Mar  3 21:50:22.890: ISAKMP:(0): vendor ID is NAT-T v2
*Mar  3 21:50:22.890: ISAKMP:(0): processing vendor id payload
*Mar  3 21:50:22.890: ISAKMP:(0): processing IKE frag vendor id payload
*Mar  3 21:50:22.894: ISAKMP:(0):Support for IKE Fragmentation not enabled
*Mar  3 21:50:22.894: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 21:50:22.894: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM2

*Mar  3 21:50:22.898: ISAKMP:(0): sending packet to 172.16.1.1 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Mar  3 21:50:22.898: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Mar  3 21:50:22.902: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 21:50:22.902: ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

*Mar  3 21:50:22.906: ISAKMP (0:0): received packet from 172.16.1.1 dport 500 sport 500 Global (I) MM_SA_SETUP
*Mar  3 21:50:22.910: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 21:50:22.910: ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

*Mar  3 21:50:22.910: ISAKMP:(0): processing KE payload. message ID = 0
*Mar  3 21:50:22.910: crypto_engine: Create DH shared secret
*Mar  3 21:50:23.194: ISAKMP:(0): processing NONCE payload. message ID = 0
*Mar  3 21:50:23.198: ISAKMP:(0):found peer pre-shared key matching 172.16.1.1
*Mar  3 21:50:23.198: crypto_engine: Create IKE SA
*Mar  3 21:50:23.202: crypto engine: deleting DH phase 2 SW:5
*Mar  3 21:50:23.202: crypto_engine: Delete DH shared secret
*Mar  3 21:50:23.202: ISAKMP:(1003): processing vendor id payload
*Mar  3 21:50:23.202: ISAKMP:(1003): vendor ID is Unity
*Mar  3 21:50:23.206: ISAKMP:(1003): processing vendor id payload
*Mar  3 21:50:23.206: ISAKMP:(1003): vendor ID seems Unity/DPD but major 139 mismatch
*Mar  3 21:50:23.206: ISAKMP:(1003): vendor ID is XAUTH
*Mar  3 21:50:23.206: ISAKMP:(1003): processing vendor id payload
*Mar  3 21:50:23.206: ISAKMP:(1003): speaking to another IOS box!
*Mar  3 21:50:23.206: ISAKMP:(1003): processing vendor id payload
*Mar  3 21:50:23.210: ISAKMP:(1003):vendor ID seems Unity/DPD but hash mismatch
*Mar  3 21:50:23.210: ISAKMP:received payload type 20
*Mar  3 21:50:23.210: ISAKMP:received payload type 20
*Mar  3 21:50:23.210: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 21:50:23.210: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM4

*Mar  3 21:50:23.214: ISAKMP:(1003):Send initial contact
*Mar  3 21:50:23.214: ISAKMP:(1003):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Mar  3 21:50:23.214: ISAKMP (0:1003): ID payload
next-payload : 8
type         : 1
address      : 172.17.1.1
protocol     : 17
port         : 500
length       : 12
*Mar  3 21:50:23.218: ISAKMP:(1003):Total payload length: 12
*Mar  3 21:50:23.218: crypto_engine: Generate IKE hash
*Mar  3 21:50:23.218: crypto_engine: Encrypt IKE packet
*Mar  3 21:50:23.222: ISAKMP:(1003): sending packet to 172.16.1.1 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Mar  3 21:50:23.222: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Mar  3 21:50:23.222: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 21:50:23.222: ISAKMP:(1003):Old State = IKE_I_MM4  New State = IKE_I_MM5

*Mar  3 21:50:23.226: ISAKMP (0:1003): received packet from 172.16.1.1 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Mar  3 21:50:23.230: crypto_engine: Decrypt IKE packet
*Mar  3 21:50:23.230: ISAKMP:(1003): processing ID payload. message ID = 0
*Mar  3 21:50:23.230: ISAKMP (0:1003): ID payload
next-payload : 8
type         : 1
address      : 172.16.1.1
protocol     : 17
port         : 0
length       : 12
*Mar  3 21:50:23.234: ISAKMP:(1003): processing HASH payload. message ID = 0
*Mar  3 21:50:23.234: crypto_engine: Generate IKE hash
*Mar  3 21:50:23.234: ISAKMP:received payload type 17
*Mar  3 21:50:23.234: ISAKMP:(1003): processing vendor id payload
*Mar  3 21:50:23.234: ISAKMP:(1003): vendor ID is DPD
*Mar  3 21:50:23.238: ISAKMP:(1003):SA authentication status:
authenticated
*Mar  3 21:50:23.238: ISAKMP:(1003):SA has been authenticated with 172.16.1.1
*Mar  3 21:50:23.238: ISAKMP:(1003):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  3 21:50:23.238: ISAKMP:(1003):Old State = IKE_I_MM5  New State = IKE_I_MM6

*Mar  3 21:50:23.242: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Mar  3 21:50:23.242: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_I_MM6

*Mar  3 21:50:23.246: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Mar  3 21:50:23.246: ISAKMP:(1003):Old State = IKE_I_MM6  New State = IKE_P1_COMPLETE

*Mar  3 21:50:23.250: ISAKMP:(1003):beginning Quick Mode exchange, M-ID of 1735601099
*Mar  3 21:50:23.250: ISAKMP:(1003):QM Initiator gets spi
*Mar  3 21:50:23.250: crypto_engine: Generate IKE hash
*Mar  3 21:50:23.254: crypto_engine: Encrypt IKE packet
*Mar  3 21:50:23.254: ISAKMP:(1003): sending packet to 172.16.1.1 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  3 21:50:23.254: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Mar  3 21:50:23.258: ISAKMP:(1003):Node 1735601099, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Mar  3 21:50:23.258: ISAKMP:(1003):Old State = IKE_QM_READY  New State = IKE_QM_I_QM1
*Mar  3 21:50:23.258: ISAKMP:(1003):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Mar  3 21:50:23.262: ISAKMP:(1003):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

*Mar  3 21:50:23.266: ISAKMP (0:1003): received packet from 172.16.1.1 dport 500 sport 500 Global (I) QM_IDLE     
*Mar  3 21:50:23.266: crypto_engine: Decrypt IKE packet
*Mar  3 21:50:23.266: crypto_engine: Generate IKE hash
*Mar  3 21:50:23.270: ISAKMP:(1003): processing HASH payload. message ID = 1735601099
*Mar  3 21:50:23.270: ISAKMP:(1003): processing SA payload. message ID = 1735601099
*Mar  3 21:50:23.270: ISAKMP:(1003):Checking IPSec proposal 1
*Mar  3 21:50:23.270: ISAKMP: transform 1, ESP_3DES
*Mar  3 21:50:23.270: ISAKMP:   attributes in transform:
*Mar  3 21:50:23.270: ISAKMP:      SA life type in seconds
*Mar  3 21:50:23.270: ISAKMP:      SA life duration (basic) of 3600
*Mar  3 21:50:23.270: ISAKMP:      SA life type in kilobytes
*Mar  3 21:50:23.275: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
*Mar  3 21:50:23.275: ISAKMP:      encaps is 1 (Tunnel)
*Mar  3 21:50:23.275: ISAKMP:      authenticator is HMAC-SHA
*Mar  3 21:50:23.275: ISAKMP:(1003):atts are acceptable.
*Mar  3 21:50:23.275: ISAKMP:(1003): processing NONCE payload. message ID = 1735601099
*Mar  3 21:50:23.279: ISAKMP:(1003): processing ID payload. message ID = 1735601099
*Mar  3 21:50:23.279: ISAKMP:(1003): processing ID payload. message ID = 1735601099
*Mar  3 21:50:23.279: crypto_engine: Generate IKE hash
*Mar  3 21:50:23.279: crypto_engine: Generate IKE QM keys
*Mar  3 21:50:23.283: crypto_engine: Create IPSec SA (by keys)
*Mar  3 21:50:23.283: crypto_engine: Generate IKE QM keys
*Mar  3 21:50:23.287: crypto_engine: Create IPSec SA (by keys)
*Mar  3 21:50:23.287: ISAKMP:(1003): Creating IPSec SAs
*Mar  3 21:50:23.287:         inbound SA from 172.16.1.1 to 172.17.1.1 (f/i)  0/ 0
        (proxy 10.10.10.0 to 10.20.10.0)
*Mar  3 21:50:23.287:         has spi 0x488811A5 and conn_id 0
*Mar  3 21:50:23.287:         lifetime of 3600 seconds
*Mar  3 21:50:23.291:         lifetime of 4608000 kilobytes
*Mar  3 21:50:23.291:         outbound SA from 172.17.1.1 to 172.16.1.1 (f/i) 0/0
        (proxy 10.20.10.0 to 10.10.10.0)
*Mar  3 21:50:23.291:         has spi  0xC7FB2C53 and conn_id 0
*Mar  3 21:50:23.291:         lifetime of 3600 seconds
*Mar  3 21:50:23.291:         lifetime of 4608000 kilobytes
*Mar  3 21:50:23.291: crypto_engine: Encrypt IKE packet
*Mar  3 21:50:23.295: ISAKMP:(1003): sending packet to 172.16.1.1 my_port 500 peer_port 500 (I) QM_IDLE     
*Mar  3 21:50:23.295: ISAKMP:(1003):Sending an IKE IPv4 Packet.
*Mar  3 21:50:23.295: ISAKMP:(1003):deleting node 1735601099 error FALSE reason "No Error"
*Mar  3 21:50:23.299: ISAKMP:(1003):Node 1735601099, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar  3 21:50:23.299: ISAKMP:(1003):Old State = IKE_QM_I_QM1  New State = IKE_QM_PHASE2_COMPLETE
*Mar  3 21:50:23.299: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 172.16.1.1
*Mar  3 21:50:23.303: IPSEC(policy_db_add_ident): src 10.20.10.0, dest 10.10.10.0, dest_port 0

*Mar  3 21:50:23.303: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.17.1.1, sa_proto= 50,
    sa_spi= 0x488811A5(1216876965),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 5
*Mar  3 21:50:23.303: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.1.1, sa_proto= 50,
    sa_spi= 0xC7FB2C53(3355126867),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 6
*Mar  3 21:50:23.307: crypto engine: updating MTU size of IPSec SA SW:6
*Mar  3 21:50:23.307: crypto_engine: Set IPSec MTU
*Mar  3 21:50:23.307: IPSEC(update_current_outbound_sa): updated peer 172.16.1.1 current outbound sa to SPI C7FB2C53
*Mar  3 21:51:13.297: ISAKMP:(1003):purging node 1735601099

Ok, so the problem as I can see that the ASA is not encryption traffic for some reason .... can I know the host IP for both source and destination which you are using for the test? We need to set up some captures on the inside of your ASA to check if we see traffic in both ways.

I saw that you have the command "management-access inside" applied on the ASA, have you tried to ping the ASA's inside interface IP? if no can you try and let me know what counters are increasing in the "show cry ips sa" ?

/Mo.

Hey Mo, when I trying to ping my inside interface there is no counters increasing in the show cry ips sa.

My external on the ASA is 172.16.1.1/24

My Internal on the ASA is 10.10.10.1/24

Internal host on the ASA is 10.10.10.2

Router External is 172.17.1.1/24

Router Internal is 10.20.10.1/24

Internal Host is 10.20.10.3/24

I am not familiar with setting up the captures so your help will be appreciated.

Regards

Rocky

From host 10.10.10.2 i cannot ping 172.16.1.1 and the captures do not caputer anything when I ping. From the ASA i also cannot ping host 10.10.10.2

Hi ,

ASA doenst allow ping from Inside segment to outside interface IP and Vise versa. To ping from Router Inside to ASA inside, you have enable management interface as inside interface under Device Management setup in Cisco ASA. Pls also check if you enable ICMP inspection under Global Service Policy in ASA. Also take note on your NAT exempt statement.

Regards, Nagis

You cannot ping from an inside host to the outside IP address as NAGISWAREN2 said as this is denied by design. But you should be able to ping the ASA inside interface and ping from the ASA back to the host as they should be able to reach each other. Can you try capturing that traffic?

Just apply this capture on the ASA:

capture cap interface inside match icmp any any

Then ping from the host to the ASA, and ping back from the ASA to the host, after that issue the command "show cap cap" and let us know the outputs.

NAGISWAREN2 for the management-access, you are correct and this is already applied in the provided config.

For the NAT part, there are no NAT statements on the config so he should be OK without any NAT exemption.

Hey Mo, I have just been busy at work so I have not had time to try and play with the equipment. I will update you as I get the time.

Regards

Rocky

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: