Can't Ping Remote VPN Users

Unanswered Question
Oct 17th, 2013

I apologize for the stupid question but I am so insanely rusty with ASA firewalls it's completely ridiculous! I have about 24 remote users connecting to our ASA 5510. These users pull an IP address from a DHCP scope set up on the firewall in the 172.16.16.100-172.16.16.250 range. I need to be able to ping these users' machines over their VPN tunnels. I was under the impression that adding "same-security-traffic permit intra-interface" would allow this but it doesn't. Do I need an ACL for this? What would it look like? I've attached my running config. Maybe I should add that this firewall's only purpose is for these VPN users.


Thanks for the help in advance! You'll save my life!!

Mariusz Bochen Fri, 10/18/2013 - 07:35

Hi David.


Did you try to ping them from ASA directly or from your local network?

I am able to ping my remote hosts from my local PC, but not directly from the ASA; even if I use the internal command, the pattern is not recognized to match the crypto map (not sure why, to be honest).

I think you need to specifically direct this traffic via the outside interface by creating the following routing entry:


route outside 172.16.16.0 255.255.255.0 e.f.g.h 1


You need same-security-traffic permit intra-interface as well, obviously, so don't delete that line.



I hope that helps.


Regards

Mariusz

mario11584 Mon, 10/21/2013 - 09:26

Mariusz,


Thanks for the response.


I am trying to ping them directly from the ASA. None of my internal traffic is routed to this firewall. This firewall is only for external connections to one of our internal networks. I'll directly connect my laptop to one of my unused interfaces and test it that way.


I have route outside 0.0.0.0 0.0.0.0 e.f.g.h 1 in place. Isn't that a default route and would include the traffic for 172.16.16.0/24?


-Dave

amitaaga Fri, 10/18/2013 - 08:00
Cisco Employee

Hi David,


Looks like you want one VPN user to be able to ping another VPN user (e.g. 172.16.100.101 to ping 172.16.1.102).


Do you have split tunneling enabled on the tunnel group where the VPN users are connecting (can't check as the tunnel group config is missing in the config)?


Also, would you be able to share the output of "show cry ipsec sa" when 2 VPN users are connected to the ASA?


Regards,

Amitashwa

Marius Gunnerud Fri, 10/18/2013 - 13:13
Cisco Designated VIP

Are these Windows machines you are trying to ping? Before going too deep into troubleshooting the config I would disable the Windows firewall on the PC and then try pinging.

mario11584 Mon, 10/21/2013 - 09:41

Marius,


These are Avaya VPN desktop phones.


Thanks!


Dave

mario11584 Mon, 10/21/2013 - 09:39

Amitashwa,


I am not trying to ping from one VPN user to another. I just want to be able to ping them from the firewall, entirely for troubleshooting purposes.


No, we don't have split tunneling enabled. The units I am trying to ping are Avaya VPN desktop phones and do not need this feature. I apologize for not having the tunnel group config. All of our users are local to the firewall and I was trying to protect their usernames and missed that config when I copied and pasted. If you are still interested:


tunnel-group avaya type remote-access
tunnel-group avaya general-attributes
 address-pool AvayaPool
 default-group-policy avaya
tunnel-group avaya ipsec-attributes
 pre-shared-key *****


Attached is the output you requested for two connected VPN users.


Thanks!


Dave

Santhosha Shetty Mon, 10/21/2013 - 09:51
Cisco Employee

Hi David,


Please follow these steps:


1. Ensure the VPN users are connected successfully. Try and ping the ASA inside IP address from a remote user machine over the VPN tunnel. Are these pings successful? If yes, then proceed with the steps below.


2. While you generate traffic destined to active remote VPN users, ensure you source it from the inside interface, like "ping inside "


If you have issues with just accessing the ASA inside IP address, then please paste "sh run nat" output here for further review, and if the ASA is running post-8.3 code, append "no-proxy-arp route-lookup" to the corresponding NAT-EXEMPT (no nat) rule.


Are VPN users able to ping ASA inside resources, including the inside IP address?


Thanks,


Santhosh Shetty

mario11584 Mon, 10/21/2013 - 11:23

Santhosha,


Thanks for the reply and help. I am unable to ping from the remote user machine. It is an Avaya VPN phone and doesn't offer an option to ping unfortunately. I do know that they respond to pings, however.


Thanks,


Dave

Santhosha Shetty Tue, 10/22/2013 - 05:28
Cisco Employee

Hi David,


It need not be just ICMP; from the Avaya phone, are you able to reach an inside server over the tunnel (any traffic)?


What code is the ASA running?


Could you attach "sh run nat" and "sh nat details" output here along with the ASA inside IP and pool IP.


Thanks,


Santhosh

Marius Gunnerud Tue, 10/22/2013 - 05:54
Cisco Designated VIP

Have you examined the ASA logs while pinging the AVAYA phones? Do you see any deny packets, or something that could be preventing the flow of traffic?


For the sake of testing could you issue the command management-access inside and then test to see if you get a response.


If that doesn't work could you add the command sysopt connection permit-vpn and then test.

mario11584 Wed, 10/23/2013 - 09:45

From the ASA CLI I pinged 172.16.16.129. While pinging that the ASDM logs (in debugging) didn't show any denied packets. It just shows the ICMP session being built then torn down. Are there better logs to look at?


I tried the other two commands without any luck.

Jouni Forss Wed, 10/23/2013 - 09:57

Hi,


I would probably try to capture the ICMP traffic on your VPN ASA local interface and see if any ICMP return messages are coming from the VPN connection


For example


access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0
access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

capture PHONE-ICMP-CAP type raw-data access-list PHONE-ICMP-CAP interface inside buffer 1000000 circular-buffer


Then try to ping some of those phones


Then check


show capture PHONE-ICMP-CAP


and see if any replies are showing past the ASA


To remove the capture use


no capture PHONE-ICMP-CAP

no access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0
no access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any


- Jouni

mario11584 Wed, 10/23/2013 - 10:58

JouniForss,


Thanks for the detailed instructions. Here is what I got when I tried to ping two different IPs.


ciscoasa(config)# show capture PHONE-ICMP-CAP

9 packets captured

   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request
   2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply
   3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request
   4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply
   5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request
   6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply
   7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request
   8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request
   9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request
9 packets shown


Mariusz Bochen suggested pinging from inside the network but the network wasn't set up to allow that. I added routes internally to allow traffic to this firewall from my workstation, so I can ping from there instead of the firewall. From the above output, pings 1 and 3 came from the firewall directly. But the firewall shows they time out. Ping 5 is from my machine and it showed a reply. 7, 8, and 9 are from my machine as well but they time out. Something must be wrong with that phone (.246). So that raises two questions. Why does the ASA show a timeout when in fact there is a response? And why is one phone confirmed connected to the VPN but not passing traffic? (I've actually confirmed a couple of phones are like this.)
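The capture procedure Jouni described and the "show capture" output above lend themselves to a small script: pair each echo reply with the request it answers, measure the round trip, and list targets that were probed but never replied inside the capture window. The code below is an added example written for this thread, not something posted by any of the participants or shipped with the ASA; the sample input is constructed from the nine lines shown above, and the line format it parses is only the ICMP echo form of ASA "show capture" output (other protocols are skipped).

```python
import re
from collections import defaultdict

# Constructed sample input, in the form of the ASA "show capture" dump quoted above.
SAMPLE_CAPTURE = """\
9 packets captured

   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request
   2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply
   3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request
   4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply
   5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request
   6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply
   7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request
   8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request
   9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request
9 packets shown
"""

# One ICMP echo line: "<seq>: <HH:MM:SS.ffffff> <src> > <dst>: icmp: echo request|reply"
PACKET_RE = re.compile(
    r"^\s*(?P<seq>\d+):\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>[\d.]+)\s+>\s+(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)


def _to_seconds(ts):
    """Convert an HH:MM:SS.ffffff capture timestamp to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return the ICMP echo packets of a 'show capture' dump as a list of dicts."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m is None:
            continue  # header/trailer lines such as '9 packets captured'
        packets.append({
            "seq": int(m["seq"]),
            "t": _to_seconds(m["ts"]),
            "src": m["src"],
            "dst": m["dst"],
            "kind": m["kind"],
        })
    return packets


def summarize_echoes(text):
    """Pair each echo reply with the oldest unanswered request for the same
    (requester, target) pair and report, per target, the request count,
    the reply count and the observed round-trip times in milliseconds."""
    pending = defaultdict(list)   # (requester, target) -> queue of request times
    summary = {}                  # target -> stats
    for p in parse_capture(text):
        if p["kind"] == "request":
            stats = summary.setdefault(p["dst"], {"requests": 0, "replies": 0, "rtt_ms": []})
            stats["requests"] += 1
            pending[(p["src"], p["dst"])].append(p["t"])
        else:  # reply: src is the target, dst is the original requester
            queue = pending[(p["dst"], p["src"])]
            stats = summary.setdefault(p["src"], {"requests": 0, "replies": 0, "rtt_ms": []})
            stats["replies"] += 1
            if queue:
                stats["rtt_ms"].append(round((p["t"] - queue.pop(0)) * 1000, 2))
    return summary


def unanswered_targets(text):
    """Targets that were probed but never replied inside the capture window."""
    return sorted(t for t, s in summarize_echoes(text).items() if s["replies"] == 0)


if __name__ == "__main__":
    for target, stats in summarize_echoes(SAMPLE_CAPTURE).items():
        print(target, stats)
    print("no reply seen from:", unanswered_targets(SAMPLE_CAPTURE))
```

On the sample, 172.16.16.118 answers all three requests in about 60 ms and 172.16.16.246 answers none, which is the same split Dave reached by eye. The pairing is keyed on the (requester, target) pair so a capture that mixes pings from the ASA and from an inside workstation does not cross-match replies; it deliberately does not check ICMP id/sequence fields because the ASA capture line does not print them.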

andduart Wed, 10/23/2013 - 11:26

Hi,


I would suggest trying to connect using a PC with the client installed so we can take captures; also, please make sure to enable NAT-T as per a previous post and verify the
show crypto ipsec sa output to check encrypted and decrypted traffic.


Regards,

mario11584 Wed, 10/23/2013 - 13:00

Hi Andres,


I was able to connect using the client installed on a PC. I was able to ping the remote IP from my local machine. I was also able to ping the PBX server (inside server) from the remote machine.


I believe NAT-T was already enabled. It doesn't show up in the configs? I ran crypto isakmp nat-traversal 30 and that shows up in the running-config (maybe because it's not a default setting). That didn't seem to resolve the issue.


The output for "show crypto ipsec sa" is attached. Traffic doesn't look like it's getting encrypted or decrypted to one of the problem users.

mario11584 Wed, 10/23/2013 - 12:41

Santhosha,


I'm just now learning some of the phones can connect to an inside server and some cannot. They are programmed to connect to our PBX server inside of our network once they establish a VPN connection. All of them can connect to the VPN successfully but 4 of them are unable to connect to the call server once connected to the VPN. I am unaware of how to test them to see if they can connect to any other servers. I have tested to see if the owners of these phones can connect using the IPSec VPN client on their laptops, which they can, as well as ping the call server. Is that what you are asking?


We have version 8.2 running.


interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.128.0.11 255.255.0.0

ip local pool AvayaPool 172.16.16.100-172.16.16.250 mask 255.255.255.0

ciscoasa# show run nat
nat (inside) 0 access-list NO_NAT


I couldn't get "show nat details" to work but I got "show nat"


NAT policies on Interface inside:
  match ip inside any management any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any management 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any outside any
    NAT exempt
    translate_hits = 28572, untranslate_hits = 946731
  match ip inside any outside 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside any
    NAT exempt
    translate_hits = 0, untranslate_hits = 0
  match ip inside any inside 172.16.16.0 255.255.255.0
    NAT exempt
    translate_hits = 0, untranslate_hits = 0

andduart Wed, 10/23/2013 - 18:10

Hi,

Thank you for the replies, quick questions:
Is the problem found with all your users at a time to ping from the internal network to your remote clients, or with some of them?

Is the problem happening if you test this connecting with the VPN client installed on the PC?

Did you have this working before? If yes, have you made changes?

Could you send the following? That will help a lot.

  • show run tunnel-group
  • show run group-policy (with the one used)
  • show ip
  • show run nat
  • show run all sysopt

Regards,


Could you send the

Sent from Cisco Technical Support iPhone App

mario11584 Thu, 10/24/2013 - 08:15

Andres,


The original problem was that I was unable to ping any of my remote VPN phones connected to the firewall. After I set up some routes from the internal network to this firewall I was able to start pinging from the inside network and not directly from the firewall. This is thanks to the suggestions made earlier. (Reminder, this firewall's only purpose is to connect our Avaya VPN phones to it and give them access to the VLAN that our PBX server lives on. So me having access to any other interface besides the management was not in the original plans.) After making that change I am able to ping most of these phones. Once I started pinging phones I realized at least 4 of them don't respond to pings. After further investigation I have found that these phones are connecting to the VPN but traffic is NOT being passed after the connection is established. Traffic is not getting encrypted and decrypted and I of course cannot ping them. NAT-T is enabled.


The problem does not occur with the VPN client. I can ping the PBX server from the VPN client just fine.


None of these users had this working before. They are all new users.


The requested output has been attached!


Thanks so much for the help!


Dave

andduart Thu, 10/24/2013 - 12:41

Hi,


We can make sure that the phones are connecting to the same groups; please verify this by using show vpn-sessiondb remote (or ra, depending on the version).


They should use the same policies as the others, if they look ok we will need to start with some TS for them by verifying differences in their locations, test them in a different one in case traffic is not allowed.....etc


Regards,

mario11584 Thu, 10/24/2013 - 15:14

Andres,


I think the issue is related to the remote users home networks.


I had the user of one of the problem phones connect the VPN phone directly to their modem (bypassing the home router) and the user was able to connect just fine. This tells me the issue is with the router and not our ASA.


At this point I'll have to dig into the home networks more and confirm this with the other 3 users.


Thanks for all the help everybody! It was awesome!!

andduart Thu, 10/24/2013 - 15:20

Hi,


I'm glad to hear that you were able to make that test! Do you have any other questions?