Cisco Support Community
Can't Ping Remote VPN Users

I apologize for the stupid question but I am so insanely rusty with ASA firewalls it's completely ridiculous! I have about 24 remote users connecting to our ASA 5510. These users pull an IP address from a DHCP scope setup on the firewall in the 172.16.16.100-172.16.16.250 range. I need to be able to ping these users machines over their VPN tunnels. I was under the impression that adding "same-security-traffic permit intra-interface" would allow this but it doesn't. Do I need an ACL for this? What would it look like? I've attached my running config. Maybe I should add that this firewalls only purpose is for these VPN users.

Thanks for the help in advance! You'll save my life!!       

21 REPLIES
New Member

Can't Ping Remote VPN Users

Hi David.

Did you try to ping them from ASA directly or from your local network?

I am able to ping my remote hosts from my local PC, but not directly from the ASA; even if I use the internal command, the pattern is not recognized to match the crypto map (not sure why, to be honest).

I think you need to specifically direct this traffic via the outside interface by creating the following routing entry:

route outside 172.16.16.0 255.255.255.0 e.f.g.h 1

You need "same-security-traffic permit intra-interface" as well, obviously, so don't delete that line.

I hope that helps.

Regards

Mariusz

New Member

Can't Ping Remote VPN Users

Mariusz,

Thanks for the response.

I am trying to ping them directly from the ASA. None of my internal traffic is routed to this firewall. This firewall is only for external connections to one of our internal networks. I'll directly connect my laptop to one of my unused interfaces and test it that way.

I have route outside 0.0.0.0 0.0.0.0 e.f.g.h 1 in place. Isn't that a default route and would include the traffic for 172.16.16.0/24?

-Dave

Cisco Employee

Can't Ping Remote VPN Users

Hi David,

Looks like you want one VPN user to be able to ping another VPN user (Eg: 172.16.100.101 to ping 172.16.1.102).

Do you have split tunneling enabled on the tunnel group where the VPN users are connecting (can't check, as the tunnel group config is missing from the config)?

Also, would you be able to share the output of "show cry ipsec sa" when 2 VPN users are connected to the ASA?

Regards,

Amitashwa

VIP Green

Can't Ping Remote VPN Users

Are these Windows machines you are trying to ping? Before going too deep into troubleshooting the config, I would disable the Windows firewall on the PC and then try pinging.

--

Please remember to rate and select a correct answer
New Member

Re: Can't Ping Remote VPN Users

Marius,

These are Avaya VPN desktop phones.

Thanks!

Dave

New Member

Re: Can't Ping Remote VPN Users

Amitashwa,

I am not trying to ping from one VPN user to another. I just want to be able to ping them from the firewall, entirely for troubleshooting purposes.

No, we don't have split tunneling enabled. The units I am trying to ping are Avaya VPN desktop phones and do not need this feature. I apologize for not having the tunnel group config. All of our users are local to the firewall and I was trying to protect their usernames and missed that config when I copied and pasted. If you are still interested:

tunnel-group avaya type remote-access

tunnel-group avaya general-attributes

address-pool AvayaPool

default-group-policy avaya

tunnel-group avaya ipsec-attributes

pre-shared-key *****

Attached is the output you requested for two connected VPN users.

Thanks!

Dave

Cisco Employee

Can't Ping Remote VPN Users

Hi David,

Please follow these steps:

1. Ensure the VPN users are connected successfully. Try to PING the ASA inside IP address from the remote user's machine over the VPN tunnel. Are these PINGs successful? If yes, then proceed with the below.

2. While you generate traffic destined to active remote VPN users, ensure you source it from the inside interface, like "ping inside "

If you have issues with just accessing the ASA inside IP address, then please paste the "sh run nat" output here for further review, and if the ASA is running post-8.3, append "no-proxy-arp route-lookup" to the corresponding NAT-EXEMPT (no nat) rule.

Are VPN users able to PING ASA inside resources, including the INSIDE IP address?

Thanks,

Santhosh Shetty

New Member

Can't Ping Remote VPN Users

Santhosha,

Thanks for the reply and help. I am unable to ping from the remote user machine. It is an Avaya VPN phone and doesn't offer an option to ping unfortunately. I do know that they respond to pings, however.

Thanks,

Dave

Cisco Employee

Can't Ping Remote VPN Users

Hi David,

It need not be just ICMP; from the Avaya phone, are you able to reach the inside server over the tunnel (any traffic)?

What code is the ASA running?

Could you attach the "sh run nat" and "sh nat details" output here, along with the ASA inside IP and pool IP?

Thanks,

Santhosh

VIP Green

Can't Ping Remote VPN Users

Have you examined the ASA logs while pinging the Avaya phones? Do you see any deny packets, or something that could be preventing the flow of traffic?

For the sake of testing, could you issue the command management-access inside and then test to see if you get a response?

If that doesn't work, could you add the command sysopt connection permit-vpn and then test?

--

Please remember to rate and select a correct answer
New Member

Can't Ping Remote VPN Users

From the ASA CLI I pinged 172.16.16.129. While pinging that the ASDM logs (in debugging) didn't show any denied packets. It just shows the ICMP session being built then torn down. Are there better logs to look at?

I tried the other two commands without any luck.

Super Bronze

Can't Ping Remote VPN Users

Hi,

I would probably try to capture the ICMP traffic on your VPN ASA local interface and see if any ICMP return messages are coming from the VPN connection.

For example

access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0

access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

capture PHONE-ICMP-CAP type raw-data access-list PHONE-ICMP-CAP interface inside buffer 1000000 circular-buffer

Then try to ping some of those phones.

Then check

show capture PHONE-ICMP-CAP

and see if any replies are showing past the ASA.

To remove the capture use

no capture PHONE-ICMP-CAP

no access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0

no access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

- Jouni

New Member

Can't Ping Remote VPN Users

JouniForss,

Thanks for the detailed instructions. Here is what I got when I tried to ping two different IPs.

ciscoasa(config)# show capture PHONE-ICMP-CAP

9 packets captured

   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request

   2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply

   3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request

   4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply

   5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request

   6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply

   7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request

   8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request

   9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request

9 packets shown

Mariusz Bochen suggested pinging from inside the network, but the network wasn't set up to allow that. I added routes internally to allow traffic to this firewall from my workstation, so I can ping from there instead of the firewall. From the above output, pings 1 and 3 came from the firewall directly, but the firewall shows they time out. Ping 5 is from my machine and it showed a reply. 7, 8, and 9 are from my machine as well, but they time out. Something must be wrong with that phone (.246). So that raises two questions. Why does the ASA show a timeout when in fact there is a response? And why is one phone confirmed connected to the VPN but not passing traffic? (I've actually confirmed a couple of phones are like this.)
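Added example, not from any poster in this thread: a small Python parser for the "show capture" output above that pairs each echo request with a reply from the pinged pool address, so a phone that is connected but not passing traffic (like .246) stands out without reading the lines by hand. The capture text is constructed from the nine lines Dave posted.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the "show capture PHONE-ICMP-CAP" output posted in this thread.
SAMPLE_CAPTURE = """\
9 packets captured
   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request
   2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply
   3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request
   4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply
   5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request
   6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply
   7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request
   8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request
   9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request
9 packets shown
"""
# One capture line: "   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request"
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\s+icmp:\s+echo\s+(?P<kind>request|reply)\s*$"
)

def parse_capture(text):
    """Yield (num, ts, src, dst, kind) for every ICMP echo line; header/footer lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["num"]), m["ts"], m["src"], m["dst"], m["kind"]

def summarize_echo(text):
    """Per pinged address: how many echo requests went out and how many replies came back."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for _, _, src, dst, kind in parse_capture(text):
        if kind == "request":
            stats[dst]["requests"] += 1   # request is addressed to the peer
        else:
            stats[src]["replies"] += 1    # reply is sourced from the peer
    return dict(stats)

def unanswered_peers(text):
    """Addresses pinged with no reply at all: tunnel up but no traffic flowing, like .246 above."""
    return sorted(ip for ip, s in summarize_echo(text).items()
                  if s["requests"] and not s["replies"])

if __name__ == "__main__":
    for ip, s in sorted(summarize_echo(SAMPLE_CAPTURE).items()):
        print(f"{ip}: {s['requests']} request(s), {s['replies']} reply(s)")
    print("no reply from:", unanswered_peers(SAMPLE_CAPTURE))
```

Paste the real "show capture" output in place of the constructed sample; a peer that shows requests but zero replies is the one to check with "show crypto ipsec sa" for missing encaps/decaps counters.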

New Member

Can't Ping Remote VPN Users

Hi,

I would suggest trying to connect using a PC with the client installed, so we can take captures. Also, please make sure to enable NAT-T as per a previous post and verify the

show crypto ipsec sa output to check encrypted and decrypted traffic.

Regards,

New Member

Re: Can't Ping Remote VPN Users

Hi Andres,

I was able to connect using the client installed on a PC. I was able to ping the remote IP from my local machine. I was also able to ping the PBX server (inside server) from the remote machine.

I believe NAT-T was already enabled. It doesn't show up in the configs? I ran crypto isakmp nat-traversal 30 and that shows up in the running-config (maybe because it's not a default setting). That didn't seem to resolve the issue.

The output for "show crypto ipsec sa" is attached. Traffic doesn't look like it's getting encrypted or decrypted to one of the problem users.

New Member

Can't Ping Remote VPN Users

Santhosha,

I'm just now learning some of the phones can connect to an inside server and some cannot. They are programmed to connect to our PBX server inside of our network once they establish a VPN connection. All of them can connect to the VPN successfully, but 4 of them are unable to connect to the call server once connected to the VPN. I am unaware of how to test them to see if they can connect to any other servers. I have tested to see if the owners of these phones can connect using the IPSec VPN client on their laptops, which they can, as well as ping the call server. Is that what you are asking?

We have version 8.2 running.

interface Ethernet0/1

nameif inside

security-level 100

ip address 10.128.0.11 255.255.0.0

ip local pool AvayaPool 172.16.16.100-172.16.16.250 mask 255.255.255.0

ciscoasa# show run nat

nat (inside) 0 access-list NO_NAT

I couldn't get "show nat details" to work, but I got "show nat":

NAT policies on Interface inside:

  match ip inside any management any

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside any management 172.16.16.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside any outside any

    NAT exempt

    translate_hits = 28572, untranslate_hits = 946731

  match ip inside any outside 172.16.16.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside any inside any

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

  match ip inside any inside 172.16.16.0 255.255.255.0

    NAT exempt

    translate_hits = 0, untranslate_hits = 0

New Member

Re: Can't Ping Remote VPN Users

Hi,

Thank you for the replies. Quick questions:

Is the problem found with all your users at a time when pinging from the internal network to your remote clients, or with some of them?

Is the problem happening if you test this connecting with the vpn client installed on the pc?

Did you have this working before? If yes, have you made changes?

Could you send the show run tunnel-group 2: show run group-policy (with the one used)

show ip

show run nat

show run all sysopt

That will help a lot.

Regards,


New Member

Re: Can't Ping Remote VPN Users

Andres,

The original problem was that I was unable to ping any of my remote VPN phones connected to the firewall. After I set up some routes from the internal network to this firewall, I was able to start pinging from the inside network and not directly from the firewall. This is thanks to the suggestions made earlier. (Reminder: this firewall's only purpose is to connect our Avaya VPN phones to it and give them access to the VLAN that our PBX server lives on, so me having access to any other interface besides the management was not in the original plans.) After making that change I am able to ping most of these phones. Once I started pinging phones I realized at least 4 of them don't respond to pings. After further investigation I have found that these phones are connecting to the VPN but traffic is NOT being passed after the connection is established. Traffic is not getting encrypted and decrypted and I, of course, cannot ping them. NAT-T is enabled.

The problem does not occur with the VPN client. I can ping the PBX server from the VPN client just fine.

None of these users had this working before. They are all new users.

The requested output has been attached!

Thanks so much for the help!

Dave

New Member

Re: Can't Ping Remote VPN Users

Hi,

We can make sure that the phones are connecting to the same groups; please verify this by using show vpn-sessiondb remote (or ra, depending on the version).

They should use the same policies as the others. If they look OK, we will need to start with some TS for them by verifying differences in their locations; test them in a different one in case traffic is not allowed, etc.

Regards,

New Member

Re: Can't Ping Remote VPN Users

Andres,

I think the issue is related to the remote users home networks.

I had the user of one of the problem phones connect the VPN phone directly to their modem (bypassing the home router) and the user was able to connect just fine. This tells me the issue is with the router and not our ASA.

At this point I'll have to dig into the home networks more and confirm this with the other 3 users.

Thanks for all the help everybody! It was awesome!!

New Member

Re: Can't Ping Remote VPN Users

Hi,

I'm glad to hear that you were able to make that test! Do you have any other question, maybe?
