Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

515E DES VPN connnectivity issue


I am completely lost on this one.

I have two sites that talk to each other over a DES vpn. One site on a MPLS cloud in the UK talking to a site in Luxemburg. The traffic is routed from the MPLS to my PIX on my site then encyrpted to Lux and vice versa. Both end VPN devices are 515E's running 6.3(3) versions. My client is running a 2003 exchange which is replicating over this link, but experienced very odd connectivity which I shall explain with what we see in the pings.

UK machine -

Lux machine -

RDP from UK to Lux trying to ping UK=no responce.

Then ping from UK to Lux=responce

Then Ping from Lux to UK=responce

All rules allow any talking between the two sites. No firewalls are on the machines. They are only running sophos anitvirus.

Any ideas? I am out!



New Member

Re: 515E DES VPN connnectivity issue

I seem to have found the cause although it is rather odd.

The internal network local to the PIX, 172.18.*.* has none of these issues. It is only when you traverse this network to get to the MPLS that causes this rather odd problem. Initiating the ping from Lux to 172.18.*.* works with only a simple protect IP rule on either end of the link IE on both the 515E's. To get it to work so that Lux can ping the UK site without the UK site pinging Lux first I have had to specifically add the protect ICMP back to Lux and also add a NAT exemption rule in the same direction. Not touching the config in LUX. This I could understand if the PIX was natting, but the PIX this end does not nat a thing. Everything should be left as original anyway. I am trying to find an expination for this but not having a lot of joy. Why has this only starting happening resently? It never did before about 2 months ago. Why does the ping work fine once you have pinged a machine in LUX? The tunnel I imagine must already be up but surely the data going across with still adhear to all the rules both NAT and Protect on the way to Lux?

Anyway, its working for now. If anyone has any ideas or documentation that may help that woudl be grand!