819 Views, 0 Helpful, 5 Replies

Cannot ping through PIX IPSec tunnel

cmonks (Level 1)

I have a PIX setup with several IPSec site-to-site tunnels. We added a second NIC, connected to a new ISP. We have begun moving VPNs over to the new NIC, and after moving them, we are unable to ping from one private network to another. This worked fine on the old ISP/NIC. I have tried allowing ICMP through the ACLs with no change.

What else can I look for that could be prohibiting pings through the VPN tunnels?

5 Replies

ajagadee (Cisco Employee)

Are you saying your tunnel is up and you are not able to pass traffic across the tunnel? If so, I would check the routing and NAT 0 commands.

Can you post a copy of the configuration along with outputs from "show cry is sa" and "show crypto ipsec sa" when you are having connectivity issues across the tunnel?

Regards,

Arul

** Please rate all helpful posts **

fashour (Level 1)

Is it just ICMP not working between networks? Do you see the same behavior when using TCP, for example? If yes, check your routing, and since you cannot have multiple default routes on different interfaces, you might need to put some static routes to reach the other side on the appropriate interfaces.

Another point to bring, if you have a crypto map applied on each one of the interfaces for the same peer, traffic might be encrypted on the wrong interface.

P.S. Please rate this post and indicate resolved if applies.

Yes, sorry for not including more information. The tunnel is fine, and TCP traffic is passing fine. Everything is working BUT ICMP through the tunnel.

The default route is set up for one ISP, and static routes were added for the VPN tunnels on the second ISP. We simply set up a static route, set up a new crypto map on the new interface, and the VPN fired right up. Just ICMP won't work.

What I would do:

Clear the encrypt and decrypt counters for the SA.

Start pinging without having other traffic through and monitor the encrypts and decrypts on both sides. If the initiating side has encrypts constantly increasing and the decrypts are not, then the other side should have decrypts increasing without the encrypts. That would usually indicate a problem on the other side such as filtering or routing. If the ICMP does not bring up the tunnel and the encrypts do not increase on the initiating side, check the following:

Crypto ACLs should not have ports. All IP to IP.

No ACL blocking ICMP.

Also try enabling ICMP inspection in your policy map.

Make sure that ICMP traffic is reaching the ASA initiator by doing captures.

-------------

P.S. Please rate this post and indicate resolved when applies.
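The counter-watching procedure above (clear the SA counters, ping with no other traffic, compare encrypts against decrypts on the initiating side) can be scripted against two pasted snapshots of "show crypto ipsec sa". The following is an added example, not code from the thread or from Cisco: it assumes the ASA-style layout of that command's output (the "current_peer:", "local ident (addr/mask/prot/port):" and "#pkts encrypt:/#pkts decrypt:" lines), uses constructed sample output, and maps the counter deltas onto the checklist in the post above, including the "all ip to ip" crypto-ACL check via the prot/port fields of the local ident.

```python
import re
from dataclasses import dataclass


def sample_sa(encrypt: int, decrypt: int) -> str:
    """Constructed `show crypto ipsec sa` excerpt (ASA-style layout, sample
    addresses and counters only; not captured from a real device)."""
    return f"""\
interface: outside2
    Crypto map tag: outside2_map, seq num: 10, local addr: 203.0.113.10

      access-list vpn_to_branch extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: {encrypt}, #pkts encrypt: {encrypt}, #pkts digest: {encrypt}
      #pkts decaps: {decrypt}, #pkts decrypt: {decrypt}, #pkts verify: {decrypt}
"""


@dataclass
class SaCounters:
    peer: str
    local_ident: str  # "addr/mask/prot/port" as printed by the device
    encrypt: int
    decrypt: int


def parse_sa(text: str) -> SaCounters:
    """Pull the peer, local traffic selector and the two counters that matter
    for the encrypt/decrypt comparison out of one SA block."""
    def grab(pattern: str) -> str:
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"pattern not found in SA output: {pattern}")
        return m.group(1)

    return SaCounters(
        peer=grab(r"current_peer:\s*(\S+)"),
        local_ident=grab(r"local ident \(addr/mask/prot/port\): \(([^)]+)\)"),
        encrypt=int(grab(r"#pkts encrypt:\s*(\d+)")),
        decrypt=int(grab(r"#pkts decrypt:\s*(\d+)")),
    )


def selector_is_ip_any(ident: str) -> bool:
    """True when the crypto ACL matched plain IP: prot 0 and port 0.
    A non-zero protocol or port means the crypto ACL is narrower than
    'permit ip', which is what the thread warns against."""
    parts = ident.split("/")
    return len(parts) == 4 and parts[2] == "0" and parts[3] == "0"


def diagnose(before: SaCounters, after: SaCounters) -> str:
    """Classify a before/after pair of counters taken on the initiating side
    while only the test pings were flowing."""
    d_enc = after.encrypt - before.encrypt
    d_dec = after.decrypt - before.decrypt
    if d_enc > 0 and d_dec > 0:
        return "both_directions"   # pings went out and replies came back
    if d_enc > 0:
        return "remote_side"       # we encrypt, nothing comes back: remote filter/route
    return "local_side"            # nothing even got encrypted here


ADVICE = {
    "both_directions": "ICMP crosses the tunnel in both directions; look past the SA.",
    "remote_side": "Encrypts rise, decrypts do not: check filtering and routing on the far side.",
    "local_side": ("Encrypts do not rise: check the crypto ACL is ip-to-ip, no ACL blocks ICMP, "
                   "ICMP inspection in the policy map, and capture to confirm ICMP reaches the initiator."),
}


def report(before_text: str, after_text: str) -> list[str]:
    """Full check: parse both snapshots, flag a narrow crypto ACL, and return
    the verdict plus the matching checklist item as plain findings."""
    before, after = parse_sa(before_text), parse_sa(after_text)
    findings = [f"peer {after.peer}: +{after.encrypt - before.encrypt} encrypt, "
                f"+{after.decrypt - before.decrypt} decrypt"]
    if not selector_is_ip_any(after.local_ident):
        findings.append(f"crypto ACL selector {after.local_ident} is not plain ip-to-ip")
    verdict = diagnose(before, after)
    findings.append(f"{verdict}: {ADVICE[verdict]}")
    return findings


if __name__ == "__main__":
    # Constructed scenario: 10 pings sent, counters cleared beforehand.
    for line in report(sample_sa(0, 0), sample_sa(10, 0)):
        print(line)
```

Run it with the two snapshots pasted in place of the constructed strings; on the far-side PIX the same parse applied to its own output should show the mirror image (decrypts rising, encrypts flat) in the "remote_side" case.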

It looks like everything started working after completely switching over to the new ISP. I think it was solved when I created and applied a dynamic NAT policy to the new interface.
