I have a PIX setup with several IPSec site-to-site tunnels. We added a second NIC, connected to a new ISP. We have begun moving VPNs over to the new NIC, and after moving them, we are unable to ping from one private network to another. This worked fine on the old ISP/NIC. I have tried allowing ICMP through the ACLs with no change.
What else can I look for that could be prohibiting pings through the VPN tunnels?
Is it just ICMP not working between networks? Do you see the same behavior when using TCP, for example? If yes, check your routing, and since you cannot have multiple default routes on different interfaces, you might need to put some static routes to reach the other side on the appropriate interfaces.
Another point to bring up: if you have a crypto map applied on each one of the interfaces for the same peer, traffic might be encrypted on the wrong interface.
P.S. Please rate this post and indicate resolved if it applies.
Yes, sorry for not including more information. The tunnel is fine, TCP traffic passing fine. Everything is working BUT ICMP through the tunnel.
Default route is set up for one ISP, static routes added for VPN tunnels on the second ISP. We simply set up a static route, set up a new crypto map on the new interface, and the VPN fired right up. Just ICMP won't work.
Clear the encrypt and decrypt counters for the SA.
Start pinging without having other traffic through and monitor the encrypts and decrypts on both sides. If the initiating side has encrypts constantly increasing and the decrypts are not, then the other side should have decrypts increasing without the encrypts. That would indicate a problem on the other side, such as filtering or routing usually. If the ICMP does not bring up the tunnel and the encrypts do not increase on the initiating side, check the following:
Crypto ACLs should not have ports. All IP to IP.
No ACL blocking ICMP.
Also try enabling ICMP inspection on your policy map.
Make sure that ICMP traffic is reaching the ASA initiator by doing captures.
P.S. Please rate this post and indicate resolved when it applies.
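The counter test described above (clear the SA counters, ping with no other traffic, compare encrypts and decrypts on both peers) can be applied mechanically. The script below is an added example and is not code from any post in this thread or from Cisco: it parses the `#pkts encrypt` / `#pkts decrypt` lines in the format printed by `show crypto ipsec sa`, takes the difference between a "before" and an "after" snapshot on each side (so it also works if the counters were not cleared), and maps the four possible asymmetries to the leg that is failing. The sample snapshots are constructed values that reproduce the case from the reply: the initiator's encrypts climb while its decrypts stay flat, and the responder's decrypts climb while its encrypts stay flat, which points at filtering or routing on the far side.

```python
import re

# Counter lines as printed by "show crypto ipsec sa" on a PIX/ASA.
# Group 2 of each match is the encrypt/decrypt packet count.
ENCRYPT_RE = re.compile(r"#pkts encaps:\s*(\d+),\s*#pkts encrypt:\s*(\d+)")
DECRYPT_RE = re.compile(r"#pkts decaps:\s*(\d+),\s*#pkts decrypt:\s*(\d+)")


def parse_counters(show_output: str) -> dict:
    """Pull the encrypt/decrypt packet counters out of one SA's output."""
    enc = ENCRYPT_RE.search(show_output)
    dec = DECRYPT_RE.search(show_output)
    if enc is None or dec is None:
        raise ValueError("encrypt/decrypt counter lines not found in output")
    return {"encrypt": int(enc.group(2)), "decrypt": int(dec.group(2))}


def counter_delta(before: dict, after: dict) -> dict:
    """How much each counter moved while the pings were running."""
    return {key: after[key] - before[key] for key in ("encrypt", "decrypt")}


def diagnose(initiator: dict, responder: dict) -> str:
    """Locate the failing leg from the two peers' counter deltas.

    The checks are ordered along the path of an echo request and its reply:
    initiator encrypts -> responder decrypts -> responder encrypts ->
    initiator decrypts.  The first counter that did not move is the leg
    where the ICMP traffic is being lost.
    """
    if initiator["encrypt"] == 0:
        # Requests never entered the tunnel: crypto ACL not matching
        # (e.g. ports in the ACL), an ACL dropping ICMP, or traffic routed
        # out the wrong interface before it reaches the crypto map.
        return "initiator: ICMP not being encrypted"
    if responder["decrypt"] == 0:
        # Encrypted packets left the initiator but never arrived.
        return "transit: encrypted packets not reaching responder"
    if responder["encrypt"] == 0:
        # Requests arrived and were decrypted, but no replies came back
        # into the tunnel: filtering or routing on the far side.
        return "responder: replies not being encrypted"
    if initiator["decrypt"] == 0:
        return "transit: encrypted replies not reaching initiator"
    return "tunnel passing ICMP in both directions"


# Constructed sample snapshots.  The line format follows the real counter
# lines; the numbers are made up to reproduce the scenario in the thread.
INITIATOR_BEFORE = """\
    #pkts encaps: 250, #pkts encrypt: 250, #pkts digest: 250
    #pkts decaps: 240, #pkts decrypt: 240, #pkts verify: 240
"""
INITIATOR_AFTER = """\
    #pkts encaps: 260, #pkts encrypt: 260, #pkts digest: 260
    #pkts decaps: 240, #pkts decrypt: 240, #pkts verify: 240
"""
RESPONDER_BEFORE = """\
    #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
    #pkts decaps: 250, #pkts decrypt: 250, #pkts verify: 250
"""
RESPONDER_AFTER = """\
    #pkts encaps: 240, #pkts encrypt: 240, #pkts digest: 240
    #pkts decaps: 260, #pkts decrypt: 260, #pkts verify: 260
"""


def run_example() -> str:
    """Diagnose the constructed sample: ten pings, no replies returned."""
    init = counter_delta(parse_counters(INITIATOR_BEFORE),
                         parse_counters(INITIATOR_AFTER))
    resp = counter_delta(parse_counters(RESPONDER_BEFORE),
                         parse_counters(RESPONDER_AFTER))
    return diagnose(init, resp)


if __name__ == "__main__":
    print(run_example())
```

In practice the two snapshots per peer come from running `show crypto ipsec sa` for the peer address before and after the ping burst; pasting each capture into the corresponding string is enough for the script to point at the leg to investigate next (crypto ACL and ICMP ACLs on the initiator, filtering or routing on the responder, or transit in between).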