Cisco Support Community
New Member

Cannot ping thru Tunnel

I am successfully connecting remotely to the Public Address of my Client's PIX 515 using the Cisco VPN client.

While I can establish connectivity, I cannot ping anything on either side of the tunnel.

I also get the following output when executing a "sho ipsec sa":

bhipixop2# sho ipsec sa

interface: outside
    Crypto map tag: map1, local addr. 206.248.224.2

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.50/255.255.255.255/0/0)
   current_peer: 24.x.x.48:288
   dynamic allocated peer ip: 172.16.1.50
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 206.x.x.2, remote crypto endpt.: 24.x.x.48
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: eb406a71

     inbound esp sas:
      spi: 0x65868930(1703315760)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4608000/28602)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xeb406a71(3946867313)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: map1
        sa timing: remaining key lifetime (k/sec): (4608000/28593)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

bhipixop2# sho ipsec sa

I question this output because of the fact that there are no encaps or decaps, and no encrypts or decrypts.

When I execute a "show isa sa" it shows the two endpoints with "QM_IDLE" and 1(one) tunnel created.

Any ideas?

Thx

Any ideas what may be wrong?
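The counters the post is questioning can be pulled out of that output mechanically. The following is an added example (Python, not from the thread or from Cisco) that parses PIX "show ipsec sa" output in the format pasted above, copied here as the sample, and classifies each crypto map entry from its SA state and packet counters. The status names and the wording of the findings are my own heuristics; the parser assumes the line layout exactly as pasted.

```python
import re

# "show ipsec sa" output copied from the post above (addresses masked as
# pasted there), trimmed to the lines the parser uses.
SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: map1, local addr. 206.248.224.2

   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.50/255.255.255.255/0/0)
   current_peer: 24.x.x.48:288
   dynamic allocated peer ip: 172.16.1.50
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 206.x.x.2, remote crypto endpt.: 24.x.x.48
     current outbound spi: eb406a71

     inbound esp sas:
      spi: 0x65868930(1703315760)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/28602)

     inbound ah sas:

     outbound esp sas:
      spi: 0xeb406a71(3946867313)
        transform: esp-des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/28593)
"""

# Matches "#pkts encaps: 0", "#pkts digest 0", "#send errors 0", ...
COUNTER_RE = re.compile(r"#(pkts [a-z. ]+?|send errors|recv errors):? (\d+)")


def parse_ipsec_sa(text):
    """Return one dict per 'Crypto map tag' block: identities, peer,
    packet counters and the ESP SAs seen in each direction."""
    entries, cur, direction = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Crypto map tag:"):
            cur = {"map": line.split()[3].rstrip(","), "counters": {},
                   "esp": {"inbound": [], "outbound": []}}
            entries.append(cur)
            direction = None
        elif cur is None:
            continue
        elif line.startswith(("local ident", "local  ident", "remote ident")):
            cur[line.split()[0] + "_ident"] = line.rsplit("(", 1)[1].rstrip(")")
        elif line.startswith("current_peer:"):
            cur["peer"] = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            for name, value in COUNTER_RE.findall(line):
                name = name.replace("pkts ", "").replace(". ", "_").replace(" ", "_")
                cur["counters"][name] = int(value)
        elif line.endswith("sas:"):
            # Only ESP sections carry SAs we record; AH/PCP headers reset context.
            direction = line.split()[0] if "esp" in line else None
        elif direction and line.startswith("spi:"):
            cur["esp"][direction].append({"spi": line.split()[1].split("(")[0]})
        elif direction and line.startswith("transform:") and cur["esp"][direction]:
            cur["esp"][direction][-1]["transform"] = line[len("transform:"):].strip(" ,")
    return entries


def diagnose(entry):
    """Classify one crypto map entry. Returns (status, findings); the
    statuses are this example's own labels, not PIX terminology."""
    c, findings = entry["counters"], []
    in_sas, out_sas = entry["esp"]["inbound"], entry["esp"]["outbound"]
    if any("esp-des" in sa.get("transform", "").split() for sa in in_sas + out_sas):
        findings.append("transform uses single DES (esp-des), weak by current standards")
    if not in_sas or not out_sas:
        return "phase2-incomplete", findings + ["no ESP SA in one direction: Phase 2 never completed"]
    if c.get("send_errors", 0) or c.get("recv_errors", 0):
        findings.append("send/recv errors are non-zero: the crypto engine is dropping packets")
    encaps, decaps = c.get("encaps", 0), c.get("decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("ESP SAs exist in both directions but nothing was encapsulated or "
                        "decapsulated: the PIX never put traffic into the tunnel and nothing "
                        "encrypted arrived from the peer, so the IKE negotiation is fine and "
                        "the problem is in what selects/permits traffic (crypto ACL, NAT "
                        "handling, sysopt for decrypted traffic)")
        return "up-no-traffic", findings
    if decaps == 0:
        return "outbound-only", findings + ["packets leave but none return: return path or far-side NAT"]
    if encaps == 0:
        return "inbound-only", findings + ["packets arrive but none are sent back: local routing/NAT"]
    return "passing-traffic", findings


if __name__ == "__main__":
    for entry in parse_ipsec_sa(SHOW_IPSEC_SA):
        status, findings = diagnose(entry)
        print(f"{entry['map']} peer {entry['peer']}: {status}")
        for finding in findings:
            print("  -", finding)
```

Run it as-is to see the "up-no-traffic" verdict for the pasted output; to reuse it, pipe real "show ipsec sa" output into parse_ipsec_sa and compare the counters before and after sending a ping, since a counter that stays at zero tells you the packet never reached the crypto map.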

4 REPLIES
Gold

Re: Cannot ping thru Tunnel

It looks like a NAT traversal issue.

Could you try the command:

pix(config)#crypto isakmp nat-traversal 20

M.

Hope that helps, rate if it does.

New Member

Re: Cannot ping thru Tunnel

I implemented the NAT traversal command. It does not seem to have resolved the issue; I am not getting any replies when I issue a ping from either side.

New Member

Re: Cannot ping thru Tunnel

Hi,

Try the following command which permits all decrypted ipsec traffic to go through without the need for acl inspection:

sysopt connection permit-ipsec

This will at least eliminate any potential issues with your acl.

Regards

Pradeep

Hall of Fame Super Silver

Re: Cannot ping thru Tunnel

Kevin

Does your client have other people who connect via VPN to their PIX (and does it work OK for them), or is this something that they set up for you and there are no other users on this type of connection?

It seems to me to be much more likely an issue with configuration of the PIX than to be an issue with your VPN client. Can you provide any details of how the PIX is set up?

HTH

Rick
