Cisco Support Community
Community Member

Cisco 871 router cannot ping corporate network space over IPsec VPN.

We have an 871 configured as an EzVPN client in network extension mode. We have outbound shaping and QoS applied to the virtual-template interface to prioritize voice and all that is working great.

The problem is that from the 871 itself I cannot ping anything on our corporate network space. If I do an extended ping and use the 871 vlan1 interface IP address as the source I can ping back to the corporate network.

Here is the routing table in the 871 once the IPsec tunnel comes up:

871RT_232#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is to network is subnetted, 1 subnets

S [254/0] via, FastEthernet4

S [1/0] via, Virtual-Access2 is variably subnetted, 2 subnets, 2 masks

C is directly connected, Vlan1

S [1/0] via, Virtual-Access2 is subnetted, 1 subnets

C is directly connected, FastEthernet4

S [1/0] via, Virtual-Access2

S [1/0] via, Virtual-Access2

S [1/0] via, Virtual-Access2 is subnetted, 1 subnets

S [1/0] via

S* [254/0] via


Our main corporate network space is the network.

All the static routes that point to Virtual-Access2 are injected from the 3030 concentrator headend when the 871 brings up the IPsec tunnel.

Again the PC and IP phone plugged into the 871 can access services on the network, but the router itself cannot - unless I use the extended ping function.

I need the 871 to be able to send SNMP traffic to network management consoles on the network as well as get its NTP (or SNTP) clock from that network.

Any ideas - any fancy static routing I need to do in the 871?

Community Member

Re: Cisco 871 router cannot ping corporate network space over IP

Good news and bad news. Good news is you can get SNMP, Telnet, SSH, Radius, NTP, etc... to work. The bad news is you can't get ping to work without using extended ping.

The VPN tunnel entrance is between the Fe4 and Vlan1 interface. By default the 870 series routers like to use the Fe4 as their source interface. This won't work obviously since it knows nothing about a tunnel entrance.

The fix is pretty simple, they are:

logging source-interface [Interface]

ntp source [Interface]

ip [protocol] source-interface [Interface]

Where protocol is SSH, Radius, Telnet, etc...
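
An added example (not part of the thread and not Cisco's code): a Python check over a saved running-config that reports which management services would still source from the outside interface, the situation the reply above describes. The function name `audit_sources`, the list of services checked and the sample config are assumptions made for illustration.

```python
import re

# service -> (pattern showing the service is configured,
#             pattern showing its source interface is pinned)
# Assumption: global source commands only; a per-server "source" keyword
# on an "ntp server" line is not inspected.
CHECKS = {
    "syslog": (r"^logging (host )?\d+\.\d+\.\d+\.\d+", r"^logging source-interface (\S+)"),
    "ntp": (r"^ntp server \S+", r"^ntp source (\S+)"),
    "snmp traps": (r"^snmp-server host \S+", r"^snmp-server trap-source (\S+)"),
    "radius": (r"^radius-server host \S+", r"^ip radius source-interface (\S+)"),
    "tacacs": (r"^tacacs-server host \S+", r"^ip tacacs source-interface (\S+)"),
}

def audit_sources(config: str, inside_if: str) -> dict:
    """Return {service: finding} for every service configured in `config`.

    finding is "ok", "unpinned" (no source command, so the router uses the
    egress interface address) or "wrong:<ifname>" (pinned elsewhere).
    """
    lines = [l.strip() for l in config.splitlines()]
    findings = {}
    for service, (used_re, source_re) in CHECKS.items():
        if not any(re.match(used_re, l) for l in lines):
            continue  # service not configured, nothing to check
        pinned = [m.group(1) for l in lines if (m := re.match(source_re, l))]
        if not pinned:
            findings[service] = "unpinned"
        elif pinned[-1].lower() == inside_if.lower():
            findings[service] = "ok"
        else:
            findings[service] = f"wrong:{pinned[-1]}"
    return findings

# Constructed sample config (addresses from the RFC 5737 documentation range)
SAMPLE = """
logging 192.0.2.10
logging source-interface Vlan1
ntp server 192.0.2.20
snmp-server host 192.0.2.30 version 2c EXAMPLE
snmp-server trap-source FastEthernet4
"""

if __name__ == "__main__":
    for svc, result in audit_sources(SAMPLE, "Vlan1").items():
        print(f"{svc:12} {result}")
```

Services reported as "unpinned" or "wrong" are the ones whose packets will not match the tunnel's inside network and so will not reach the management hosts through the IPsec tunnel.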
