Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
413
Views
10
Helpful
4
Replies

VPN comes up, but cannot ping

richmorrow624
Level 1
Level 1

‎08-14-2006 12:47 PM - edited ‎02-21-2020 02:34 PM

I have the following situation:

A Cisco 2800 series router configured for a VPN to a remote site.

The remote site is working with a 3000series concentrator.

I was working with the remote end network guy today. The tunnel is negotiated successfully, but I cannot get traffic to flow, I cannot ping remote site inside interface.

I can see the sa is connected to peer, but QM_Idle.

I can see the access-lists matching packets, but cannot transfer packets.

I have cleared the SA's

debugs look like negotiation is not an issue.

ICMP debug does not show anything when remote end pings my inside interface

trace shows second hop like this:

2. 7.3.0.9 !N !N !N

Does anyone see any glaring omissions?

Labels:
0 Helpful
4 Replies 4

Wilson Samuel
Level 7
Level 7

‎08-15-2006 01:05 AM

Hi,

If the VPN is up, that means that Crypto Access-List is ok, and shouldn't have any problems. However I would insist you to check with Extended Ping Utility as whenever you use the normal Ping, the External Interface's IP Address is used as source and it never ends up using the IPSec Connection.

Alternatively, please try the tracert from a PC and you might get better clues.

Kind Regards,

Wilson Samuel

richmorrow624
Level 1
Level 1
In response to Wilson Samuel

‎08-15-2006 03:17 PM

Thanks for the reply.

Does it matter at all that this is a Netscreen Firewall?

I used the same config on the Cisco router and set up a PIX501 as the remote end and everything works.

Is there anything I need to do differently for that?

Or maybe the other end guy needs to do something differently?

As I said the same Netscreen works with a Cisco 3005 Concentrator.

0 Helpful

Wilson Samuel
Level 7
Level 7
In response to richmorrow624

‎08-16-2006 12:50 AM

Hi,

If you are using any open technology like IPSec it shouldn't be any problem across any platform, however as a word of pre-caution you must cross check that everything is exactly as a mirror replica of each other.

Since on both the sites there are two different products, I shall request you to take a copy of both the configs and tally it mannually and you would come across any issues.

Kind Regards,

Wilson Samuel

PS: Please rate, if it helps

richmorrow624
Level 1
Level 1
In response to Wilson Samuel

‎08-16-2006 04:29 AM

Thanks for the reply,

here is an update to what I am seeing:

It looks like both setups are doing the same thing.

The tunnel is actually up and working on the PIX (probably was up and working on the Netscreen also),

From the PIX end to the 2800 series router I can ping the router interface, I don't have anything connected to the inside interface so I have only tried to ping the router interface from the PIX end and it works.

From the 2800 router end, I can not ping the PIX inside interface, but I can ping a workstation on the network the inside interface sits on(PIX is 10.10.10.1/24, workstation is 10.10.10.5/24).

On the Netscreen, it looks like it was doing the same thing as far as the inside interface goes, I didn't try anything beyond that, but the tunnel was up, but I could not ping the Netscreen interface.

Why would that be?

0 Helpful
Customers Also Viewed These Support Documents