Cisco Support Community
New Member

IPsec clients can ping remote networks but not local network

Hi, I am setting up a new branch office. An IPsec L2L tunnel is set up between the branch ASA 5505 and the HQ ASA 5520. The HQ ASA is the gateway for software IPsec clients and EzVPN clients operating in network extension mode. HQ (and the software IPsec clients) is using address space, while the EzVPN clients and this branch office will be using address space. The branch office uses exclusively.

I also configured IPsec RA on the branch office; the RA pool is . Full-mesh IP connectivity is achieved, except that IPsec clients connecting to the branch office cannot ping hosts in the branch office but can ping anywhere else. Specifically, the branch office IPsec client is getting IP address , and there is a live host in the branch office with IP address in the inside VLAN. A debug capture on the ASA 5505 of a ping from shows that received the echo request from and the ASA received the echo reply from the inside VLAN.

This really puzzles me, since the ASA 5505 has an IPsec SA for the remote access client, and is in the routing table; the ASA should simply look at the security policy database and send the echo reply to the right IPsec peer.

I do have a rather loose access-list defined for the L2L IPsec tunnel:

access-list traffic_to_HQ extended permit ip

access-list traffic_to_HQ extended permit ip

I am wondering whether the echo reply is being sent into the L2L tunnel because the traffic matches the access-list. But due to the longest match rule, IPsec should not use the L2L SA to send a packet destined to to the L2L tunnel, correct? Is there any way to know where the echo reply packets go? Any other configuration I might have missed?

Thanks a lot.
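Added example, not the poster's configuration and not the attachment from the reply below. It shows how an ASA chooses the SA for outbound traffic and how to check which one the echo reply is actually taking. The ASA does not apply a longest-match rule across crypto map entries: entries are evaluated in sequence-number order and the first crypto ACL that matches wins, so a loose L2L ACL listed before the dynamic (remote-access) entry will claim traffic destined for the RA pool. Every address, mask, map name and sequence number here is a placeholder, since the thread does not show the real values; the transform-set line uses the older pre-8.4 syntax.

```cisco
! Added example with placeholder values; not the original poster's config.
!
! 1. SA selection: crypto map entries are tried in sequence order, first
!    match wins. The static L2L entry (seq 10) is consulted before the
!    dynamic entry (seq 65535) under which the remote-access client SA lives.
crypto map outside_map 10 match address traffic_to_HQ
crypto map outside_map 10 set peer <HQ_ASA_PUBLIC_IP>
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
!
! 2. Keep the RA pool out of the L2L entry. A deny ACE in a crypto ACL means
!    "not protected by this entry" and evaluation continues with the next
!    entry, so replies to RA clients fall through to the dynamic map.
access-list traffic_to_HQ extended deny ip <BRANCH_INSIDE_NET> <MASK> <RA_POOL_NET> <MASK>
access-list traffic_to_HQ extended permit ip <BRANCH_INSIDE_NET> <MASK> <HQ_NET> <MASK>
!
! 3. Trace the echo reply (ICMP type 0, code 0) from the inside host back
!    to the client; the VPN phase of the output names the matching entry.
packet-tracer input inside icmp <BRANCH_HOST_IP> 0 0 <RA_CLIENT_IP> detailed
!
! 4. Cross-check with SA counters while the client pings the inside host:
!    "pkts encaps" should increase on the client's SA, not on the HQ peer's.
show crypto ipsec sa peer <RA_CLIENT_PUBLIC_IP>
show crypto ipsec sa peer <HQ_ASA_PUBLIC_IP>
```

Run the packet-tracer command before changing the ACL to see which SA the reply is being placed in today, and again afterwards. Read the earlier phases of the output as well: if the trace is dropped or translated at the NAT phase rather than reaching the VPN phase, the missing piece is a NAT exemption for inside-to-RA-pool traffic rather than the crypto ACL.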

New Member

Re: IPsec clients can ping remote networks but not local network

Attaching configuration
