Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
975
Views
0
Helpful
5
Replies

IPSEC Site to Site is working but unable to ping

adecco-asa
Level 1
Level 1

‎02-21-2014 02:45 AM - edited ‎02-21-2020 07:31 PM

We are using Site to Site VPN for our branch offices.It was working fine, suddenly we found that branches LAN is not pinging from HUB.

We are using ASA 5520 at HUB and Sonicwall at TZ100 at spokes.

IPsec tunnel is up and users at spokes are working and hub is reachable from spokes. HUB LAN ip is pinging from spokes LAN ip.

Packet trace results : packet droped due to implicit deny rule for inside.

Labels:
0 Helpful
5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

‎02-24-2014 09:36 AM

There is not much detail here to work with. But based on the description I would guess that the access lists that define the traffic to be carried through the tunnel include most user traffic but do not include these pings.

HTH

Rick

HTH

Rick
0 Helpful

hillc2401
Level 1
Level 1
In response to Richard Burts

‎02-24-2014 03:07 PM

have you modified your Crypto ACL to include icmp and not just IP?

0 Helpful

adecco-asa
Level 1
Level 1
In response to hillc2401

‎02-24-2014 07:54 PM

Hi Chris,

yes, i have modified Crypto ACL for icmp and IP. but still its not pinging from asa inside to sonicwall lan.

reverse ping is working fine.

0 Helpful

hillc2401
Level 1
Level 1
In response to adecco-asa

‎02-24-2014 08:09 PM

Would need to see your acls and config. Do you have a Nat exemption? What are your inside standard acl rules? Might be conflicting.

0 Helpful

Nathan Farrar
Level 1
Level 1
In response to Richard Burts

‎03-17-2014 07:06 PM

When debugging VPN issues like this, I typically look at the following: NAT traversal and general NAT rules - what version of code is the ASA running? Crypto ACLs Routing information Check subnet masks If worked previously, what was recently addressed/altered on the devices? Some commands that are useful (ASA side) Show IPSec sa - check that you have encrypted and decrypted traffic and that the values are close. It will show the ACL that is being used for the tunnel. Show run tunnel-group -check that you have expected settings. If there is something there you don't understand or know its purpose, look it up. Show run crypto -check that you have NAT traversal configured if necessary Use 'management access inside' and 'ping inside' for testing where "inside" is the name of the interface you are using. Seeing the config would help us here as well.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents