New Member

IPSEC Site to Site is working but unable to ping

We are using Site to Site VPN for our branch offices. It was working fine; suddenly we found that the branch LANs are not pinging from the HUB.

We are using an ASA 5520 at the HUB and SonicWall TZ100s at the spokes.

The IPsec tunnel is up, users at the spokes are working, and the hub is reachable from the spokes. The HUB LAN IP is pinging from the spoke LAN IPs.

Packet trace results: packet dropped due to implicit deny rule for inside.

5 REPLIES
Hall of Fame Super Silver


There is not much detail here to work with. But based on the description I would guess that the access lists that define the traffic to be carried through the tunnel include most user traffic but do not include these pings.

HTH

Rick

New Member


Have you modified your Crypto ACL to include ICMP and not just IP?

New Member


Hi Chris,

Yes, I have modified the Crypto ACL for ICMP and IP, but it is still not pinging from the ASA inside to the SonicWall LAN.

The reverse ping is working fine.

New Member


Would need to see your ACLs and config. Do you have a NAT exemption? What are your inside standard ACL rules? They might be conflicting.

New Member

When debugging VPN issues

When debugging VPN issues like this, I typically look at the following:

- NAT traversal and general NAT rules - what version of code is the ASA running?
- Crypto ACLs
- Routing information
- Check subnet masks
- If it worked previously, what was recently addressed/altered on the devices?

Some commands that are useful (ASA side):

- Show IPSec sa - check that you have encrypted and decrypted traffic and that the values are close. It will show the ACL that is being used for the tunnel.
- Show run tunnel-group - check that you have the expected settings. If there is something there you don't understand or know its purpose, look it up.
- Show run crypto - check that you have NAT traversal configured if necessary.
- Use 'management access inside' and 'ping inside' for testing, where "inside" is the name of the interface you are using.

Seeing the config would help us here as well.
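For reference, here is a constructed hub-side ASA configuration (an added example, not the poster's or Cisco's configuration; it assumes ASA 8.4 or later object/NAT syntax, and every name and address is a placeholder) showing the items raised in this thread together: the crypto ACL, the NAT exemption, an explicit ICMP permit on the inside interface ACL whose implicit deny the packet trace reported, and the packet-tracer check.

```cisco
! Hub ASA, 8.4+ syntax. Constructed example; all names and addresses are assumptions.
object network HUB-LAN
 subnet 10.1.0.0 255.255.255.0
object network SPOKE-LAN
 subnet 10.2.0.0 255.255.255.0
!
! Crypto ACL: "permit ip" already matches ICMP, so no separate icmp entry is required
access-list SPOKE-VPN extended permit ip object HUB-LAN object SPOKE-LAN
!
! NAT exemption (identity NAT) so hub-to-spoke traffic is not translated before encryption
nat (inside,outside) source static HUB-LAN HUB-LAN destination static SPOKE-LAN SPOKE-LAN no-proxy-arp route-lookup
!
! If an ACL is applied inbound on "inside", its implicit deny drops anything not listed.
! Permit the ICMP used for testing alongside the existing user-traffic rules.
access-list INSIDE-IN extended permit icmp object HUB-LAN object SPOKE-LAN echo
access-list INSIDE-IN extended permit icmp object HUB-LAN object SPOKE-LAN echo-reply
access-list INSIDE-IN extended permit tcp object HUB-LAN object SPOKE-LAN
access-group INSIDE-IN in interface inside
!
! Track ICMP as connections so echo-replies return without extra ACL entries
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Lets the ASA's own "ping inside <spoke-host>" be sourced from the inside interface over the tunnel
management-access inside
!
crypto map OUTSIDE-MAP 10 match address SPOKE-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Verification: simulate a host ping from the hub LAN. The ACCESS-LIST phase should show ALLOW,
! the NAT phase should match the identity rule, and the VPN phase should pick the SPOKE-VPN map.
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.10 detailed
show crypto ipsec sa peer 203.0.113.2
```

If packet-tracer still reports the drop in the ACCESS-LIST phase, the inside interface ACL is the cause; a drop in the NAT or VPN phase points instead at the exemption rule or the crypto ACL.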