Cisco Support Community
Community Member

L2L tunnel issue

Hello...

I created an L2L tunnel b/w a VPN 3005 and a Juniper NetScreen...the tunnel is up but we are both unable to ping the allowed IP...another thing, I only see rx traffic from him but no tx traffic from me...suspecting keepalives...

This is the second tunnel I built on this VPN 3005 box; the first has none of the issues I am experiencing now...

Can anyone assist on this issue....thanks in advance

14 REPLIES
Gold

Re: L2L tunnel issue

Could this be an internal routing issue on your side? It sounds like traffic from your side isn't even making it across the tunnel, while his is... right?

Clear the tunnel, and try to initiate from your side to see if traffic you originate can bring it up.

Community Member

Re: L2L tunnel issue

I'm not sure what may be blocking it...I attached a drawing of the L2L tunnel design...the tunnel is supposed to allow the 172 network to reach the 192 network....I do have a PIX attached to the same network as the 192, could that be blocking traffic?...I checked for documentation but couldn't find any...

Thanks in advance

Community Member

Re: L2L tunnel issue

Sorry, here is the attachment..

Hall of Fame Super Blue

Re: L2L tunnel issue

Hi

What is the default gateway of the PC 192.168.10.10?

Also, what version of software are you running on the PIX?

Jon

Community Member

Re: L2L tunnel issue

The DG is .20....the version of the PIX is 6.3...

Hall of Fame Super Blue

Re: L2L tunnel issue

Hi

Okay, that is your problem. When the 192.168.10.10 PC tries to send traffic back to the 172.16.10.10 PC, the traffic first goes to the PIX. But because you are running v6.x of the PIX, it is not allowed to send the traffic back out the same interface it came in on, and it needs to do this to send the traffic to the VPN 3005.

With PIX v7.x you can do this, but a solution to your problem without having to upgrade would be to add a static route on your 192.168.10.10 PC saying to get to 172.16.10.10 go to 192.168.10.15.

HTH

Jon

Community Member

Re: L2L tunnel issue

OK, that makes sense...can I just add a static route to the PIX stating: route 172.16.10.10 255.255.255.255 192.168.10.15 ?

Thanks

Hall of Fame Super Blue

Re: L2L tunnel issue

Hi

No, you can't, because your PIX will not route the traffic back out of the same interface it was received on unless your PIX is running version 7.x code.

You need to add the static route to the client PC.

Jon
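The return path discussed above, modelled as an added example that is not part of any post in this thread: it traces the reply from the 192.168.10.10 PC with and without the host static route. The /24 mask, the PIX sitting at 192.168.10.20 (the ".20" default gateway), the PIX's outside next hop 203.0.113.1, and the function names are assumptions made for illustration.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumption: mask is not given in the thread
PIX, VPN3005, REMOTE = "192.168.10.20", "192.168.10.15", "172.16.10.10"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return str(dst) if gw is None else gw

def return_path(pc_routes, pix_routes, pix_same_if_ok):
    """Trace the reply from the 192.168.10.10 PC back to the remote host."""
    hop = next_hop(pc_routes, REMOTE)
    if hop == VPN3005:
        return "delivered: PC -> VPN 3005 -> tunnel"
    if hop != PIX:
        return "no usable route on PC"
    pix_hop = next_hop(pix_routes, REMOTE)
    if pix_hop is None or ipaddress.ip_address(pix_hop) not in LAN:
        return "misrouted: PIX forwards away from the VPN 3005"
    # The PIX's next hop is on the same interface the packet arrived on.
    if not pix_same_if_ok:
        return "dropped: PIX will not send back out the receiving interface"
    return "delivered: PC -> PIX -> VPN 3005 -> tunnel"

# Constructed routing tables for the scenario in the thread.
PC_DEFAULT_ONLY = [("192.168.10.0/24", None), ("0.0.0.0/0", PIX)]
PC_WITH_STATIC = PC_DEFAULT_ONLY + [("172.16.10.10/32", VPN3005)]
# PIX table including the route the poster proposed adding on the PIX itself.
PIX_ROUTES = [("192.168.10.0/24", None), ("0.0.0.0/0", "203.0.113.1"),
              ("172.16.10.10/32", VPN3005)]

if __name__ == "__main__":
    print("v6.x, default gateway only:", return_path(PC_DEFAULT_ONLY, PIX_ROUTES, False))
    print("v6.x, static route on PC  :", return_path(PC_WITH_STATIC, PIX_ROUTES, False))
    print("v7.x, default gateway only:", return_path(PC_DEFAULT_ONLY, PIX_ROUTES, True))
```
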

Community Member

Re: L2L tunnel issue

I'll give this a try and update with results...

Again, thanks for your assistance...

Gold

Re: L2L tunnel issue

There is one more option if you're feeling adventurous...enable RIP on the inside interface of the concentrator - RIP v1 - and RRI. Then enable the RIP listener on XP.

Hall of Fame Super Blue

Re: L2L tunnel issue

"if you're feeling adventurous..enable rip "

Now that would be adventurous !! :)

Community Member

Re: L2L tunnel issue

Jon Marshall...you are the man...adding the route statement worked!...I remember reading about this PIX not allowing traffic back out the same interface, but forgot all about it....

Thanks again!

Hall of Fame Super Blue

Re: L2L tunnel issue

No problem. Thanks for letting us know it worked and for the ratings.

Glad to be of help.

Jon

Hall of Fame Super Blue

Re: L2L tunnel issue

m
