
Several Devices Will Not Communicate Across the VPN Tunnel

mhaskett74
Level 1

I have run into an interesting issue.  We have a new site-to-site configuration comprised of two ASAs (a 5505 at the remote site and a 5510 locally).  The site-to-site tunnel is up and appears to be working fine, with the exception of one thing; two identified IP addresses on the remote end cannot seem to communicate across the tunnel.

For example: address 192.168.3.81 is able to see resources at our facility, but 192.168.3.82 (an HP Laserjet P2055dn) cannot.  However, 192.168.3.82 is pingable from the inside interface of the remote ASA and doesn't appear to be having any other connectivity issues.  Also, the default gateway of this device appears to be set properly.  When checking the real-time log viewer, I'm not seeing any error messages; it just appears as if the .82 device is not routing to the remote ASA, but strangely enough the local ASA's logs do seem to show communication with .82.  (See the logs below.)

When we attempt to ping the 192.168.3.82 address from a local PC (10.10.10.10) that participates in the VPN tunnel, we see the following:

Local ASA

6|Jan 31 2012|16:03:53|302021|192.168.3.82|0|10.10.10.10|512|Teardown ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512

6|Jan 31 2012|16:03:51|302020|10.10.10.10|512|192.168.3.82|0|Built outbound ICMP connection for faddr 192.168.3.82/0 gaddr 10.10.10.10/512 laddr 10.10.10.10/512

Remote ASA

6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0

6|Jan 31 2012|16:03:51|302020|10.10.10.10|512|192.168.3.82|0|Built inbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0

We can successfully ping 192.168.3.81 from the same local workstation, and we see the following on the remote ASA:

6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0

6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0

6|Jan 31 2012|16:03:36|302020|192.168.3.81|0|10.10.10.10|512|Built outbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0

6|Jan 31 2012|16:03:36|302020|10.10.10.10|512|192.168.3.81|0|Built inbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0

We have no IP address overlapping and neither ASA's logs show any errors.

Unfortunately, we don't have access to the remote site's router configurations, but we've been assured that the issue is not on their end.

Has anyone seen anything like this before?
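To compare the two hosts from the remote ASA lines quoted above, the following added example (not part of the original post) parses the pipe-delimited log viewer lines and reports, per inside host, which directions of ICMP "Built" events (message ID 302020) were logged. The field names and the helper names `parse_line`, `icmp_summary` and `one_way_hosts` are assumptions inferred from the sample lines.

```python
import re
from collections import defaultdict

# Remote ASA lines copied from the post above.
REMOTE_ASA_LOG = """\
6|Jan 31 2012|16:03:53|302021|10.10.10.10|512|192.168.3.82|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
6|Jan 31 2012|16:03:51|302020|10.10.10.10|512|192.168.3.82|0|Built inbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.82/0 laddr 192.168.3.82/0
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
6|Jan 31 2012|16:03:38|302021|10.10.10.10|512|192.168.3.81|0|Teardown ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
6|Jan 31 2012|16:03:36|302020|192.168.3.81|0|10.10.10.10|512|Built outbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
6|Jan 31 2012|16:03:36|302020|10.10.10.10|512|192.168.3.81|0|Built inbound ICMP connection for faddr 10.10.10.10/512 gaddr 192.168.3.81/0 laddr 192.168.3.81/0
"""

BUILT_ICMP = "302020"  # ASA syslog ID: Built inbound/outbound ICMP connection
LADDR = re.compile(r"laddr (\d+\.\d+\.\d+\.\d+)/")
# Assumed field names for the pipe-delimited layout seen in the post.
FIELDS = ("severity", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text")

def parse_line(line):
    """Split one log viewer line into named fields; None if malformed."""
    parts = line.strip().split("|", 8)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def icmp_summary(log_text):
    """Map each local (laddr) host to the set of Built directions logged."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg_id"] != BUILT_ICMP:
            continue
        match = LADDR.search(rec["text"])
        if match:
            # Message text starts "Built inbound ..." or "Built outbound ..."
            summary[match.group(1)].add(rec["text"].split()[1])
    return summary

def one_way_hosts(summary):
    """Hosts with an inbound Built event but no outbound one."""
    return sorted(h for h, d in summary.items() if d == {"inbound"})

if __name__ == "__main__":
    print(one_way_hosts(icmp_summary(REMOTE_ASA_LOG)))
```

On these lines the remote ASA logged both an inbound and an outbound build for 192.168.3.81 but only an inbound build for 192.168.3.82.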

3 Replies

Julio Carvajal
VIP Alumni

Hello Michael,

So basically they are saying it's your ASA that is dropping the connections:

capture asp type asp-drop all

sh capture asp | include 192.168.3.82

You will get the answer to whether it's this ASA dropping those packets, but as far as I can see both ASAs can see the ICMP connection.

You cannot ping 192.168.3.82 from your site, right?

Next thing would be to create some captures to see what is going on.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

As it turns out it looks to be a communications issue with a particular model of HP printer and everything else works perfectly.  We have since turned this issue over to the remote site to look into as our tunnel configuration is correct.

So, we are considering this issue closed.

Thank you, Julio for your assistance.

Hello Michael,

Great to hear everything is working fine now.

Please mark the question answered so future users can learn from this discussion.

Regards,

Do rate all the helpful posts!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC