VPN Tunnel up, But cannot ping across it??

jtmullis82
Level 1

I have an L2L VPN tunnel from a 5520 to a 5510 with Cisco 2941s on each end of the ASAs. I cannot ping from my local 2941 to the remote 2941. The tunnel doesn't block ICMP, and I have multiple other sites configured with the same equipment working. I have set up a debug icmp trace and I can see on both ASAs that when the ping is initiated it makes it to the ASA it is connected to but never gets across. Please help, this is the last step in finishing my project....

29 Replies

brettborschel
Level 1

Is your traffic included in the NAT-0 ACL?

It doesn't have one. The setup is that the 5520 carries individual VPNs to multiple 5510s. There is a default access-list 100 extended permit ip any any. Then I build access lists based on the crypto maps to each individual 5510. I have the same exact configuration on other tunnels on the 5520 going to different 5510s with 2941s on the opposite side and it works fine. From what I can tell the configuration for this one is exactly the same, yet no ping response. When I ping from my local 2941 to the local 5520 this is the icmp debug output:

YPG-ASA5520-1(config)# ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=0 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=1 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=2 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=3 len=72
ICMP echo request from inside:10.10.10.4 to outside:10.10.50.2 ID=40 seq=4 len=72

So it sees the request coming in and it shows it sending the request to the outside interface, but no response. I get the same thing from the opposite end. So the 2941 to local ASA seems to be getting the request; it just doesn't seem to be getting across the tunnel, or able to find its way back.

Is it possible for you to post the configuration for both sides and the interesting traffic definitions?

Manish

The one I am having an issue with is the outside_3_cryptomap going to peer 140.32.132.73. On the local side I have a 2941 with a 10.10.10.0/24 address, and on the remote end I have a 2941 with a 10.10.50.0/24 IP address. I should be able to ping from the local side to the remote side's 10.10.50.2 address, but I cannot.

~~~ LOCAL END ~~~

YPG-ASA5520-1# show run
: Saved
:
ASA Version 8.2(1)
!
hostname YPG-ASA5520-1
names
name 10.1.25.18 test
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 6.7.0.13 255.255.254.0
!
interface GigabitEthernet0/1
nameif internal
security-level 0
ip address 10.0.2.166 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.20.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.27.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.1.25.0 255.255.255.0 10.10.30.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.1.26.0 255.255.255.0
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu outside 1522
mtu internal 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 6.7.0.1 1
route inside 10.1.25.0 255.255.255.0 10.10.10.5 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.2.0 255.255.255.0 inside
http 10.0.2.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 140.32.167.58
crypto map outside_map 1 set transform-set ESP-DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 140.32.171.2
crypto map outside_map 2 set transform-set ESP-DES-SHA

crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 140.32.132.73
crypto map outside_map 3 set transform-set ESP-DES-SHA

crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 140.32.167.58 type ipsec-l2l
tunnel-group 140.32.167.58 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.171.2 type ipsec-l2l
tunnel-group 140.32.171.2 ipsec-attributes
pre-shared-key *
tunnel-group 131.120.38.2 type ipsec-l2l
tunnel-group 131.120.38.2 ipsec-attributes
pre-shared-key *
tunnel-group 140.32.132.73 type ipsec-l2l
tunnel-group 140.32.132.73 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:e1d9cd4c9ae0fbe643d031975c48cbd0
: end
YPG-ASA5520-1#

~~~ REMOTE END ~~~

NPS-ASA5510# show run
: Saved
:
ASA Version 8.2(1)
!
hostname NPS-ASA5510
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 140.32.132.73 255.255.255.224
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
nameif internal
security-level 0
ip address 192.168.103.2 255.255.255.0
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 10.10.50.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
ftp mode passive
access-list 100 extended permit ip any any
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
pager lines 24
logging console debugging
logging asdm informational
mtu outside 1500
mtu internal 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 140.32.132.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.103.0 255.255.255.0 internal
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 10 match address outside_1_cryptomap
crypto map outside_map 10 set peer 6.7.0.13
crypto map outside_map 10 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn

tunnel-group 6.7.0.13 type ipsec-l2l
tunnel-group 6.7.0.13 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:a073c919957e60ffea64717b4e8e4097
: end

I would use packet tracer to troubleshoot this. It's much more accurate at finding the problem. You can simulate the traffic and watch what phase it fails on as it passes through the firewall. This will identify if it is a NAT problem or ACL typo or whatever.

I found a good little intro demo in case you're not familiar with it:

http://www.cisco.com/E-Learning/bulk/public/celc/QLM_ASA_72_01_Final/course_skin.html

I'm thinking the problem is at the new remote site as the other remotes are all working.

This line stands out as being not correct.

access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0

Probably causing your FW to encrypt the traffic it needs to send ISAKMP in clear text with. Try removing that line.
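One way to check the point made above, that each crypto ACL entry on one side must have a mirror image (source and destination swapped) on the other, is to parse both posted crypto ACLs and list the unmirrored entries. This is an added example, not code from the thread or from Cisco; the config excerpts are copied from the two posts above, and the ACL names are the ones used there.

```python
import ipaddress
import re

# Crypto ACL lines copied from the two "show run" posts in this thread.
LOCAL_CFG = """
access-list outside_3_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.10.50.0 255.255.255.0
"""
REMOTE_CFG = """
access-list outside_1_cryptomap extended permit ip 140.32.132.0 255.255.255.0 6.7.0.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.40.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip 10.10.50.0 255.255.255.0 10.10.10.0 255.255.255.0
"""

# Only "permit ip <net> <mask> <net> <mask>" ACEs are handled here; that is
# the only form the posted crypto ACLs use.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def parse_crypto_acl(config, acl_name):
    """Return the set of (src_net, dst_net) pairs for permit-ip ACEs in acl_name."""
    pairs = set()
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m or m.group(1) != acl_name:
            continue
        src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}", strict=False)
        pairs.add((src, dst))
    return pairs


def unmirrored(local_pairs, remote_pairs):
    """ACEs on each side that have no exact mirror (dst, src) on the other side.

    An unmirrored entry means the peers disagree on what is "interesting"
    traffic: one side encrypts it, the other side has no SA to receive it.
    """
    local_only = {(s, d) for (s, d) in local_pairs if (d, s) not in remote_pairs}
    remote_only = {(s, d) for (s, d) in remote_pairs if (d, s) not in local_pairs}
    return local_only, remote_only


if __name__ == "__main__":
    local = parse_crypto_acl(LOCAL_CFG, "outside_3_cryptomap")
    remote = parse_crypto_acl(REMOTE_CFG, "outside_1_cryptomap")
    lo, ro = unmirrored(local, remote)
    for s, d in sorted(ro, key=str):
        print(f"remote ACE {s} -> {d} has no mirror on the local 5520")
    for s, d in sorted(lo, key=str):
        print(f"local ACE {s} -> {d} has no mirror on the remote 5510")
```

Run against the posted configs it flags the 140.32.132.0/24 -> 6.7.0.0/24 line discussed above and also the 10.10.40.0/24 -> 10.10.10.0/24 line, both of which exist only on the remote 5510.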

OK, I erased that line and also the one like it on the remote end. Still no success. The 2941 on the remote side has a default route of 10.10.50.1, which is the inside interface of the ASA. It seems like the ASA isn't routing the request to the 2941?

I only saw that line on the remote site. Are you saying it was configured on the hub router too?

Try using the packet tracer. That will tell us right off the bat where our problem lies.

OK, I initiated the packet tracer. I have never done this before, but here is how I set it up. For interface type I selected inside and then for source IP I put the IP of the 2941 from my local side. For the destination I put the IP of the 2941 on the remote side. I selected ICMP and hit start. When it was finished it said for the result "the packet is allowed", but when I initiate this ping from the actual 2941, it does not work.

For the remote ASA the ASDM is not set up, so I do not know how to do the packet tracer from that side.

hmmm, strange...

The command from the CLI is: packet-tracer input [src_int] protocol src_addr src_port dest_addr dest_port detailed

Give that a shot for the other office.

ASAs and PIX are a bit buggy with VPN. Try reloading the remote firewall. I know this sounds stupid, but I have pulled my hair out before for hours and had a reload do the trick.

OK, I will give it a shot. Is it true that you cannot SSH or Telnet from an ASA to another router?

That is true. They also will not respond to pings on their outside interfaces by default and block traceroutes.

No success with the reload. This really has me baffled. I'm going to have the techs on the remote side send me a printout of the 2941 configuration. I am pretty sure their default route is set to the ASA, but I should double check.....

Default routes on the 2941s are set. I do not understand why I cannot ping across my VPN. Anyone have any ideas or solutions to test?
