topic As the outside IP address of in Network Security

Unable to ping the Remote IP across IPSEC

mahesh18 — Tue, 12 Mar 2019 07:24:59 GMT

Hi Everyone,

IPSEC tunnel is established between Cisco and Palo Alto.

From Palo Alto i can ping the Remote IP of the Cisco ASA but from Cisco ASA i can not ping Remote IP of Palo Alto

Logs from ASA

Feb 28 2016 13:40:22: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:24: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:27: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:29: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:32: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:34: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1

pri/act/ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 68.145.154.173

access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 184.71.241.62

#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 144, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 68.145.154.173/0, remote crypto endpt.: 184.71.241.62/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A92FD619
current inbound spi : F5573103

inbound esp sas:
spi: 0xF5573103 (4116132099)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3915000/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA92FD619 (2838484505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3914991/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Logs From Palo Alto where ping is working to the Remote Cisco IP

64 bytes from 10.0.0.4: icmp_seq=131 ttl=255 time=21.7 ms
64 bytes from 10.0.0.4: icmp_seq=132 ttl=255 time=18.7 ms
64 bytes from 10.0.0.4: icmp_seq=133 ttl=255 time=17.9 ms
64 bytes from 10.0.0.4: icmp_seq=134 ttl=255 time=21.0 ms
^C
--- 10.0.0.4 ping statistics ---
134 packets transmitted, 134 received, 0% packet loss, time 134401ms
rtt min/avg/max/mdev = 17.354/20.349/33.935/2.623 ms
admin@Palo_alto_test

As the outside IP address of

Philip D'Ath — Sun, 28 Feb 2016 21:10:02 GMT

As the outside IP address of the ASA is not in the encryption domain you wont be able to do this. You'll need to test this with a machine behind the ASA.

Actually now i am testing on

mahesh18 — Sun, 28 Feb 2016 21:13:40 GMT

i am testing on machine behind the ASA.

These are your stats:

Philip D'Ath — Sun, 28 Feb 2016 21:19:23 GMT

These are your stats:

#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

It says you are sending and encrypting packets, but not receiving anything back.

I am checking the other side

mahesh18 — Sun, 28 Feb 2016 21:31:41 GMT

I am checking the other side now.

Hi Phil,

mahesh18 — Mon, 29 Feb 2016 00:17:31 GMT

Hi Phil,

Do i need to specfic on ASA the static route for remote subnet across the tunnel?

Regards

Mahesh

No. You just need an

Philip D'Ath — Mon, 29 Feb 2016 00:20:11 GMT

No. You just need an existing route (such as the default route) pointing to the outside interface.

i have that default route.

mahesh18 — Mon, 29 Feb 2016 00:37:53 GMT

i have that default route.

Seems traffic is coming to Palo Alto but not going back to ASA.

Regards

Mahesh

As I mentioned in your other

Marius Gunnerud — Mon, 29 Feb 2016 06:13:32 GMT

As I mentioned in your other question, the issue is on the Palo Alto side as the configuration on the ASA looks fine. Have you checked the routes on the Palo Alto? I think the VPN is terminating on on of the Palo Alto interfaces while traffic to the 10.0.0.0/24 is being sent out a different interface and therefore not being encrypted.

Have a look at the following article and check against your configuration

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/319/1/IPSec-Interoperability-CiscoASA.pdf

Please remember to select a correct answer and rate helpful posts

Issue was Palo alto Did not

mahesh18 — Wed, 02 Mar 2016 01:55:30 GMT

Issue was Palo alto Did not have rule to allow vpn traffic to the inside zone.

All is good now

Regards

MAhesh