Can't ping ASA from end device via IPSEC Tunnel

baroncse (Level 1)

Hi,

I have 3 sites, A, B, and C.

A - Would be the HUB.

B - Spoke - Working

C - Spoke - Not working.

From a site A end device I can ping the ASA at site B, but I can't ping site C. Even with the same configs and the tunnels up, I still can't ping the ASA at site C. I can confirm that the end devices behind ASA C are reachable; only the ASA is not.

I already enabled inspect ICMP, added an ACL for ICMP, made sure interesting traffic is passing through, and UN-NAT is in place.

11 Replies

Same IPSec tunnel I mentioned before that there is an issue with, or is this a new IPSec tunnel?

A different one, sir. Need some help troubleshooting this.


@baroncse wrote:

 I can confirm that behind the ASA - C end devices is reachable, only the ASA is not.


So are you actually just trying to ping ASA C's inside interface over the VPN tunnel?

If so, use the command "management-access <inside interface>" to permit that traffic.

Make sure you ping from a device behind ASA A, not from the ASA itself.

Sorry, forgot to mention I also have this configured as well: "management-access inside"

And yes, from a site A end device going to the site C ASA, no pings. But from a site A end device going to the site B ASA it's working perfectly.

C and B have the same configs for the tunnel going to site A.

A - Would be the HUB<- issue here 

I think you configured ONE policy ACL with two lines for both spokes?
That's wrong.
Configure two policy ACLs, one for each spoke,

and two tunnels, one for each spoke.

They have separate configs for the ACLs and tunnels. Let's just say spoke to spoke (A to C) for the tunnels.

I can confirm the tunnel is up because from an A end device to a C end device they have connectivity; I can RDP and ICMP, but ASA C is the only issue. I need ASA C to be pingable from an A end device.

Can I see the config for both the ACL and the tunnel?

Not sure if this is relevant, but as I told you the tunnel is up: I can reach from an A end device to a C end device; it's just that ASA C is not pingable.

Site A - ASA config:

access-list int1/1_cryptomap_2 extended permit ip object 10.16.169.0 object 10.16.174.0

crypto map int1/1_map 2 match address int1/1_cryptomap_2
crypto map int1/1_map 2 set peer B.B.B.B
crypto map int1/1_map 2 set ikev1 **********

tunnel-group B.B.B.B type ipsec-l2l
tunnel-group B.B.B.B ipsec-attributes
ikev1 pre-shared-key *********

========================================================

access-list int1/1_cryptomap_3 extended permit ip object 10.16.169.0 object 10.16.174.128

crypto map int1/1_map 3 match address int1/1_cryptomap_3
crypto map int1/1_map 3 set peer C.C.C.C
crypto map int1/1_map 3 set ikev1 *****

tunnel-group C.C.C.C type ipsec-l2l
tunnel-group C.C.C.C ipsec-attributes
ikev1 pre-shared-key *************

The NAT exemption must include traffic for both.

Do you run packet-tracer?

packet-tracer input Inside icmp ASA 8 0 Site-C detailed

As I said, the tunnel works fine; the problem is that the Cisco ASA at site C is not replying to my ICMP request from a site A end device. Any other suggestions?

Do packet-tracer from ASA-A to Site-B
Do packet-tracer from ASA-A to Site-C
Check if the traffic-ID & SPI are the same

Check that the other site "Site-C" has a route back to the tunnel
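Two of the checks raised in this thread can be scripted against a saved ASA config rather than eyeballed: whether the address being pinged (here, ASA C's inside interface) actually falls inside the interesting-traffic ACL of the crypto map entry for that peer, and whether "management-access inside" is present so the ASA will answer on that interface over the tunnel. The script below is an added example, not the poster's config or Cisco tooling. It reuses the ACL and crypto map lines shown above, but the "object network" subnets (/24 for site A, two /25s for B and C), the management-access line, and the test addresses are constructed assumptions, since the thread never shows the object definitions or the ASA C inside address. Entries are evaluated in crypto map sequence order, as the ASA does.

```python
import ipaddress
import re

# Constructed sample config (assumption for illustration, not the poster's full config).
# Object names copy the thread's ACL lines; the subnets behind them and the
# "management-access inside" line are assumed, since the thread never shows them.
SAMPLE_CONFIG = """\
object network 10.16.169.0
 subnet 10.16.169.0 255.255.255.0
object network 10.16.174.0
 subnet 10.16.174.0 255.255.255.128
object network 10.16.174.128
 subnet 10.16.174.128 255.255.255.128
access-list int1/1_cryptomap_2 extended permit ip object 10.16.169.0 object 10.16.174.0
access-list int1/1_cryptomap_3 extended permit ip object 10.16.169.0 object 10.16.174.128
crypto map int1/1_map 2 match address int1/1_cryptomap_2
crypto map int1/1_map 2 set peer B.B.B.B
crypto map int1/1_map 3 match address int1/1_cryptomap_3
crypto map int1/1_map 3 set peer C.C.C.C
management-access inside
"""


def parse_objects(config):
    """Map each 'object network' name to an ip_network (subnet or host form)."""
    objects, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^object network (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"^\s+subnet (\S+) (\S+)", line)) and current:
            # ipaddress accepts "address/netmask" directly
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif (m := re.match(r"^\s+host (\S+)", line)) and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def parse_crypto_acls(config, objects):
    """Return {acl_name: [(src_net, dst_net), ...]} for 'permit ip object X object Y' entries."""
    acls = {}
    pat = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)")
    for line in config.splitlines():
        if m := pat.match(line):
            name, src, dst = m.groups()
            acls.setdefault(name, []).append((objects[src], objects[dst]))
    return acls


def parse_crypto_map(config):
    """Return [(seq, peer, acl_name)] sorted by sequence number, the order the ASA
    walks the crypto map when classifying outbound traffic."""
    acl_of, peer_of = {}, {}
    for line in config.splitlines():
        if m := re.match(r"^crypto map (\S+) (\d+) match address (\S+)", line):
            acl_of[(m.group(1), int(m.group(2)))] = m.group(3)
        elif m := re.match(r"^crypto map (\S+) (\d+) set peer (\S+)", line):
            peer_of[(m.group(1), int(m.group(2)))] = m.group(3)
    entries = [(seq, peer_of[key], acl_of[key]) for key in acl_of if key in peer_of for seq in [key[1]]]
    return sorted(entries)


def matching_peer(config, src_ip, dst_ip):
    """Return the peer whose crypto ACL matches src->dst, or None when the flow is not
    interesting traffic for any tunnel (so it would never be sent through the VPN)."""
    objects = parse_objects(config)
    acls = parse_crypto_acls(config, objects)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _seq, peer, acl_name in parse_crypto_map(config):
        for src_net, dst_net in acls.get(acl_name, []):
            if src in src_net and dst in dst_net:
                return peer
    return None


def has_management_access(config, interface):
    """True if 'management-access <interface>' is configured; without it the ASA will not
    answer pings to that interface that arrive over a VPN tunnel."""
    return any(line.strip() == f"management-access {interface}" for line in config.splitlines())


if __name__ == "__main__":
    # Assumed addresses: a site A host and an ASA C inside address inside the C object.
    print(matching_peer(SAMPLE_CONFIG, "10.16.169.10", "10.16.174.254"))  # C.C.C.C
    print(matching_peer(SAMPLE_CONFIG, "10.16.169.10", "10.16.175.1"))    # None: not interesting traffic
    print(has_management_access(SAMPLE_CONFIG, "inside"))                  # True
```

If `matching_peer` returns None for the ASA C inside address while it returns C.C.C.C for hosts behind it, the interface address sits outside the object used in the crypto ACL (and likely outside the NAT exemption too), which is exactly the condition the replies above point at; if it returns the peer but `has_management_access` is False, the ASA is receiving the ping but is not permitted to answer on that interface.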