Can't Ping Remote VPN Users

mario11584
Level 1

I apologize for the stupid question but I am so insanely rusty with ASA firewalls it's completely ridiculous! I have about 24 remote users connecting to our ASA 5510. These users pull an IP address from a DHCP scope set up on the firewall in the 172.16.16.100-172.16.16.250 range. I need to be able to ping these users' machines over their VPN tunnels. I was under the impression that adding "same-security-traffic permit intra-interface" would allow this but it doesn't. Do I need an ACL for this? What would it look like? I've attached my running config. Maybe I should add that this firewall's only purpose is for these VPN users.

Thanks for the help in advance! You'll save my life!!

21 Replies

Mariusz Bochen
Level 1

Hi David.

Did you try to ping them from ASA directly or from your local network?

I am able to ping my remote hosts from my local PC, but not directly from the ASA; even if I use the internal command, the pattern is not recognized to match the crypto map (not sure why, to be honest).

I think you need to specifically direct this traffic via the outside interface by creating the following routing entry:

route outside 172.16.16.0 255.255.255.0 e.f.g.h 1

You need "same-security-traffic permit intra-interface" as well, obviously, so don't delete that line.

I hope that helps.

Regards

Mariusz

Mariusz,

Thanks for the response.

I am trying to ping them directly from the ASA. None of my internal traffic is routed to this firewall. This firewall is only for external connections to one of our internal networks. I'll directly connect my laptop to one of my unused interfaces and test it that way.

I have route outside 0.0.0.0 0.0.0.0 e.f.g.h 1 in place. Isn't that a default route and would include the traffic for 172.16.16.0/24?

-Dave

amitaaga
Cisco Employee

Hi David,

Looks like you want one VPN user to be able to ping another VPN user (e.g. 172.16.100.101 to ping 172.16.1.102).

Do you have split tunneling enabled on the tunnel group where the VPN users are connecting (can't check, as the tunnel group config is missing in the config)?

Also, would you be able to share the output of "show cry ipsec sa" when 2 VPN users are connected to the ASA?

Regards,

Amitashwa

Are these Windows machines you are trying to ping? Before going too deep into troubleshooting the config, I would disable the Windows firewall on the PC and then try pinging.

--
Please remember to select a correct answer and rate helpful posts

Marius,

These are Avaya VPN desktop phones.

Thanks!

Dave

Amitashwa,

I am not trying to ping from one VPN user to another. I just want to be able to ping them from the firewall, entirely for troubleshooting purposes.

No, we don't have split tunneling enabled. The units I am trying to ping are Avaya VPN desktop phones and do not need this feature. I apologize for not having the tunnel group config. All of our users are local to the firewall and I was trying to protect their usernames and missed that config when I copied and pasted. If you are still interested:

tunnel-group avaya type remote-access
tunnel-group avaya general-attributes
 address-pool AvayaPool
 default-group-policy avaya
tunnel-group avaya ipsec-attributes
 pre-shared-key *****

Attached is the output you requested for two connected VPN users.

Thanks!

Dave

Hi David,

Please follow these steps:

1. Ensure the VPN users are connected successfully. Try to ping the ASA inside IP address from a remote user machine over the VPN tunnel. Are these pings successful? If yes, then proceed with the below.

2. While you generate traffic destined to active remote VPN users, ensure you source it from the inside interface, like "ping inside "

If you have issues with just accessing the ASA inside IP address, then please paste the "sh run nat" output here for further review, and if the ASA is running post-8.3 code, append "no-proxy-arp route-lookup" to the corresponding NAT-EXEMPT (no nat) rule.

Are VPN users able to ping ASA inside resources, including the inside IP address?

Thanks,

Santhosh Shetty

Santhosha,

Thanks for the reply and help. I am unable to ping from the remote user machine. It is an Avaya VPN phone and doesn't offer an option to ping unfortunately. I do know that they respond to pings, however.

Thanks,

Dave

Hi David,

It need not be just ICMP; from the Avaya phone, are you able to reach an inside server over the tunnel (any traffic)?

What code is the ASA running?

Could you attach the "sh run nat" and "sh nat detail" output here along with the ASA inside IP and pool IP.

Thanks,

Santhosh

Have you examined the ASA logs while pinging the AVAYA phones? Do you see any deny packets, or something that could be preventing the flow of traffic?

For the sake of testing could you issue the command management-access inside and then test to see if you get a response.

If that doesn't work could you add the command sysopt connection permit-vpn and then test.

--
Please remember to select a correct answer and rate helpful posts

From the ASA CLI I pinged 172.16.16.129. While pinging that the ASDM logs (in debugging) didn't show any denied packets. It just shows the ICMP session being built then torn down. Are there better logs to look at?

I tried the other two commands without any luck.

Hi,

I would probably try to capture the ICMP traffic on your VPN ASA local interface and see if any ICMP return messages are coming from the VPN connection.

For example:

access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0
access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any
capture PHONE-ICMP-CAP type raw-data access-list PHONE-ICMP-CAP interface inside buffer 1000000 circular-buffer

Then try to ping some of those phones.

Then check

show capture PHONE-ICMP-CAP

and see if any replies are showing past the ASA.

To remove the capture use

no capture PHONE-ICMP-CAP
no access-list PHONE-ICMP-CAP permit icmp any 172.16.16.0 255.255.255.0
no access-list PHONE-ICMP-CAP permit icmp 172.16.16.0 255.255.255.0 any

- Jouni

JouniForss,

Thanks for the detailed instructions. Here is what I got when I tried to ping two different IPs.

ciscoasa(config)# show capture PHONE-ICMP-CAP

9 packets captured

   1: 11:42:50.462225 10.128.0.2 > 172.16.16.118: icmp: echo request
   2: 11:42:50.521945 172.16.16.118 > 10.128.0.2: icmp: echo reply
   3: 11:43:03.820422 10.128.0.2 > 172.16.16.118: icmp: echo request
   4: 11:43:03.878967 172.16.16.118 > 10.128.0.2: icmp: echo reply
   5: 11:43:08.261628 10.128.0.2 > 172.16.16.118: icmp: echo request
   6: 11:43:08.322905 172.16.16.118 > 10.128.0.2: icmp: echo reply
   7: 11:43:18.773565 10.128.0.2 > 172.16.16.246: icmp: echo request
   8: 11:44:13.093012 10.128.0.2 > 172.16.16.246: icmp: echo request
   9: 11:44:45.288833 10.128.0.2 > 172.16.16.246: icmp: echo request

9 packets shown

Mariusz Bochen suggested pinging from inside the network, but the network wasn't set up to allow that. I added routes internally to allow traffic to this firewall from my workstation, so I can ping from there instead of the firewall. From the above output, pings 1 and 3 came from the firewall directly, but the firewall shows they time out. Ping 5 is from my machine and it showed a reply. 7, 8, and 9 are from my machine as well, but they time out. Something must be wrong with that phone (.246). So that raises two questions. Why does the ASA show a timeout when in fact there is a response? And why is one phone confirmed connected to the VPN but not passing traffic? (I've actually confirmed a couple of phones are like this.)

Hi,

I would suggest trying to connect using a PC with the client installed, so we can take captures. Also, please make sure to enable NAT-T as per a previous post and verify the "show crypto ipsec sa" output to check encrypted and decrypted traffic.

Regards,
