No Traceroutes over Concentrator<->PIX VPN...???

davidbornack
Level 1

I can't perform traceroutes over the VPN tunnel I have established. Everything is working otherwise.

I hit up TAC with this question, and they tell me that because the packets are encrypted, the tunnel isn't aware that they are traceroute packets. Is this true? When I trace from a host on the inside of the PIX to a host on the inside of the Concentrator, I get timeouts on every hop except the first and last.

Any ideas?

5 Replies

Richard Burts
Hall of Fame

It might help us if we knew more about your particular situation and how you have things configured.

But in general I think that you got a correct answer: if the traceroute packet matches the access list for IPSec and the traceroute packet is encrypted, then the devices along the path, up to the point where it is decrypted, will only see the encrypted data and will not recognize that it is a traceroute and therefore cannot respond to you. (A technical note: the devices along the path see the TTL expire, drop the packet, and generate an ICMP error, but the ICMP TTL exceeded is not addressed to you but to the tunnel endpoint, since that was the source address of the packet that they discarded.)

If you really want traceroute to work you might look at the possibility of changing the access list that identifies traffic for IPSec such that it does not permit the traceroute packets. This will result in traceroute being sent in the clear. Note that there may be some complexity in differentiating traceroute from other kinds of traffic in the access list.

HTH

Rick

dvarana
Level 1

Hello. Not sure what version this came out in, but try on both PIX sides:

management-access inside

I can telnet, ping, etc... to the insides of both tunnels points with this.

Hi,

Take this case for an example.

The traceroute you are expecting is

HostA--> VPN.Concentrator Inside IP --> PIX Inside IP ---> HostB

Now check your network lists on the VPN Concentrator for the specific tunnel. You would have allowed traffic from HostA to HostB only. In this case, the trace output you get will look something like this:

HostA--> VPN.Concentrator Inside IP --> * ---> HostB

This is because the PIX Inside IP is not allowed to send packets through the tunnel, whereas HostB is...

Try adding PIX Internal IP address also to the encryption domain, then you will get this hop also.

HTH

Regards,

Shijo George.

ciscoakula
Level 1

You got a reasonable answer in the first place. The VPN tunnel encapsulates the original packet and then encrypts it, so there is no way for routers between the VPN tunnel endpoints to see the original packet.

You should be getting normal replies to your traceroute requests from all routers before and after the tunnel, including the VPN tunnel endpoint routers. In the simplest case, one from your gateway and another from the traceroute destination host's gateway.

d-mark
Level 1

Hi,

The setting of the local and remote network in the VPN config can affect this, because only traffic from IP addresses inside these networks goes through the VPN tunnel. So answers to the traceroute from hosts with IP addresses outside these networks won't go through the VPN tunnel.

hth

Mark
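The two effects described in this thread (Richard's point that ICMP errors from routers between the tunnel endpoints are addressed to the endpoint rather than to the tracing host, and Shijo's and Mark's point that replies only come back through the tunnel if their source lies in the encryption domain) can be modelled in a few lines. This is an added illustration, not code from the thread or from any Cisco product; the topology, addresses and network lists are constructed for the example.

```python
"""Model of which hops answer a traceroute across an IPsec tunnel."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Hop:
    name: str
    ip: str
    # "local": before the encrypting endpoint (probe still in the clear)
    # "encrypted": a router between the tunnel endpoints
    # "remote": after decryption, on the far side
    segment: str


# Constructed sample path from HostA (10.1.0.50) to HostB, hypothetical addresses.
PATH = [
    Hop("Concentrator inside", "10.1.0.1", "local"),
    Hop("ISP router A", "203.0.113.10", "encrypted"),
    Hop("ISP router B", "198.51.100.5", "encrypted"),
    Hop("PIX inside", "10.2.0.1", "remote"),
    Hop("HostB", "10.2.0.50", "remote"),
]


def reply_reaches_host_a(hop, remote_domain):
    """Does the ICMP TTL-exceeded (or final reply) from `hop` get back to HostA?"""
    if hop.segment == "local":
        # Probe not yet encrypted: the error is addressed to HostA and routed normally.
        return True
    if hop.segment == "encrypted":
        # Router only sees the outer IPsec header, so its ICMP error goes to
        # the tunnel endpoint (outer source), never to HostA.
        return False
    # Far side: the reply is addressed to HostA but is only encrypted back into
    # the tunnel if its source address is inside the remote encryption domain.
    return any(ip_address(hop.ip) in net for net in remote_domain)


def traceroute(path, remote_domain):
    """Return the hop column as traceroute would print it: an IP or '*'."""
    nets = [ip_network(n) for n in remote_domain]
    return [hop.ip if reply_reaches_host_a(hop, nets) else "*" for hop in path]


if __name__ == "__main__":
    # Network list covering HostB only, then with the PIX inside address added.
    print(traceroute(PATH, ["10.2.0.50/32"]))
    print(traceroute(PATH, ["10.2.0.50/32", "10.2.0.1/32"]))
```

The first run shows the symptom from the original post (only the first and last hops answer); the second shows the PIX inside hop appearing once its address is included in the encryption domain, as Shijo suggested.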
