Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
969
Views
0
Helpful
2
Replies

Not able to ping ASA standby interface over l2l VPN

ppejjorgensen
Level 1
Level 1

‎10-22-2013 07:09 AM - edited ‎03-11-2019 07:54 PM

Hi

I have a pair of ASA's 5525-X in an active/standby setup on a remote office location. I wish to monitor the inside interfaces on this devices. From the head office I have an l2l IPsec tunnel to the remote site from another ASA firewall. From a host on my head office network I'm able to ping the inside ip interface on the active 5525-X, but I'm not able to ping the inside interface on the standby unit. With packet tracer I can see that the ICMP echo request packet is leaving the active unit's inside interface and also see that this packet arriving on the standby unit inside interface. But I never see an echo reply from the standby unit - on any interfaces.

I’m also able to ping other hosts on the remote office lan.

Ping from host PC in head office:

C:\Users\zen>ping 10.0.60.1

Pinging 10.0.60.1 with 32 bytes of data:

Reply from 10.0.60.1: bytes=32 time=24ms TTL=248

Reply from 10.0.60.1: bytes=32 time=23ms TTL=248

Reply from 10.0.60.1: bytes=32 time=28ms TTL=248

Reply from 10.0.60.1: bytes=32 time=28ms TTL=248

Ping statistics for 10.0.60.1:

   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

   Minimum = 23ms, Maximum = 28ms, Average = 25ms

C:\Users\zen>ping 10.0.60.2

Pinging 10.0.60.2 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 10.0.60.2:

   Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

ASA inside interface config:

interface Port-channel20

  nameif inside

  security-level 100

  ip address 10.0.60.1 255.255.255.0 standby 10.0.60.2

No NAT for VPN traffic:

nat (inside,outside) source static obj-10.0.60.0 obj-10.0.60.0 destination static obj-192.168.200.0 obj-192.168.200.0 no-proxy-arp route-lookup

Packet trace on ASA standby unit:

ASA/sec/stby# sh capture

capture egress type raw-data packet-length 1522 [Capturing - 0 bytes]

match icmp host 10.0.60.2 any

capture ingress type raw-data packet-length 1522 interface inside [Capturing - 180 bytes]

match icmp any host 10.0.60.2

ASA/sec/stby# sh capture ingress

5 packets captured

   1: 15:30:05.675090       192.168.200.23 > 10.0.60.2: icmp: echo request

   2: 15:30:10.682703       192.168.200.23 > 10.0.60.2: icmp: echo request

   3: 15:30:15.674922       192.168.200.23 > 10.0.60.2: icmp: echo request

   4: 15:30:20.682398       192.168.200.23 > 10.0.60.2: icmp: echo request

5 packets shown

ASA/sec/stby#

The ASA's is running Cisco Adaptive Security Appliance Software Version 9.1(1)

Thank You

/Peter

Labels:
0 Helpful
2 Replies 2

andduart
Level 1
Level 1

‎10-22-2013 01:37 PM

Hi,

What about translating the traffic on the local ASA (Active unit) for traffic received from the VPN tunnel to the internal interface IP address? You can try something like nat (outside,inside) source dynamic obj-VpnRemoteTraffic interface destination static StandbyIP StandbyIP

Regards,

0 Helpful

Tahir Sultanov
Level 1
Level 1

‎05-03-2016 11:35 AM

Were you able to resolve the issue?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card