Unable to ping the Remote IP across IPSEC

mahesh18
Level 6

Hi Everyone,

IPSEC tunnel is established between Cisco and Palo Alto.

From the Palo Alto I can ping the remote IP of the Cisco ASA, but from the Cisco ASA I cannot ping the remote IP of the Palo Alto.

Logs from ASA

Feb 28 2016 13:40:22: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:24: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:27: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:29: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:32: %ASA-6-302020: Built outbound ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1
Feb 28 2016 13:40:34: %ASA-6-302021: Teardown ICMP connection for faddr 172.16.0.2/0 gaddr 10.0.0.11/1 laddr 10.0.0.11/1


pri/act/ASA1# show crypto ipsec sa
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 68.145.154.173

access-list VPN-INTERESTING-TRAFFIC extended permit ip 10.0.0.0 255.255.255.0 172.16.0.0 255.255.255.0 log
local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 184.71.241.62

#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 144, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 68.145.154.173/0, remote crypto endpt.: 184.71.241.62/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: A92FD619
current inbound spi : F5573103

inbound esp sas:
spi: 0xF5573103 (4116132099)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3915000/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xA92FD619 (2838484505)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
slot: 0, conn_id: 1323008, crypto-map: CRYPTO-MAP
sa timing: remaining key lifetime (kB/sec): (3914991/85660)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Logs from the Palo Alto, where the ping to the remote Cisco IP is working:

64 bytes from 10.0.0.4: icmp_seq=131 ttl=255 time=21.7 ms
64 bytes from 10.0.0.4: icmp_seq=132 ttl=255 time=18.7 ms
64 bytes from 10.0.0.4: icmp_seq=133 ttl=255 time=17.9 ms
64 bytes from 10.0.0.4: icmp_seq=134 ttl=255 time=21.0 ms
^C
--- 10.0.0.4 ping statistics ---
134 packets transmitted, 134 received, 0% packet loss, time 134401ms
rtt min/avg/max/mdev = 17.354/20.349/33.935/2.623 ms
admin@Palo_alto_test


9 Replies

Philip D'Ath
VIP Alumni

As the outside IP address of the ASA is not in the encryption domain, you won't be able to do this.  You'll need to test this with a machine behind the ASA.

I am testing on a machine behind the ASA.

These are your stats:

#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

It says you are sending and encrypting packets, but not receiving anything back.

I am checking the other side now.

Hi Phil,

Do I need to specify on the ASA a static route for the remote subnet across the tunnel?

Regards

Mahesh

No.  You just need an existing route (such as the default route) pointing to the outside interface.

I have that default route.

Seems traffic is coming to Palo Alto but not going back to ASA.

Regards

Mahesh

As I mentioned in your other question, the issue is on the Palo Alto side as the configuration on the ASA looks fine.  Have you checked the routes on the Palo Alto?  I think the VPN is terminating on one of the Palo Alto interfaces while traffic to the 10.0.0.0/24 is being sent out a different interface and therefore not being encrypted.

Have a look at the following article and check against your configuration

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/ConfigurationArticles/319/1/IPSec-Interoperability-CiscoASA.pdf

--

Please remember to select a correct answer and rate helpful posts

The issue was that the Palo Alto did not have a rule to allow VPN traffic to the inside zone.

All is good now

Regards

Mahesh
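As an added example (not code from this thread or from either vendor), the following Python checker automates the reading Philip gave of the `show crypto ipsec sa` counters (encaps 144, decaps 0) and attaches the checks the thread actually ended on: the peer's route for the local subnet and the peer's security policy from the VPN zone into the inside zone. The sample text is a constructed excerpt of the ASA output posted above; the verdict labels ("outbound-only" and so on) and the `next_checks` wording are this example's own conventions, not ASA or PAN-OS output.

```python
import re

# Constructed sample: the ident and counter lines from the ASA output in
# the thread, trimmed to what the checker needs.
SAMPLE_SA_OUTPUT = """\
interface: outside
Crypto map tag: CRYPTO-MAP, seq num: 1, local addr: 68.145.154.173

local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 184.71.241.62

#pkts encaps: 144, #pkts encrypt: 144, #pkts digest: 144
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#send errors: 0, #recv errors: 0
"""

# "#pkts encaps: 144" -> ("pkts encaps", 144); names may contain spaces or hyphens.
COUNTER_RE = re.compile(r"#(?P<name>[A-Za-z -]+?): (?P<value>\d+)")
# "local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)"
IDENT_RE = re.compile(
    r"(?P<side>local|remote) ident \(addr/mask/prot/port\): "
    r"\((?P<addr>[^/]+)/(?P<mask>[^/]+)/"
)


def parse_counters(text: str) -> dict:
    """Return {counter name: value} for every '#name: N' field in the dump."""
    return {m["name"].strip(): int(m["value"]) for m in COUNTER_RE.finditer(text)}


def parse_idents(text: str) -> dict:
    """Return {'local': 'addr/mask', 'remote': 'addr/mask'} for the proxy IDs."""
    return {m["side"]: f"{m['addr']}/{m['mask']}" for m in IDENT_RE.finditer(text)}


def classify(counters: dict) -> str:
    """Classify the SA from its packet counters.

    encaps counts packets this ASA encrypted and sent to the peer; decaps
    counts packets received from the peer and decrypted.  The verdict
    strings are labels defined by this example.
    """
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc > 0 and dec == 0:
        return "outbound-only"
    if enc == 0 and dec > 0:
        return "inbound-only"
    return "bidirectional"


def next_checks(verdict: str, idents: dict) -> list:
    """Map a verdict to the things worth checking next (wording is this example's)."""
    local = idents.get("local", "<local subnet>")
    remote = idents.get("remote", "<remote subnet>")
    if verdict == "outbound-only":
        # We encrypt and send; nothing ever comes back.  Our side is fine;
        # the peer is either not routing the reply into the tunnel or is
        # dropping our traffic before a reply is generated.
        return [
            f"peer: route for {local} must point at the tunnel interface",
            f"peer: security policy must allow VPN zone -> inside zone for {local} -> {remote}",
            "peer: compare its own decaps/encaps counters to see which of the two it is",
        ]
    if verdict == "inbound-only":
        return [
            f"local: route and crypto ACL for {remote} must send traffic out the tunnel interface",
            f"local: policy must allow {remote} -> {local} and the reply back",
        ]
    if verdict == "no-traffic":
        return [
            "local: nothing matched the crypto ACL; check interesting-traffic ACL and route to the outside interface",
        ]
    if verdict == "errors":
        return ["inspect send/recv error counters and the peer's SA state before anything else"]
    return []


if __name__ == "__main__":
    counters = parse_counters(SAMPLE_SA_OUTPUT)
    idents = parse_idents(SAMPLE_SA_OUTPUT)
    verdict = classify(counters)
    print(f"encaps={counters.get('pkts encaps')} decaps={counters.get('pkts decaps')} -> {verdict}")
    for item in next_checks(verdict, idents):
        print(" -", item)
```

Run it against a pasted `show crypto ipsec sa` block; for the counters in this thread it reports "outbound-only" and lists the peer-side route and policy checks, which is exactly the path the thread took to the missing VPN-to-inside rule.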
