11-22-2011 06:22 AM - edited 03-11-2019 02:54 PM
The VPN is up and running between Site C and Site A. No problem there.
I can ping 10.2.24.1 from Site A P2P Router.
But I cannot ping from Site B P2P Router. The ping times out.
I have the following routes on 3 routers,
Site A P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3
Site B P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3
Site B Router Gateway: ip route 10.2.24.0 255.255.255.0 172.16.5.3
When I start a ping from the 172.20.3.0/24 network, Site C sees the ping coming from the 172.20.3.0 network and sends out a reply. But I never get a reply and I get a request timed out.
My task is that I should be able to ping Site C from any machine at Site B.
11-22-2011 06:50 AM
Your next hops should be 1 away unless you are running a dynamic routing protocol.
Change:-
Site B P2P Router: ip route 10.2.24.0 255.255.255.0 172.16.5.3 change to
ip route 10.2.24.0 255.255.255.0 172.16.1.5
Site B Router Gateway: ip route 10.2.24.0 255.255.255.0 172.16.5.3 change to
ip route 10.2.24.0 255.255.255.0 172.20.3.2
And ensure the correct IP subnets are part of the interesting traffic acl and the no-nat acl.
HTH
11-22-2011 07:44 AM
I changed the routes to what you suggested, but it's still the same. The ping to the Site C network times out if I do it from a Site B machine.
Any other suggestion?
11-22-2011 07:48 AM
Post the output from a traceroute from the Site B machine. And check to make sure the Site B IP subnet is on the list of interesting traffic for the VPN, and that it is not being double NATted.
11-22-2011 08:15 AM
I cannot do a traceroute because the guy who manages Site C has disabled tracerouting. When I ping Site C from Site B, Site C does see that the packet is coming from Site B and sends out a reply. But I receive a 'request timed out' on Site B. So it seems like the packet gets dropped between Site A P2P router and Site B P2P router.
11-22-2011 08:37 AM
How is that possible - if someone else manages site C, how can you see site C respond? What firewalls terminate the VPN?
11-22-2011 08:41 AM
He said to me that he can see traffic coming from Site B. Both firewalls at Site A and Site C are Cisco ASAs
11-22-2011 08:44 AM
Something does not sound right.
Post the output from the command "show crypto ipsec sa" from both devices, and "show access-list" from both devices.
11-22-2011 01:30 PM
Andrew,
Found the issue. I was missing a route on Firewall Site A to send Site B traffic via the Core Switch at Site A. The Core Switch does the routing. After adding that, everything started working.
Thanks for your help!!!
Pratik
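Added example, not part of the original thread or written by its participants: a small Python model of the static routes discussed above that walks the path in both directions and shows the reply being dropped at the Site A firewall until the return route exists. The prefixes and the next hops 172.16.5.3, 172.16.1.5 and 172.20.3.2 are from the thread; which device owns each address, the addresses 172.16.5.1 and 172.16.1.6, the host 172.20.3.10 and the absence of a default route are assumptions.

```python
import ipaddress

# Constructed tables. Device-to-address mapping is assumed, as are 172.16.5.1
# (core switch) and 172.16.1.6 (Site B end of the P2P link); no default routes modelled.
OWNER = {"172.20.3.2": "siteB_p2p", "172.16.1.5": "siteA_p2p", "172.16.5.3": "siteA_fw",
         "172.16.5.1": "siteA_core", "172.16.1.6": "siteB_p2p"}

def build_tables(fw_has_return_route):
    tables = {
        "siteB_gw":   [("10.2.24.0/24", "172.20.3.2"), ("172.20.3.0/24", "connected")],
        "siteB_p2p":  [("10.2.24.0/24", "172.16.1.5"), ("172.20.3.0/24", "connected")],
        "siteA_p2p":  [("10.2.24.0/24", "172.16.5.3"), ("172.20.3.0/24", "172.16.1.6")],
        "siteA_core": [("10.2.24.0/24", "172.16.5.3"), ("172.20.3.0/24", "172.16.1.5")],
        "siteA_fw":   [("10.2.24.0/24", "connected")],  # stands in for the VPN tunnel to Site C
    }
    if fw_has_return_route:
        # The missing route: send Site B traffic via the core switch.
        tables["siteA_fw"].append(("172.20.3.0/24", "172.16.5.1"))
    return tables

def lookup(table, dst):
    """Longest-prefix match; returns the next hop, 'connected', or None."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(tables, start, dst, max_hops=8):
    """Follow static routes hop by hop; returns (path, delivered)."""
    path, node = [start], start
    for _ in range(max_hops):
        nh = lookup(tables[node], dst)
        if nh is None:
            return path, False      # no route: packet is dropped at this device
        if nh == "connected":
            return path, True
        node = OWNER[nh]
        path.append(node)
    return path, False              # loop guard

def check_both_ways(tables):
    """Forward path (Site B -> Site C) and return path (Site A firewall -> Site B host)."""
    return (trace(tables, "siteB_gw", "10.2.24.1"),
            trace(tables, "siteA_fw", "172.20.3.10"))

if __name__ == "__main__":
    for fixed in (False, True):
        fwd, ret = check_both_ways(build_tables(fixed))
        print("after fix" if fixed else "before fix", "forward:", fwd, "return:", ret)
```

A one-way result like the "before fix" case matches the symptom in the thread: the far end sees the request and replies, but the reply has no route back.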
11-22-2011 01:36 PM
good news