Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1111
Views
5
Helpful
8
Replies

IKE/IPSEC Site to Site VPN can't ping

BButte
Level 1
Level 1

‎11-28-2018 10:58 AM

I've been trying to setup a site to site VPN between two routers and it looks like the tunnel is active but I can't seem to ping from one site to the other. I will admit that I inherited the router configuration at one site (R1) and don't completely understand all of the security settings. I have attached the sanitized configuration from both routers (R1 and R2).

 

I'm trying to ping from a device at 10.129.53.199 connected to R1 to a device at 192.168.42.3 connected to R2 (and visa versa) with not success.

 

Any insight would be appreciated.

Labels:
Preview file
7 KB
Preview file
3 KB
0 Helpful
8 Replies 8

Georg Pauwen
VIP
VIP

‎11-28-2018 11:13 AM

Hello,

 

the first thing I noticed is that you don't have a default route on either router. So, try and configure the below:

 

R1

ip route 0.0.0.0 0.0.0.0 Port-channel1.103

 

R2

ip route 0.0.0.0 0.0.0.0 FastEthernet4

0 Helpful

BButte
Level 1
Level 1
In response to Georg Pauwen

‎11-28-2018 11:48 AM

Georg,

 

Thanks for the suggestion, unfortunately it doesn't seem to have had any effect.

 

Thank you,

Chris

0 Helpful

Georg Pauwen
VIP
VIP
In response to BButte

‎11-28-2018 11:56 AM

Hello,

 

to be honest, the addressing looks odd, as you are NATting to private addresses. Either way, assuming that is ok, I think you are missing access list 102 (the access list matched in the crypto map) on R1. So on R1, configure:

 

access-list 102 permit ip 10.129.53.0 0.0.0.255 192.168.42.0 0.0.0.255

 

That said, you also have 10.129.52.0/24 on R1, does that need to be reachable as well ?

0 Helpful

BButte
Level 1
Level 1
In response to Georg Pauwen

‎11-28-2018 12:06 PM

I swapped our real public external IP addresses with those private IP addresses for anonymity.

I've added the access list an there has been no change.

I'm really only setting up communication with the 1 VLAN on R1.

 

Thanks

0 Helpful

Georg Pauwen
VIP
VIP
In response to BButte

‎11-28-2018 12:23 PM

Hello,

 

if possible, take the 'zone member' command off the interfaces to check if the Zone Based Firewall is causing this...

BButte
Level 1
Level 1
In response to Georg Pauwen

‎11-28-2018 05:08 PM

I had to wait until the end of the day so as not to interrupt users at the R1 site but removing the zone based security from the port channels had no effect on the ability to ping between sites.

 

I really do appreciate your help thus far.

Thank you.

0 Helpful

Alex Pfeil
Level 7
Level 7
In response to BButte

‎11-29-2018 05:55 AM

Can you ping between the public WAN IP addresses?

Do you have a route to 192.168.42.0 0.0.0.255 on R1 and a route to 10.129.53.0 0.0.0.255 on R2.  The routes should be pointed out the WAN interface.

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Alex Pfeil

‎11-29-2018 06:59 AM

Chris

 

It is not clear to me whether the problem has to do with getting the vpn tunnel working or has to do with controlling traffic going through the tunnel. Can you post the output of show crypto ipsec sa (preferable from both routers)? This will help point us in the right direction.

 

HTH

 

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card