ISP - Migrated But I cannot get Ping

vipinrajrc
Level 3

Hi Experts,

Recently I migrated our client's ISP. We have a site-to-site VPN between the client's office and our office. We are monitoring the client's network using SolarWinds NPM. The client's connection runs from an ASA --> Internet --> our ASA. The IP which was provided by the ISP was blacklisted. After assigning the IP address the tunnel is established. But we were not able to ping the internal LAN IP address of the ASA, so the ASA seems to be down in the monitoring tool. But we can access the servers behind this ASA using remote desktop.

Is this problem due to the blacklisted IP address? Could anyone give me an answer?

Regards,

Vipin

Thanks and Regards, Vipin
8 Replies 8

andrew.prince
Level 10

You should not be able to ping any interface on the ASA over the VPN - this is correct.

HTH

Hi,

Orion NPM should be able to ping/pull the information from remote ASA. I guess Orion NPM uses both ICMP & SNMP for management.

Do you have the command 'management-access ' (INSIDE: Name of the ASA inside interface) configured on remote end ASA?

hth

MS

mvsheik123 wrote:

Hi,

Orion NPM should be able to ping/pull the information from remote ASA. I guess Orion NPM uses both ICMP & SNMP for management.

Do you have the command 'management-access ' (INSIDE: Name of the ASA inside interface) configured on remote end ASA?

hth

MS

Hi,

I already configured "management-access" with one of the inside interfaces.

I have one doubt... The IP we configured on the outside interface is blacklisted. Can this be the issue?

Regards,

Vipin

Thanks and Regards, Vipin

Hello,

You are trying to reach the LAN interface of the ASA, which I guess is a private IP address. Can you 'ping' a client IP behind the ASA from the NPM server? Also, make sure your ACLs are correct on both ASAs. For Orion NPM to communicate (green in NPM ;-)) ...

NPM--> remote end ASA : icmp echo & UDP 161

ASA --> NPM : icmp echo-reply & UDP 162.

One way you can troubleshoot this issue: enable 'debug icmp trace' while pinging the ASA and check where the packets are being dropped.

hth

MS

edit: In addition to the above, if the ASA IOS version is 7.1.x (hard to see ASAs ship with that now), it may be a bug. I had a similar issue a couple of years back and TAC confirmed it's a bug in IOS with the older version.
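The settings this reply lists, put together as a configuration sketch for the remote-end ASA. This is an added example, not configuration posted by anyone in the thread; the addresses, the ACL name and the community string are constructed placeholders.

```cisco
! Remote-end ASA (7.x syntax). Constructed values, all assumptions:
!   10.10.10.50       SolarWinds NPM server at the monitoring site
!   192.168.50.0/24   LAN behind the remote ASA; inside interface is 192.168.50.1
!   VPN_TRAFFIC       name of the crypto ACL; <COMMUNITY> is a placeholder

! Let traffic that arrives through the tunnel terminate on the inside interface.
management-access inside

! NPM --> ASA: ICMP echo to the inside interface.
! Once any "icmp permit" rule exists for an interface, all other ICMP to that
! interface is implicitly denied, so list every source that must still ping it.
icmp permit host 10.10.10.50 echo inside

! NPM --> ASA: SNMP polls on UDP 161; ASA --> NPM: traps on UDP 162.
snmp-server host inside 10.10.10.50 community <COMMUNITY>

! The crypto ACL has to cover NPM <--> inside network, which includes
! 192.168.50.1; the peer ASA needs the mirror-image entry.
access-list VPN_TRAFFIC extended permit ip 192.168.50.0 255.255.255.0 host 10.10.10.50

! Checks, run on the remote ASA while NPM pings 192.168.50.1:
!   show management-access      (should report the inside interface)
!   show crypto ipsec sa        (encaps and decaps counters should both increase)
!   debug icmp trace            (look for the echo request and the echo reply)
```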

mvsheik123 wrote:

Hello,

You are trying to reach the LAN interface of the ASA, which I guess is a private IP address. Can you 'ping' a client IP behind the ASA from the NPM server? Also, make sure your ACLs are correct on both ASAs. For Orion NPM to communicate (green in NPM ;-)) ...

NPM--> remote end ASA : icmp echo & UDP 161

ASA --> NPM : icmp echo-reply & UDP 162.

One way you can troubleshoot this issue: enable 'debug icmp trace' while pinging the ASA and check where the packets are being dropped.

hth

MS

edit: In addition to the above, if the ASA IOS version is 7.1.x (hard to see ASAs ship with that now), it may be a bug. I had a similar issue a couple of years back and TAC confirmed it's a bug in IOS with the older version.

Hi,

I was able to ping the private address of this ASA before the migration. After the migration, even though the VPN tunnel is up, this issue is still there.

We are managing the servers behind this ASA. We are able to ping and RDP to those servers successfully, but we still can't ping the interface of that ASA. We enabled echo and echo-reply on this interface, still no luck. We tried "debug icmp trace". It is showing built-in ICMP connection...

After that, tear-down ICMP connection.

No idea what the issue is.

ASA software version is 7.0.8

Anyone, please suggest your ideas about this issue.

Thanks&Regards

Vipin

Thanks and Regards, Vipin

esomarriba
Level 5

Hi vipin,

The blacklisted IP address has nothing to do with your current issue. SolarWinds will try to use ICMP / SNMP, make sure you have the correct IP address facing the NCM.

Remember to include the SolarWinds server IP address to any access-list that you have on the way. Source using the tunnel interface that you have and check.

HTH,

Elyinn.-

Hi,

If possible, post the related config from the ASA and the other end node (VPN peer). Also, look for any bugs in 7.0. It's pretty old. I would upgrade it to min 7.2(4).

(That's the code I upgraded to from 7.1.x on one of our ASAs, and NPM is successfully monitoring the node via the L2L tunnel.)

I know monitoring was working fine before migration, but you never know ;-).

hth

MS

Since the monitoring was working before the VPN endpoint IP address was changed, and there aren't any configuration changes other than the IP address, I would either:

1> Issue clear local-host

2> Reboot the ASA.

Both will drop/clear the existing old flows that are built in the ASA with the old endpoint IPs.

Please make sure that you have downtime available even for issuing the "clear local" command, as this will clear all entries on the ASA.

Manish