Problem with ping to router LAN interface

Hi everybody,

I have one problem doing a ping to a router LAN interface.

I have 3 routers (2801) connected to each other (separated by 1 mile each). The link is established through microwave signals (connected to the 2801 Fast Ethernet interfaces), and every router has a connection to a LAN. One of them is located at headquarters.

Last Thursday I replaced one of the routers with a Cisco 2901. I configured the router with the same configuration that was on the 2801, I powered up the router, and the 2 links were up without problems.

One day later the NOC called me to tell me that after I replaced the router they can't ping the router's LAN interface IP on the new 2901 (before the replacement the ping was successful). I called one user on the LAN connected to that 2901, and they can ping the router's LAN IP address.

I can ping the 2901's WAN interface IPs and I can ping the LAN users' IP addresses, but I cannot ping the router's LAN IP address from my desktop, and neither can the 2 2801 routers connected to the 2901.

I show the configuration of the 2901 below. I couldn't change it because I didn't have time to do that, but I'll change the configuration to use IPsec tunnels.

The configuration, as you can see, has a crypto map, but the ACL used by the crypto map only permits the interfaces' IP addresses, so I think that doesn't work and the traffic doesn't get encrypted, but I don't know if that is the reason why I can't ping the LAN interface.

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 FgOYfLODWITGef`XfRghYLQaFgXShOEMf``SAAB address
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to10.10.10.2
set peer
set transform-set ESP-3DES-SHA1
match address 101
interface Tunnel1
ip address
ip mtu 1420
tunnel source GigabitEthernet0/1
tunnel destination
tunnel path-mtu-discovery
crypto map SDM_CMAP_2

interface GigabitEthernet0/0
ip address
description "Lan interface"

interface GigabitEthernet0/1
ip address
duplex auto
speed auto
crypto map SDM_CMAP_2

access-list 101 remark SDM_ACL Category=4
access-list 101 permit gre host host

router eigrp 100






The router has the same configuration.

Any ideas? I know this configuration has some errors, but I didn't configure it, and for now I could not change it.


Juan Pablo

Dejan Puhar
Cisco Employee

Hi Juan,

Did you try to ping from this router to any of the 2801s, specifying the local LAN interface as the source?

What about when you do a traceroute from a 2801 to this LAN?

Maybe you have some ARP entry stuck on one of the devices with a wrong entry. I am not sure what you have in between.



Level 2

Reboot the switch connecting to the router LAN interface and clear the ARP cache of the system from which you are trying to ping the LAN interface. It looks like the ping at Layer 2 is still searching for the MAC address of the previous router's LAN interface.

Level 4

What about network traffic between sites? Is it going through, or failing the same as the pings?


Thanks for your replies,

About your questions and suggestions:

I can't ping from the LAN/WAN interface on the other router.

The sites are forwarding traffic between them, and I can ping a desktop on the LAN interface (example:

The desktops connected to the router LAN interface ( are able to ping that IP address, so rebooting the switch is not going to solve the problem; the problem is from the WAN side.

Let's say that the router with the problem is R3, so R1 and R2 are the other routers. If I do the traceroute from a desktop connected to the R1 LAN, it stays on R1 (it displays its IP address), but that's it. The routes in the routing table are correct.

I even debugged ICMP on R3, but I got nothing, so I think maybe the problem is an ARP entry or ACL in the microwave equipment, which are bridges/routers.

If you have any other advice, I'd appreciate it.


Maybe configure an ACL to reply to pings on R3, R1, and R2 just for testing purposes.

Example for R3:

access-list 101 permit icmp any any echo-reply

and apply it to the WAN interface, out.

Hope this helps

