Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1577
Views
0
Helpful
3
Replies

Unable to ping internal subnet ip addresses from spoke. Crypto ISAKMP & EIGRP tunnel formed

Faisal syed
Level 1
Level 1

‎01-17-2013 07:37 PM - edited ‎03-04-2019 06:44 PM

We are in the process of implementing DMVPN hub and spoke solution. 

We have configured a hub and are now trying to connect a remote spoke between client’s remote locations.  The client has a Verizon router in front of the spoke.  Somehow I am not able to ping the hub's internal network.  I am able to ping hub's internal interface.  EIGRP neighbor adjacency between hub and spoke is there.  I checked Crypto ISAKMP is there.  I can see all the internal routes of the hub on the spoke.  On the other hand, when I connected the spoke from my home network to the hub, just for testing purposes, everything is working fine.  When I took the spoke to the remote location and plugged it in front of the Verison DSL modem and router,   I don't know why I am not able to ping internal network.  I suspect that Verison has blocked VPN ports.  Any ideas?

Thanks,

Fsl

Labels:
0 Helpful
3 Replies 3

shamax_1983
Level 3
Level 3

‎01-17-2013 08:21 PM

Hi Faizal,

Are you NAT'ing on the ADSL routers for VPN ports for the DMVPN Spokes? Or do you have a routed public IP configured on the DMVPN spoke?

Shamal

Sent from Cisco Technical Support iPhone App

0 Helpful

Faisal syed
Level 1
Level 1
In response to shamax_1983

‎01-18-2013 08:30 AM

No I am getting spoke external interface ip from verison modem+router . Which is 192.168.1.X. I put this ip address to the DMZ zone that won't fix the problem either.

0 Helpful

paul driver
VIP
VIP
In response to Faisal syed

‎01-18-2013 09:15 AM

Hello Fasal,

can you post your config - especially your crypto stuff.

Are you using crypto maps or VTI ( tunnel protection)
Can you test if you  have connection when you take off the ipsec config so basically then your not encrypting the traffic

( require both sides )

if crypto maps is the network to be encrypted specified?

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card