Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new blog
366
Views
0
Helpful
1
Comments

Pass ICMP across L2L VPN

Christine_Lane
Level 1
Level 1
‎05-09-2016 05:37 PM

Hi All.

I am attempting to set up a L2L IPsec tunnel in a lab environment to isolate some problems that a client is having with his production network.

I want to be able to ping back and forth between the two sites so that I can determine when the link fails.  I am able to successfully ping from host A (behind ASA #1) to host B (behind ASA #2) but cannot successfully ping in the other direction (from host B to host A).

I ran debug ICMP and I can see ping requests coming in to ASA 1 but there is no return traffic.

I then ran packet-tracer and it shows a drop on phase 7 (Type VPN).  It says that it was dropped by a configured rule but gives no indication what ACE, let alone what ACL is blocking.

How can I determine how to fix the issue so that I can ping back and forth and conduct my tests?

I've attached a copy of the configs, along with the output of packet-tracer, and the one marked 'Hub' is the one having the issue.

Thanks.

vpn.zip
Labels:
Preview file
3 KB
vpn.zip
0 Helpful
1 Comment
Aditya Ganjoo
Cisco Employee
Cisco Employee
‎05-09-2016 05:46 PM
‎05-09-2016 05:46 PM

Hi Christine,

Can you check if the traffic reaches the host A from host B ?

Just use Wireshark on the adapter and you would be able to find it ?

Regards,

Aditya

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Popular Articles
Customers Also Viewed These Support Documents