Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
38091
Views
0
Helpful
11
Replies

Error 713201: Duplicate Phase packet detected

Go to solution
kathy-kat
Level 1
Level 1

‎02-28-2011 02:02 PM

Hello Everyone!!!

I have a little problem with a Easy VPN, this is the topology:

One router 2811: This is the Easy-client (Who has a ip address by dhcp)

One ASA 5540: This is the Easy-server

The configuration on router is like this:

crypto ipsec client ezvpn Router-Miranda-VPN
connect auto
group VPN-MIRANDA key cisco123
mode network-extension
peer 192.168.1.0
username Router-Miranda password Router123

  xauth userid mode local

interface FastEthernet0/0
description Conexion WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN

interface FastEthernet0/1
description LAN-Miranda
ip address 10.50.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN inside

And this is the config on ASA:

crypto isakmp enable Outside
name 10.50.15.0 VPN-MIRANDA description SEGMENTO MIRANDA
asdm location 10.50.15.0 255.255.255.0 Inside
access-list nonat line 2 extended permit ip 10.50.15.0 255.255.255.0 10.50.15.0 255.255.255.0
username Router-Miranda password Router123 encrypted privilege 0
username Router-Miranda attributes
  vpn-group-policy VPN-MIRANDA
ip local pool POOL-MIRANDA 10.50.15.10-10.50.15.254 mask 255.255.255.0
group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
  address-pool  POOL-MIRANDA
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface  Outside

The router is trying to establish the connection, this messages appears:

Feb 28 22:05:49.282: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPN-MIRANDA  Client_public_addr=190.36.240.57  Server_public_addr=192.168.1.0

Seems that the router attempts to establish the connection, but for some reason it falls, this is the answer for this commands:

Router-Miranda#sh crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.
68    190.36.240.57   192.168.1.0            ACTIVE                2  0           
       Connection-id:Engine-id =  68:1(software)
67    190.36.240.57   192.168.1.0            ACTIVE                2  0           
       Connection-id:Engine-id =  67:1(software) (deleted)

And in the ASA appears the next message:

713201

Error Message    %ASA-5-713201: Duplicate Phase Phase packet detected. Action

Explanation   The security appliance has received a duplicate of a previous Phase 1 or Phase 2 packet, and will transmit the last message. This message could indicate a network performance or connectivity issue where the peer is not receving sent packets in a timely manner.

Phase—Phase 1 or 2

Action—Retransmitting last packet, or No last packet to transmit.

Recommended Action   Verify network performance or connectivity.

Any idea that could be happen on this devices??

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-02-2011 02:47 PM

Very good, we are moving a step closer.

On the ASA, your split tunnel access-list is extended ACL, please change it to standard ACL as follows:

no access-list Tunnel_Miranda permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
access-list Tunnel_Miranda standard permit 192.168.0.0 255.255.0.0

You mention that you can't access the server. Can you enable the following:

management-access Inside

and check if you can ping the ASA Inside interface ip address after the above command is added.

If you can, then it doesn't seem to be a configuration issue. You might want to check if the server has any firewall enabled that might be blocking inbound connection from  different subnets. See if you can access anything else within the same subnet.

Lastly, please share the output of:

show cry ipsec sa

View solution in original post

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-09-2011 04:40 PM

Yes, you can only ping by sourcing the ping from the LAN interface because that is what is supposed to be encrypted through the tunnel, ie: between LAN subnet to LAN subnet. If you just ping straight out from the router, the ping will be sourced from the router external interface, hence ping will fail which is correct behaviour.

Base on your explaination, you can access some hosts but not some others that are in the same LAN. This straight away point me to believe that it has nothing to do with configuration nor VPN on both the ASA and router. Because everything is setup between LAN to LAN subnets, so if you can access just 1 ip address within that subnet, you should be able to access everything else on that subnet.

I would actually check the server itself and see if there is anything that might prevent the access. A few things to check on the server:

- correct default gateway (ie: the same default gateway as other host that works)

- firewall that is not blocking inbound connection from different subnet

View solution in original post

0 Helpful
11 Replies 11

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎03-01-2011 03:34 AM

Firstly, you can't have the same subnet behind the ASA as well as  behind the Easy VPN Client, plus having the IP Pool also in the same  subnet. This is totally incorrect.

ASA LAN needs to be  in a different subnet than the Easy VPN Client LAN, plus separate subnet  for the IP Pool. However, since you are configuring NEM mode, then IP  Pool is not used.

Then you would need to modify your NAT exemption to say:

access-list nonat extended permit ip

Then the peer ip address under the router configuration should be the ASA outside ip address:

crypto ipsec client ezvpn Router-Miranda-VPN
     peer 192.168.1.0

If it's still not working, please kindly share the output of the following debugs:

debug cry isa

debug cry ipsec

0 Helpful

Go to solution
kathy-kat
Level 1
Level 1
In response to Jennifer Halim

‎03-01-2011 08:38 AM

Thanks Jennifer for your answer!!

That´s correct I had to edit the access-list nonat extended permit ip 192.168.1.0 255.255.0.0 10.50.15.0 255.255.255.0 and I deleted the ip addrees´s pool VPN.

The configuration on ASA is this:

crypto isakmp enable Outside
name 10.50.15.0 VPN-MIRANDA description SEGMENTO MIRANDA
access-list nonat line 2 extended permit ip 192.168.0.0 255.255.0.0.0 10.50.15.0 255.255.255.0
username Router-Miranda password PbIWLu/jIlsM4bD3 encrypted privilege 0
username Router-Miranda attributes
  vpn-group-policy VPN-MIRANDA

group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key **********
crypto isakmp policy 10 authen pre-share
crypto isakmp policy 10 encrypt 3des
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set  ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface  Outside

Referent to the ip address for the peer is an outside´s ip address, but I do not want put the right address for security. I captured the output from debug:

There is debug from crypto ipsec

Mar  1 16:19:35.678: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 16:19:35.678: IPSEC(key_engine): got a queue event with 1 kei messages

There is debug from crypto isakmp

Mar  1 16:15:35.470: ISAKMP:(0:33:SW:1):purging SA., sa=4694BE00, delme=4694BE00
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):peer does not do paranoid keepalives.

*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 190.119.128.103)
*Mar  1 16:15:35.510: %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Client)  User=  Group=VPN-MIRANDA  Client_public_addr=190.78.245.19  Server_public_addr=190.119.128.103

*Mar  1 16:15:35.510: ISAKMP:isadb_key_addr_delete: no key for address 190.119.128.103  (NULL root)
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):deleting SA reason "Death by retransmission P1" state (I) AG_INIT_EXCH (peer 190.119.128.103)
*Mar  1 16:15:35.510: ISAKMP: Unlocking IKE struct 0x4682E100 for isadb_mark_sa_deleted(), count 0
*Mar  1 16:15:35.510: ISAKMP: Deleting peer node by peer_reap for 190.119.128.103: 4682E100
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 16:15:35.510: ISAKMP:(0:34:SW:1):Old State = IKE_I_AM1  New State = IKE_DEST_SA

*Mar  1 16:15:35.510: ISAKMP: Created a peer struct for 190.119.128.103, peer port 500
*Mar  1 16:15:35.510: del_node src 190.78.245.19:500 dst 190.119.128.103:500 fvrf 0x0, ivrf 0x0
*Mar  1 16:15:35.514: ISAKMP:(0:34:SW:1):peer does not do paranoid keepalives.

*Mar  1 16:15:35.514: ISAKMP: received ke message (1/1)
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
*Mar  1 16:15:35.514: ISAKMP: Found a peer struct for 190.119.128.103, peer port 500
*Mar  1 16:15:35.514: ISAKMP: Locking peer struct 0x4682E100, IKE refcount 1 for isakmp_initiator
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0):Setting client config settings 467F44F8
*Mar  1 16:15:35.514: ISAKMP: local port 500, remote port 500
*Mar  1 16:15:35.514: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 4694BE00
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): client mode configured.
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-07 ID
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-03 ID
*Mar  1 16:15:35.514: ISAKMP:(0:0:N/A:0): constructed NAT-T vendor-02 ID
*Mar  1 16:15:35.554: ISKAMP: growing send buffer from 1024 to 3072
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):SA is doing pre-shared key authentication plus XAUTH using id type ID_KEY_ID
*Mar  1 16:15:35.554: ISAKMP (0:134217763): ID payload
        next-payload : 13
        type         : 11
        group id     : VPN-MIRANDA
        protocol     : 17
        port         : 0
        length       : 19
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Total payload length: 19
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_AM
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1):Old State = IKE_READY  New State = IKE_I_AM1

*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): beginning Aggressive Mode exchange
*Mar  1 16:15:35.554: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH...
*Mar  1 16:15:45.558: ISAKMP (0:134217763): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): retransmitting phase 1 AG_INIT_EXCH
*Mar  1 16:15:45.558: ISAKMP:(0:35:SW:1): sending packet to 190.119.128.103 my_port 500 peer_port 500 (I) AG_INIT_EXCH

Thanks,

KC

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-01-2011 11:19 PM

Can you try with removing the following line:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  pfs group2

Also this line has way too many policies:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set   ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5  ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA  ESP-DES-MD5

Can you please change it to:

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set  transform-set ESP-3DES-SHA

So phase 1 is up, however, phase 2 seems to be stuck.

0 Helpful

Go to solution
kathy-kat
Level 1
Level 1
In response to Jennifer Halim

‎03-02-2011 10:23 AM

Thanks Jennifer!!

Finally my VPN is active!! The problem was the firewall of my ISP on router. I made some changes in the config on my Easy Client VPN and my Easy Server VPN.

Here the leyend:

ASA LAN (192.168.0.1/16)

Router Remote LAN (10.50.15.0/24)

There is:

ASA (Easy VPN Server)

crypto isakmp enable Outside

crypto isakmp policy 10
 authen pre-share
 encrypt 3des
 sha
 group 2
 lifetime 86400

sysopt connection permit-vpn


username cisco123 password cisco123 privilege 0
username cisco123 attributes
  password-storage enable
  vpn-group-policy VPN-MIRANDA

group-policy VPN-MIRANDA internal
group-policy VPN-MIRANDA attributes
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Tunnel_Miranda
  nem enable



access-list Tunnel_Miranda permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
 
nat (Inside) 0 nonat

tunnel-group VPN-MIRANDA type remote-access
tunnel-group VPN-MIRANDA general-attributes
  default-group-policy VPN-MIRANDA
  
tunnel-group VPN-MIRANDA ipsec-attributes
  pre-shared-key Cisco1234

crypto ipsec transform-set Miranda-VPN esp-3des esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-256 esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-des esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-des esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-192 esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-3des esp-md5-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-256 esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes-192 esp-sha-hmac
crypto ipsec transform-set Miranda-VPN esp-aes esp-md5-hmac


crypto dynamic-map conexion-miranda-vpn 65535 set reverse-route
crypto dynamic-map conexion-miranda-vpn 65535 set transform-set Miranda-VPN 

crypto map conexion-miranda 65535 ipsec-isakmp dynamic conexion-miranda-vpn
crypto map conexion-miranda interface  Outside

And the config in my client is:

crypto ipsec client ezvpn Router-Miranda-VPN
connect auto
group VPN-MIRANDA key Cisco1234
local-address FastEthernet0/0
mode network-extension
peer 190.202.84.32
username cisco123 password cisco123

xauth userid mode local

nterface FastEthernet0/0
description Conexion WAN
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN

interface FastEthernet0/1
description LAN-Miranda
ip address 10.50.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
crypto ipsec client ezvpn Router-Miranda-VPN inside

ip route 192.168.0.0 255.255.0.0 FastEthernet0/0

ip nat inside source list nonat interface FastEthernet0/0 overload

ip access-list extended nonat
deny   ip 10.50.15.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip any any

The remote can access to Internet with a VPN Connection and without that, the problem that we have is that the two networks can not access, i mean, the PC on Router´s Netwoork does not see any server in ASA´s networks.

But I can see the tunnel active with teh command sho crypto session on my router and show crypto isakmp on my ASA.

Regards,

KC

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-02-2011 02:47 PM

Very good, we are moving a step closer.

On the ASA, your split tunnel access-list is extended ACL, please change it to standard ACL as follows:

no access-list Tunnel_Miranda permit ip 192.168.0.0 255.255.0.0 10.50.15.0 255.255.255.0
access-list Tunnel_Miranda standard permit 192.168.0.0 255.255.0.0

You mention that you can't access the server. Can you enable the following:

management-access Inside

and check if you can ping the ASA Inside interface ip address after the above command is added.

If you can, then it doesn't seem to be a configuration issue. You might want to check if the server has any firewall enabled that might be blocking inbound connection from  different subnets. See if you can access anything else within the same subnet.

Lastly, please share the output of:

show cry ipsec sa

0 Helpful

Go to solution
kathy-kat
Level 1
Level 1
In response to Jennifer Halim

‎03-04-2011 08:07 AM

Thanks Jennifer!!

Your advise work for me!! I made the change in the access -list and then I enable the management-access Inside, and finally i can see traffic between both networks.

But, I can see some host and servers, the others not. That could be a problem into the customer´s LAN. But I have one question, could you tell me why works with a standard access-list and with a extended does not.

Best Regards,

KC

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-04-2011 11:34 PM

It is supposed to be configured with standard access-list on ASA as per design.

Here is the command reference that states that for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1404816

0 Helpful

Go to solution
kathy-kat
Level 1
Level 1
In response to Jennifer Halim

‎03-09-2011 10:26 AM

Hello Jennifer!!

There is some problems with the traffic in two networks, seems like some traffic to the networks 192.168.0.0/16 (ASA LAN) go through the tunnel but other traffic is going to the Internet.

I put an access-list in the ASA:

Inside access in: permit ip any 10.50.15.0 255.255.255.0 (Remote Network) ( with a lot of macth)

Outside access in: permt ip 10.50.15.0 255.255.255.0 any

solo la lista de acceso en la interfaz inside hace match, la otra lista de acceso hace match cuando utilizo el packet tracert en el ASA

The servers that I can access are:192.68.0.5, 192.168.0.6, 192.168.0.102 and 192.168.0.10.

The servers that I can not access are: 192.168.0.9, 192.168.0.100 and 192.168.0.81.

All the server belong to the same network.

Here is the tracert from my PC, wich is in the Remote Network:

C:\Documents and Settings\kcastillo>tracert 192.168.0.5

Traza a 192.168.0.5 sobre caminos de 30 saltos como máximo.

  1    <1 ms    <1 ms    <1 ms  10.50.15.1
  2   249 ms   250 ms   256 ms  192.168.0.5

Traza completa.

C:\Documents and Settings\kcastillo>tracert 192.168.0.9

Traza a 192.168.0.9 sobre caminos de 30 saltos como máximo.

  1    <1 ms    <1 ms    <1 ms  10.50.15.1
  2     *        *        *     Tiempo de espera agotado para esta solicitud.
  3     *        *        *     Tiempo de espera agotado para esta solicitud.
  4     *        *        *     Tiempo de espera agotado para esta solicitud.
  5     *        *        *     Tiempo de espera agotado para esta solicitud.
  6     *        *        *     Tiempo de espera agotado para esta solicitud.

If I try to do ping from router the packet is failed.

Router-Miranda#ping 192.168.0.85

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.85, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

But If i try to do ping from the inside interface on Router to inside interface on ASA, the packet pass.

Router-Miranda#ping 192.168.0.85 source fastEthernet 0/1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.85, timeout is 2 seconds:
Packet sent with a source address of 10.50.15.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/41/48 ms

I have the same situacion on ASA, I mean if the ping is going from inside interface from Router ( Pass)

192.168.0.85: Ip address in interface inside on ASA

Any idea?

Regards,

KC

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-09-2011 04:40 PM

Yes, you can only ping by sourcing the ping from the LAN interface because that is what is supposed to be encrypted through the tunnel, ie: between LAN subnet to LAN subnet. If you just ping straight out from the router, the ping will be sourced from the router external interface, hence ping will fail which is correct behaviour.

Base on your explaination, you can access some hosts but not some others that are in the same LAN. This straight away point me to believe that it has nothing to do with configuration nor VPN on both the ASA and router. Because everything is setup between LAN to LAN subnets, so if you can access just 1 ip address within that subnet, you should be able to access everything else on that subnet.

I would actually check the server itself and see if there is anything that might prevent the access. A few things to check on the server:

- correct default gateway (ie: the same default gateway as other host that works)

- firewall that is not blocking inbound connection from different subnet

0 Helpful

Go to solution
kathy-kat
Level 1
Level 1
In response to Jennifer Halim

‎03-14-2011 11:00 AM

Hello Jennifer!!

I forget write you the last week, the vpn works fine. The problem was the default gateway on servers.

Thanks,

KC

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to kathy-kat

‎03-15-2011 01:37 AM

Thanks for the update, KC. Great to know it's working good now.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents