Re: Traceroute not working over IPSec VPN with 2 ASAs and between hosts in different sites

remi-reszka · ‎12-04-2017

Hi there,

I am having some issues with traceroute over IPSec VPN IKEv2 between 2 ASAs. When traceroute from a host behind any of the 2 ASAs towards the Internet everything works fine but when tried to trace route from a host behind ASA in site A to a host behind ASA in site the trace does not work.

What am missing?

Thank in advance.

Regards,

Remy

Flavio Miranda · ‎12-04-2017

Hi @remi-reszka

Try to add similar config on your ASA:

access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable

access-group outside_access_in in interface outside

-If I helped you somehow, please, rate it as useful.-

remi-reszka · ‎12-05-2017

Thanks but on both ASAs I have already configured the following:

!

icmp unreachable rate-limit 10 burst-size 5

!

access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded

!

access-group outside_access_in in interface outside

!

policy-map global_policy

class inspection_default

inspect icmp
inspect icmp error

class class-default
set connection decrement-ttl
!

So to speak and as I mentioned before the traceroute is working fine from INSIDE towards the Internet (OUTSIDE) however between 2 hosts on different INSIDE networks which is behind each ASA and over VPN is not not working. The first hop which is ASA already gives me an *.

Any other clues? Will it work at all the traceroute over VPN?

Thanks!