12-04-2017 11:59 AM - edited 03-12-2019 04:47 AM
Hi there,
I am having some issues with traceroute over an IPSec VPN (IKEv2) between 2 ASAs. When I traceroute from a host behind either of the 2 ASAs towards the Internet everything works fine, but when I try to traceroute from a host behind the ASA in site A to a host behind the ASA in the other site, the trace does not work.
What am I missing?
Thanks in advance.
Regards,
Remy
12-04-2017 06:40 PM
Hi @remi-reszka
Try adding a similar config on your ASA:
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-group outside_access_in in interface outside
-If I helped you somehow, please, rate it as useful.-
12-05-2017 05:28 AM
Thanks but on both ASAs I have already configured the following:
!
icmp unreachable rate-limit 10 burst-size 5
!
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
!
access-group outside_access_in in interface outside
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
!
So, as I mentioned before, traceroute works fine from INSIDE towards the Internet (OUTSIDE); however, between 2 hosts on different INSIDE networks behind each ASA, over the VPN, it is not working. The first hop, which is the ASA, already gives me an *.
Any other clues? Will traceroute over the VPN work at all?
Thanks!
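Added example, not from the thread and not Cisco's code: a small Python checker that parses an ASA running-config fragment and reports which of the traceroute-related statements discussed above (the ICMP type permits bound inbound on the outside interface, `inspect icmp` / `inspect icmp error`, and `set connection decrement-ttl`) are present. The interface name `outside`, the ACL name, and the sample config are assumptions; the sample deliberately omits the `time-exceeded` permit so the checker has something to report. Remy's posted config passes every check here, so a clean result narrows the problem rather than solving it.

```python
"""Check an ASA config fragment for the traceroute-related statements.

Added example (not from the thread, not Cisco's code). Parses a config
fragment and reports which of the statements the thread discusses are
present. Interface name 'outside' and the ACL name are assumptions.
"""
import re

# Constructed sample config: the statements from the thread, with the
# 'time-exceeded' permit deliberately left out so the checker reports it.
SAMPLE_CONFIG = """\
icmp unreachable rate-limit 10 burst-size 5
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any traceroute
access-list outside_access_in extended permit icmp any any echo-reply
access-group outside_access_in in interface outside
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
 class class-default
  set connection decrement-ttl
"""

# "access-list <name> extended permit icmp any any <icmp-type>"
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+permit\s+icmp\s+any\s+any\s+(\S+)$")
# "access-group <name> in|out interface <ifname>"
AG_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)$")
# Lines that belong to a policy-map body, whether or not the paste kept indentation.
POLICY_BODY_KEYWORDS = ("class ", "inspect ", "set ")


def parse_config(text):
    """Extract the pieces of the config the traceroute checks look at."""
    acl_icmp = {}        # ACL name -> set of permitted ICMP types
    access_groups = {}   # (interface, direction) -> ACL name
    inspects = set()     # e.g. {"icmp", "icmp error"}
    decrement_ttl = False
    in_policy_map = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("policy-map "):
            in_policy_map = True
            continue
        if in_policy_map and not line.startswith(POLICY_BODY_KEYWORDS):
            in_policy_map = False  # left the policy-map block
        m = ACL_RE.match(line)
        if m:
            acl_icmp.setdefault(m.group(1), set()).add(m.group(2))
            continue
        m = AG_RE.match(line)
        if m:
            access_groups[(m.group(3), m.group(2))] = m.group(1)
            continue
        if in_policy_map:
            if line.startswith("inspect "):
                inspects.add(line[len("inspect "):])
            elif line == "set connection decrement-ttl":
                decrement_ttl = True
    return {"acl_icmp": acl_icmp, "access_groups": access_groups,
            "inspects": inspects, "decrement_ttl": decrement_ttl}


def check_traceroute_config(text, outside_if="outside"):
    """Return {check name: True/False} for the statements the thread lists."""
    cfg = parse_config(text)
    outside_acl = cfg["access_groups"].get((outside_if, "in"))
    icmp_types = cfg["acl_icmp"].get(outside_acl, set())
    return {
        "outside_inbound_acl_bound": outside_acl is not None,
        "acl_permits_time_exceeded": "time-exceeded" in icmp_types,
        "acl_permits_unreachable": "unreachable" in icmp_types,
        "inspect_icmp": "icmp" in cfg["inspects"],
        "inspect_icmp_error": "icmp error" in cfg["inspects"],
        "decrement_ttl": cfg["decrement_ttl"],
    }


def missing_checks(text, outside_if="outside"):
    """Names of the checks that failed, sorted for stable output."""
    results = check_traceroute_config(text, outside_if)
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    for name, ok in check_traceroute_config(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'MISS'} {name}")
```

Run it against `show running-config` output saved to a file (read the file into `text` and call `missing_checks`); the parser accepts both indented and flat pastes of the policy-map block, since forum posts usually lose the indentation.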