Beginner

VTI endpoints can't be pinged by LAN clients

Hello,

I set up a simple lab environment in GNS3 and found an interesting problem. I used the setup from https://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html#wp1080079 (Configuration Examples for IPsec Virtual Tunnel Interface). So in this simple setup the tunnel interface is UP, and from the router I can ping everything, but from the server on the left and on the right side I can't ping the tunnel endpoint or the LAN IP of the other router. I have no idea why; it's totally not logical, as the servers are using the LAN IP as their default gateway.


So workstation PC1 can ping the tunnel IP on R1 but can't ping the tunnel IP on R2. Both ends have proper routes, otherwise I wouldn't be able to ping the "lan" interface from the router on the other side of the tunnel.
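A check worth running before changing any routing, added here as an example and not part of the original post: the router-to-router pings that succeed in this thread are sourced from the router's own tunnel or WAN address, whereas PC1's packets enter R1 with a 10.0.35.0/24 source. Sourcing a ping from R1's LAN address reproduces PC1's path without involving the PC, and restricting the debug with an access list shows only that flow instead of every packet (an unfiltered `debug ip packet` on a busy router can saturate the CPU, so a filter is good practice even in a lab). The commands are standard IOS; the addresses are the thread's, and access-list number 101 is this example's own choice.

```cisco
! --- On R1: reproduce PC1's path with a router-sourced ping (added example, not from the thread) ---
! Source the echo from the LAN interface address so it carries a 10.0.35.0/24 source,
! like PC1's packets do; without "source", IOS uses the egress (Tunnel0) address instead.
ping 10.0.51.217 source 10.0.35.203 repeat 5
ping 10.0.36.217 source 10.0.35.203 repeat 5
!
! How R1 resolves the destination: expect the 10.0.51.0/24 entry known via "connected" on Tunnel0.
show ip route 10.0.51.217
!
! Tunnel counters: after the 5-packet ping, "#pkts encaps" on R1 should have grown by 5 and
! "#pkts decaps" on R2 by 5. No encaps growth on R1 means the packet never entered the tunnel;
! encaps on R1 without decaps on R2 means it was lost in transit or rejected by R2's IPsec.
show crypto ipsec sa | include pkts|ident|endpt
!
! Debug only the flow under test (ACL 101 is an arbitrary number chosen for this example).
access-list 101 permit icmp host 10.0.35.21 host 10.0.51.217
access-list 101 permit icmp host 10.0.51.217 host 10.0.35.21
debug ip packet 101 detail
! ... run the ping from PC1 now, then stop the debug and remove the filter ...
undebug all
no access-list 101
!
! --- On R2: the return path must also be checked explicitly ---
show ip route 10.0.35.21
ping 10.0.35.21 source 10.0.51.217 repeat 5
```

If the router-sourced ping from 10.0.35.203 fails in the same way as PC1's, the PC is not the problem and the tunnel counters on both routers tell you on which side the packets disappear; if it succeeds, compare the debug of the PC's packets with the debug of the router-sourced ones.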

8 Replies
VIP Advisor RJI

Re: VTI endpoints can't be pinged by LAN clients

Hello Damir,

Does R2 have a route to the network PC1 is on in its routing table?


Beginner

Re: VTI endpoints can't be pinged by LAN clients

Yes, it does. I can ping the LAN interface (default gateway of PC1) of R1 from R2.
VIP Advisor RJI

Re: VTI endpoints can't be pinged by LAN clients

Can you provide the configuration please?

Are you using a dynamic routing protocol?

Beginner

Re: VTI endpoints can't be pinged by LAN clients

R1:


crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 ip ospf mtu-ignore
 load-interval 30
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.35.203 255.255.255.0
 duplex full
!
interface Ethernet2/0
 ip address 10.0.149.203 255.255.255.0
 duplex full
!
ip route 10.0.36.0 255.255.255.0 Tunnel0

R2:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key Cisco12345 address 0.0.0.0
!
!
crypto ipsec transform-set T1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile P1
 set transform-set T1
!
interface Tunnel0
 ip address 10.0.51.217 255.255.255.0
 ip ospf mtu-ignore
 tunnel source 10.0.149.217
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.203
 tunnel protection ipsec profile P1
!
interface FastEthernet0/0
 ip address 10.0.36.217 255.255.255.0
 duplex full

interface Ethernet2/0
 ip address 10.0.149.217 255.255.255.0
 duplex full
!
ip route 10.0.35.0 255.255.255.0 Tunnel0

PC1 config:


NAME   IP/MASK              GATEWAY           MAC                LPORT  RHOST:PORT
PC1    10.0.35.21/24        10.0.35.203       00:50:79:66:68:00  10018  127.0.0.1:10019
       fe80::250:79ff:fe66:6800/64

PC1> ping  10.0.51.217
10.0.51.217 icmp_seq=1 timeout
10.0.51.217 icmp_seq=2 timeout
10.0.51.217 icmp_seq=3 timeout
10.0.51.217 icmp_seq=4 timeout
10.0.51.217 icmp_seq=5 timeout

PC1> trace  10.0.51.217
trace to 10.0.51.217, 8 hops max, press Ctrl+C to stop
 1   10.0.35.203   4.500 ms  9.395 ms  9.508 ms
 2     *  *  *
 3     *  *  *
 4     *  *  *
 5     *  *  *
 6     *  *  *
 7     *  *  *
 8     *  *  *

R1 debug ICMP and debug IP:

*Jan 27 20:21:10.245: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.245: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.249: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.249: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.253: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.253: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.253: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.253: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.257: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217 (Tunnel0), routed via FIB
*Jan 27 20:21:10.265: ICMP: time exceeded (time to live) sent to 10.0.35.21 (dest was 10.0.51.217), topology BASE, dscp 0 topoid 0
*Jan 27 20:21:10.265: IP: tableid=0, s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), routed via FIB
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending
*Jan 27 20:21:10.265: IP: s=10.0.35.203 (local), d=10.0.35.21 (FastEthernet0/0), len 56, sending full packet
*Jan 27 20:21:10.265: IP: s=10.0.35.21 (FastEthernet0/0), d=10.0.51.217, len 92, input feature, packet consumed, MCI Check(92), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
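A note on the posted crypto settings, with an added example that is not part of the thread: the lab uses IKEv1 with 3DES, SHA-1 and DH group 2, and `crypto isakmp key Cisco12345 address 0.0.0.0` authenticates any peer, from any source address, that presents that well-known key. None of that matters for a GNS3 exercise, but it should not be copied onto a router reachable from a real network. The configuration below redoes R1's VTI with IKEv2, AES-GCM and a peer pinned to its address. It is this editor's example, not Cisco's document or the poster's config; it keeps the thread's addresses and names, assumes an IOS release that supports IKEv2 and the `esp-gcm`/`aes-gcm-256` transforms (the 12.3T-era document the lab was built from predates them), and uses a placeholder pre-shared key that must be replaced with a long random secret. R2 is the mirror image with the tunnel source, destination and keyring peer address swapped.

```cisco
! --- R1, hardened VTI (added example; names and cipher choices are this example's own) ---
! IKEv2 proposal: with an AEAD cipher, no "integrity" line is allowed and "prf" is mandatory.
crypto ikev2 proposal PROP-R1
 encryption aes-gcm-256
 prf sha512
 group 19
!
crypto ikev2 policy POL-R1
 proposal PROP-R1
!
! Keyring with the key bound to one peer address, instead of the 0.0.0.0 wildcard of the lab.
crypto ikev2 keyring KR-R1
 peer R2
  address 10.0.149.217
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
!
! Only a peer presenting R2's address as its identity can match this profile.
crypto ikev2 profile PROF-R1
 match identity remote address 10.0.149.217 255.255.255.255
 identity local address 10.0.149.203
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-R1
 lifetime 28800
 dpd 10 3 on-demand
!
crypto ipsec transform-set T2 esp-gcm 256
 mode tunnel
!
crypto ipsec profile P2
 set transform-set T2
 set pfs group19
 set ikev2-profile PROF-R1
!
! The tunnel itself is unchanged apart from the profile; a VTI protects everything routed into it.
interface Tunnel0
 ip address 10.0.51.203 255.255.255.0
 tunnel source 10.0.149.203
 tunnel mode ipsec ipv4
 tunnel destination 10.0.149.217
 tunnel protection ipsec profile P2
!
! Remove the wildcard IKEv1 key once both ends are on IKEv2.
no crypto isakmp key Cisco12345 address 0.0.0.0
```

After applying it on both routers, `show crypto ikev2 sa` should list one IKEv2 SA per peer and `show crypto ipsec sa` should show the AES-GCM transform on the Tunnel0 SAs; if the tunnel was already up on IKEv1, clear the old SAs (`clear crypto sa` and `clear crypto isakmp`) so the peers renegotiate with the new profile. Because a VTI has no crypto ACL, the profile change does not alter which traffic is carried, so it does not interfere with the routing question discussed in this thread.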
VIP Advisor RJI

Re: VTI endpoints can't be pinged by LAN clients

So, PC1 on 10.0.35.21/24, with a default gateway of R1 on 10.0.35.203, is pinging 10.0.51.217.

R1 only has a static route of "ip route 10.0.36.0 255.255.255.0 Tunnel0"; you'd need to route 10.0.51.0/24 through Tunnel0. As this is a GNS3 lab, you'd be better off running a routing protocol and advertising all networks.

Beginner

Re: VTI endpoints can't be pinged by LAN clients

10.0.51.0/24 is the tunnel network, directly connected to both R1 and R2, so they should both know where it is. When a packet from VPC1 comes to R1, R1 knows where it is and should just route the packet to int Tunnel0. R2 has a return route, so I don't really know what the problem is.

VIP Advisor RJI

Re: VTI endpoints can't be pinged by LAN clients

Yes, you are right, I overlooked the fact 10.0.51.0/24 is the tunnel subnet.

I tweaked my lab running CSR1000v routers to match your setup, and repeating the same test the PC can ping the other router's IP addresses. So your configuration looks OK.

Is the PC you are using a Windows VM? It doesn't look like it from the output you previously provided.

Beginner

Re: VTI endpoints can't be pinged by LAN clients

It's what's available in GNS3 😊. It was either that or my host; I can try replacing the PC with another router and see what happens. But now you see why I am confused and frustrated :D