Cisco 871 router cannot ping corporate network space over IPsec vpn.

jkeeffe
Level 2

We have an 871 configured as an EzVPN client in network extension mode. We have outbound shaping and QoS applied to the virtual-template interface to prioritize voice and all that is working great.

The problem is that from the 871 itself I cannot ping anything on our corporate network space. If I do an extended ping and use the 871 vlan1 interface IP address as the source I can ping back to the corporate network.

Here is the routing table in the 871 once the IPsec tunnel comes up:

871RT_232#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 67.168.2.1 to network 0.0.0.0

     68.0.0.0/32 is subnetted, 1 subnets
S       68.87.69.16 [254/0] via 67.168.2.1, FastEthernet4
S    172.26.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
     172.28.0.0/16 is variably subnetted, 2 subnets, 2 masks
C       172.28.0.232/29 is directly connected, Vlan1
S       172.28.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
     67.0.0.0/23 is subnetted, 1 subnets
C       67.168.2.0 is directly connected, FastEthernet4
S    192.168.1.0/24 [1/0] via 0.0.0.0, Virtual-Access2
S    164.72.0.0/16 [1/0] via 0.0.0.0, Virtual-Access2
S    192.254.2.0/24 [1/0] via 0.0.0.0, Virtual-Access2
     192.254.3.0/32 is subnetted, 1 subnets
S       192.254.3.10 [1/0] via 67.168.2.1
S*   0.0.0.0/0 [254/0] via 67.168.2.1
871RT_232#

Our main corporate network space is the 164.72.0.0 network.

All the static routes that point to Virtual-Access2 are injected from the 3030 concentrator headend when the 871 brings up the IPsec tunnel.

Again the PC and IP phone plugged into the 871 can access services on the 164.72.0.0 network, but the router itself cannot - unless I use the extended ping function.

I need the 871 to be able to send snmp traffic to network management consoles on the 164.72.0.0 network as well as get its NTP (or SNTP) clock from that network.

Any ideas - any fancy static routing I need to do in the 871?

1 Reply

Good news and bad news. The good news is you can get SNMP, Telnet, SSH, RADIUS, NTP, etc. to work. The bad news is you can't get ping to work without using extended ping.

The VPN tunnel entrance is between the Fe4 and Vlan1 interfaces. By default the 870 series routers like to use Fe4 as their source interface. This won't work, obviously, since it knows nothing about a tunnel entrance.

The fix is pretty simple. The commands are:

logging source [Interface]

ntp source [Interface]

ip [protocol] source [Interface]

where protocol is SSH, RADIUS, Telnet, etc.
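As an added example (not code from the original post or from the reply's author): a small Python audit that scans an IOS-style running-config for the management protocols the reply lists and reports which ones still lack a source-interface binding to the inside (Vlan1) interface, the condition that makes router-originated traffic leave with the Fe4 address and miss the tunnel. The IOS command forms it looks for (`logging source-interface`, `ntp source`, `ip ssh source-interface`, `ip telnet source-interface`, `ip radius source-interface`, `ip tacacs source-interface`, `snmp-server trap-source`) are the standard IOS global commands, chosen from IOS documentation rather than taken from the reply; the hostname, host addresses and server IPs inside the embedded sample config are constructed for the example.

```python
"""Audit an IOS running-config for management-traffic source-interface bindings.

Added example: checks that every management protocol a router originates
(syslog, NTP, SSH, Telnet, RADIUS, TACACS+, SNMP traps) is pinned to the
inside interface, so the traffic is sourced from an address the IPsec
headend accepts instead of the default outside-facing interface.
"""
import re

# Management protocol -> IOS global command that pins its source interface.
# Command set assumed from IOS documentation (not taken from the post).
SOURCE_COMMANDS = {
    "syslog":     r"^logging source-interface (\S+)",
    "ntp":        r"^ntp source (\S+)",
    "ssh":        r"^ip ssh source-interface (\S+)",
    "telnet":     r"^ip telnet source-interface (\S+)",
    "radius":     r"^ip radius source-interface (\S+)",
    "tacacs":     r"^ip tacacs source-interface (\S+)",
    "snmp-traps": r"^snmp-server trap-source (\S+)",
}


def audit_source_interfaces(config_text, expected_interface):
    """Return {protocol: 'ok' | 'missing' | 'wrong:<iface>'} for each protocol."""
    lines = [line.strip() for line in config_text.splitlines()]
    result = {}
    for proto, pattern in SOURCE_COMMANDS.items():
        rx = re.compile(pattern, re.IGNORECASE)
        found = None
        for line in lines:
            m = rx.match(line)
            if m:
                found = m.group(1)
                break
        if found is None:
            result[proto] = "missing"
        elif found.lower() != expected_interface.lower():
            result[proto] = f"wrong:{found}"
        else:
            result[proto] = "ok"
    return result


def missing_bindings(config_text, expected_interface):
    """Sorted list of protocols that are not correctly pinned to expected_interface."""
    status = audit_source_interfaces(config_text, expected_interface)
    return sorted(proto for proto, s in status.items() if s != "ok")


# Constructed sample: management services configured, but nothing pins
# their source interface, so IOS sources them from the outside interface.
CONFIG_BEFORE = """\
hostname 871RT_232
!
interface Vlan1
 ip address 172.28.0.233 255.255.255.248
!
interface FastEthernet4
 ip address 67.168.2.10 255.255.254.0
!
logging host 164.72.10.5
snmp-server host 164.72.10.5 public
ntp server 164.72.10.1
ip ssh version 2
"""

# Same config with every management protocol pinned to the inside interface.
CONFIG_AFTER = CONFIG_BEFORE + """\
logging source-interface Vlan1
ntp source Vlan1
ip ssh source-interface Vlan1
ip telnet source-interface Vlan1
ip radius source-interface Vlan1
ip tacacs source-interface Vlan1
snmp-server trap-source Vlan1
"""


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        print(f"[{label}] missing/wrong bindings:",
              missing_bindings(cfg, "Vlan1") or "none")
```

Running the script reports all seven protocols as unbound for the "before" config and none for the "after" config; pointing `expected_interface` at `Vlan1` also flags any binding that was set to `FastEthernet4` by mistake, which would reproduce the original symptom.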