Cisco ezvpn ASAs can't ping each other's inside interfaces

Adam Hudson
Level 1

I have an ezvpn set up with a 5506 on the client side (Location B) and a 5520 on the server side (Location A). I've got the vpn connected successfully and traffic is flowing. My problem is I can't SSH into Location B. Investigating this more, I can't ping either ASA's inside interface from the opposing ASA, nor from machines on the inside of each ASA.

I found the following links describing a similar scenario to mine but nothing on any of these helped me.
http://www.experts-exchange.com/questions/28388142/Cannot-ping-ASA-5505-INSIDE-INTERFACE-across-VPN.html
https://www.fir3net.com/Firewalls/Cisco/cisco-asa-proxy-arp-gotcha.html
https://supportforums.cisco.com/discussion/11755586/cisco-asa-vpn-established-cant-ping

I've attached sanitized versions of both configs. Any help is appreciated.

Accepted Solution

jagmeesi
Level 1

Hi Adam

On the B Location I am not able to see "management-access inside". Please try to configure the same. It might resolve the issue.

Also on the A location ASA's nat statement, can you please try adding the "no-proxy-arp route-lookup" keywords as well,

something like:

nat (inside,outside) source static (Location A)_Networks (Location A)_Networks destination static (location B)-remote_network (location B)-remote_network no-proxy-arp route-lookup

as I have seen issues with the inside interface access over the VPN when these keywords are not applied. If I remember correctly, the 8.6.x version of ASA had a bug regarding the same.

Regards

Jagmeet

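As an added illustration of the two changes the accepted answer describes (this is not Adam's or Jagmeet's configuration, which is not reproduced on this page), the fragment below shows both sides plus the checks a practitioner would run afterwards. The addresses (10.1.0.0/24 at Location A, 10.2.0.0/24 at Location B) and the object names LocationA_Networks / LocationB_remote_network are constructed stand-ins for the sanitized ones in the thread.

```cisco
! --- Location A (ASA 5520, EZVPN server side) ---
! Constructed addresses for illustration: A inside = 10.1.0.0/24, B inside = 10.2.0.0/24
object network LocationA_Networks
 subnet 10.1.0.0 255.255.255.0
object network LocationB_remote_network
 subnet 10.2.0.0 255.255.255.0
!
! Identity (twice) NAT so VPN traffic is exempt from the interface PAT.
! no-proxy-arp : do not answer ARP on 'outside' for the mapped (inside) addresses
! route-lookup : choose the egress interface from the routing table, not from the NAT rule
nat (inside,outside) source static LocationA_Networks LocationA_Networks destination static LocationB_remote_network LocationB_remote_network no-proxy-arp route-lookup
!
! Let the far side reach this ASA's own inside address through the tunnel
management-access inside
!
! --- Location B (ASA 5506, EZVPN client side) ---
! Same requirement: without this the inside interface is not reachable over the VPN
management-access inside
!
! --- Verification (run on Location A) ---
! A ping originated by the ASA itself must be sourced from the inside interface,
! otherwise it leaves from 'outside' and never matches the crypto ACL
ping inside 10.2.0.1
! Walk a host-originated ping through NAT and the VPN lookup; the NAT phase should
! show the identity rule and the VPN phase should show the tunnel, with no DROP
packet-tracer input inside icmp 10.1.0.10 8 0 10.2.0.1 detailed
! Confirm the exemption rule is being hit (translate_hits / untranslate_hits increase)
show nat detail
! Confirm an IPsec SA exists for 10.1.0.0/24 <-> 10.2.0.0/24 and encaps/decaps counters move
show crypto ipsec sa peer <Location B public IP>
```

If `packet-tracer` drops in the NAT phase, the identity rule is either absent or ordered after a more general dynamic rule; if it passes but `show crypto ipsec sa` shows no SA for the pair, the mismatch is in the crypto ACL or the EZVPN network extension rather than in NAT.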

4 Replies

Jagmeet, I added "management-access inside" at Location B, and I already had "no-proxy-arp route-lookup" on Location A's nat statement; it was just deleted while I was sanitizing.

I still cannot ping inside interfaces.

I performed a ping test about ten minutes later and they went through; "management-access inside" ended up working.

carlguer
Level 1

Hi Adam,

I see that the configuration on one end is this one:

tunnel-group ezvpn type remote-access
tunnel-group ezvpn general-attributes
 default-group-policy ezvpnpolicy
tunnel-group ezvpn ipsec-attributes
 ikev1 pre-shared-key <removed>

But when I tried to look for that group-policy I didn't find anything. Could you please share that group-policy with us?