Solved: Fail to ping ASA inside port IP from the remote site of L2L VPN with it

matthewik.lee · ‎04-20-2015

The L2L VPN established OK between ASA-1 and ASA-2:

ASA-2# show crypto isakmp sa

KEv1 SAs:

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 207.140.28.102

Type : L2L Role : responder

Rekey : no State : MM_ACTIVE

There are no IKEv2 SAs

ISSUE: In 3750-2, we ping 3750-1(10.10.2.253) are OK, but not ASA-1 inside port(10.10.2.254).

Debug icmp data in ASA-1:

ASA-1# debug icmp trace

debug icmp trace enabled at level 1

ICMP echo request from Internet:10.100.2.252 to Server:10.10.2.253 ID=400 seq=0 len=72

ICMP echo reply from Server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=0 len=72

ICMP echo request from Internet:10.100.2.252 to Server:10.10.2.253 ID=400 seq=1 len=72

ICMP echo reply from Server:10.10.2.253 to Internet:10.100.2.252 ID=400 seq=1 len=72

ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=0 len=72

ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=1 len=72

ICMP echo request from 10.100.2.252 to 10.10.2.254 ID=401 seq=2 len=72

Mario Jose Mora Vargas · ‎04-20-2015

make sure you have # management access inside

lt me know f that helps-

Mario Jose Mora Vargas · ‎04-20-2015

make sure you have # management access inside

lt me know f that helps-

matthewik.lee · ‎04-20-2015

Dear Mario, it works. Highly appreciating.