Beginner

IPsec phase 2 getting completed but not able to ping remote network.

Hi,

I am configuring a site-to-site VPN connection between an ASA5505 and a Checkpoint firewall.

In the logs it shows that IPsec phase 1 and 2 are getting completed, but when my remote network tries to ping my local LAN network it shows connection denied: ICMP src XXXXX to dst XXXX denied (reason-8).

Please help me out to fix this issue,

Best regards,

Pulkit

Enthusiast

Re: IPsec phase 2 getting completed but not able to ping remote

I would suggest running a packet tracer on the ASA to see if the packet is flowing through fine or where it's getting dropped. Also see if there are any VPN filters configured for the tunnel.

See if other traffic is flowing fine through the tunnel. If yes, then check the icmp commands on the ASA to make sure it's not blocked.

Beginner

Re: IPsec phase 2 getting completed but not able to ping remote

Hi.

No VPN filter is applied.

In packet tracer also, the packet is showing denied.

Attaching the configuration for your reference,

Best regards,

Pulkit

Enthusiast

Re: IPsec phase 2 getting completed but not able to ping remote

Remove the management-only command from the management interface (which I assume is the LAN interface). And check the logs to see if you are seeing any particular error messages. Set the logging buffered to debugging.

Beginner

Re: IPsec phase 2 getting completed but not able to ping remote

Hi,

3 site-to-site VPNs are already working on the same config, but for dest. 172.25.66.0 network it's not working.

I tried packet tracer also; it shows the packet is denied by access rule.

Is it possible that Checkpoint is blocking the flow?

Kindly suggest.

Regards,

Pulkit

Beginner

Re: IPsec phase 2 getting completed but not able to ping remote

Hi,

I don't see any Tx packets in VPN details. But it shows RX bits.

Kindly suggest.

Cisco Employee

Re: IPsec phase 2 getting completed but not able to ping remote

Hi Pulkit,

Could you attach the packet-tracer output here? We could have a look at that and get back to you with something then!