
IPsec phase 2 getting completed but not able to ping remote network.

pulkit.sharma
Level 1

Hi,

I am configuring a site-to-site VPN connection between an ASA5505 and a Checkpoint firewall.

In the logs it shows that IPsec phase 1 and 2 are getting completed, but when my remote network tries to ping my local LAN network it shows connection denied ICMP src XXXXX to dst XXXX denied (reason-8).

Please help me out to fix this issue.

Best regards,

Pulkit

6 Replies

rahgovin
Level 4

I would suggest running a packet tracer on the ASA to see if the packet is flowing through fine or where it's getting dropped. Also see if there are any VPN filters configured for the tunnel.

See if other traffic is flowing fine through the tunnel. If yes, then check the icmp commands on the ASA to make sure it's not blocked.

Hi.

No VPN filter is applied.

In packet tracer also, the packet is showing denied.

Attaching the configuration for your reference.

Best regards,

Pulkit

Remove the management-only command from the management interface (which I assume is the LAN interface), and check the logs to see if you are seeing any particular error messages. Set the logging buffered to debugging.

Hi,

3 site-to-site VPNs are already working on the same config, but for the dest. 172.25.66.0 network it's not working.

I tried packet tracer also; it shows the packet is denied by access rule.

Is it possible that Checkpoint is blocking the flow?

Kindly suggest.

Regards,

Pulkit

Hi,

I don't see any Tx packets in the VPN details, but it shows RX bits.

Kindly suggest.

Hi Pulkit,

Could you attach the packet-tracer output here? We could have a look at that and get back to you with something then!
