IPSec traceroute problem.

hanwucisco
Level 1

Me ----(*.*.150.145) R1(*.*.150.21)=====IPsec=======(*.*.90.94)R2(*.*.90.92)---(Router(*.*.90.49))-Server.

C:\Documents and Settings\Administrator.>tracert *.*.60.31

Tracing route to *.*.60.31
over a maximum of 30 hops:

  1    32 ms    <1 ms    <1 ms  x.x.43.129
  2     1 ms    <1 ms    <1 ms  x.x.5.13
  3     1 ms    <1 ms    <1 ms  x.x.150.145
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6    36 ms    36 ms    36 ms  *.*.60.31

Trace complete.

We want hops 4 and 5 to show up, like hops 1, 2 and 3 do. We only administer the devices on the left side of the diagram.

I tried adding "permit icmp any any" to the crypto map on the tunnel, and the hops showed. But when I put the specific IPs 90.92 and 90.49 instead of "any any", it went back to what is copied above. The log in ASDM shows the returning packet from *.*.90.92 was: "A decapsulated IPsec does not match the negotiated identity. The peer is sending other traffic through this security association."

I cannot figure out why. I opened a Cisco case; they said the configuration is fine. Any idea?

thanks,

Han
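As an added illustration (not part of this thread and not Cisco code), the following Python model shows the two checks a returning ICMP Time Exceeded has to pass before tracert can display a hop on the far side of the tunnel: the far peer's crypto ACL must select the reply for encryption, and the near peer must find that the decapsulated inner packet matches the mirror of its own crypto ACL, which is the condition the "does not match the negotiated identity" message reports. Addresses are RFC 5737 documentation ranges standing in for the masked ones in the post, and the source address each hop uses for its Time Exceeded is an assumption of the example (it is the first thing to confirm with a capture on the real devices).

```python
"""Model of the crypto-ACL / proxy-identity checks applied to the ICMP
Time Exceeded replies that traceroute relies on.

Constructed example; RFC 5737 addresses stand in for the masked ones:
  ME      192.0.2.145     ("Me", near side)
  R2_OUT  198.51.100.94   (R2 outside address, tunnel peer)
  R2_IN   198.51.100.92   (R2 inside address)
  ROUTER  198.51.100.49   ("Router" behind R2)
  SERVER  203.0.113.31    (tracert target)
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ME, R2_OUT, R2_IN, ROUTER, SERVER = (
    "192.0.2.145", "198.51.100.94", "198.51.100.92",
    "198.51.100.49", "203.0.113.31")


def net(spec: str) -> ipaddress.IPv4Network:
    """'any' -> 0.0.0.0/0, a bare host -> /32, otherwise a CIDR string."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


@dataclass(frozen=True)
class Ace:
    proto: str   # "ip" matches any protocol; otherwise "icmp"/"tcp"/"udp"
    src: str     # local proxy (what this side encrypts *from*)
    dst: str     # remote proxy (what this side encrypts *to*)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in net(ace.src)
            and ipaddress.ip_address(pkt.dst) in net(ace.dst))


def outbound_ace(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """ACE that would send pkt into the tunnel from the sending side, if any."""
    return next((a for a in acl if ace_matches(a, pkt)), None)


def inbound_ace(acl: List[Ace], pkt: Packet) -> Optional[Ace]:
    """The receiving side checks a decapsulated packet against the mirror of
    its crypto ACL: packet source in the remote proxy, destination in the
    local proxy. No match is the 'does not match the negotiated identity'
    condition."""
    return next((a for a in acl if ace_matches(a, Packet(pkt.proto, pkt.dst, pkt.src))), None)


def mirror(acl: List[Ace]) -> List[Ace]:
    """The correctly mirrored crypto ACL for the other peer."""
    return [Ace(a.proto, a.dst, a.src) for a in acl]


def simulate(near_acl: List[Ace], far_acl: List[Ace], hops: List[str]) -> List[str]:
    """Per far-side hop, the fate of its ICMP Time Exceeded back to ME.
    Assumption: each hop sources the reply from the address listed for it."""
    fates = []
    for hop in hops:
        reply = Packet("icmp", hop, ME)
        if outbound_ace(far_acl, reply) is None:
            fates.append("not tunneled")        # far peer sends it in the clear
        elif inbound_ace(near_acl, reply) is None:
            fates.append("identity mismatch")   # near peer drops it, logs the message
        else:
            fates.append("shown")
    return fates


# Near-side (R1) crypto ACL variants from the post, in constructed form.
BASE = [Ace("ip", "192.0.2.0/24", "203.0.113.0/24")]          # LAN <-> server net
WITH_ANY = BASE + [Ace("icmp", "any", "any")]                 # "permit icmp any any"
WITH_HOSTS = BASE + [Ace("icmp", ME, R2_IN), Ace("icmp", ME, ROUTER)]  # specific hosts

FAR_HOPS = [R2_OUT, ROUTER, SERVER]   # hops 4, 5, 6 in the post's tracert

if __name__ == "__main__":
    for label, near, far in [("base / mirrored", BASE, mirror(BASE)),
                             ("icmp any any, both sides", WITH_ANY, mirror(WITH_ANY)),
                             ("hosts, both sides", WITH_HOSTS, mirror(WITH_HOSTS)),
                             ("hosts near, any any far", WITH_HOSTS, mirror(WITH_ANY))]:
        print(f"{label:26}", dict(zip(("hop4", "hop5", "hop6"), simulate(near, far, FAR_HOPS))))
```

The last scenario is the one that produces the log message: the far peer is willing to encrypt a reply sourced from an address (here R2's outside address) that the near peer's narrowed ACL never names, so the packet arrives through the SA but fails the identity check on decapsulation. Whether that is what happened in the post depends on which interface address the far hops actually use when they generate Time Exceeded, which the model only assumes.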

1 Reply

Herbert Baerten
Cisco Employee

Han,

Can you clarify the topology a bit? It shows *.*.90.49 twice? What is the ip on the "left side" of 'router' ?

Who are x.x.43.129 and x.x.5.13?

What kind of devices are R1, R2 and "Router" ? Since you mention ASDM I guess R1 is an ASA?

I assume *.*.60.31 is the server?

Next, when you modify the crypto ACL, do you do this only on R1 or also on R2?

Can you post the *exact* line you tried to add?

Does the log message say the packet is coming from *.*.90.92? That seems strange; I would expect to see only packets coming from interfaces towards "Me".

Herbert