02-22-2013 08:16 AM - edited 02-21-2020 06:43 PM
For an IPSec Point-to-Point VPN there is one device that becomes unreachable (cannot ping or other). The device is pingable from the LAN at all times. How can I make this device reachable at all times? Below is more detail.
Thanks,
Dan Foxley
192.168.10.8 000f.b53e.ce01 (This is the same MAC when pinging on the local subnet)
IOS VPN Commands (Local Side)
access-list 138 remark PDVCA-To-Sungard
access-list 138 remark CCP_ACL Category=4
access-list 138 permit ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 138 permit ip 192.168.10.0 0.0.0.255 host 192.168.4.16
!
crypto map 3377 1 ipsec-isakmp
set peer 66.XX.XX.XX
set security-association lifetime kilobytes disable
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 138
!
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec security-association idle-time 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
PIX VPN Commands (Remote End)
access-list ipsectraffic_pdvcorp-ca_pstn permit ip 192.168.7.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list ipsectraffic_pdvcorp-ca_pstn permit ip host 192.168.4.16 192.168.10.0 255.255.255.0
sysopt connection permit-ipsec
sysopt noproxyarp PDVInflow
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map mymap 25 ipsec-isakmp
crypto map mymap 25 match address ipsectraffic_pdvcorp-ca_pstn
crypto map mymap 25 set pfs group2
crypto map mymap 25 set peer 184.XX.XX.XX
crypto map mymap 25 set transform-set ESP-3DES-SHA
crypto map mymap 25 set security-association lifetime seconds 86400 kilobytes 4608000
crypto map mymap 35 ipsec-isakmp
isakmp identity address
isakmp keepalive 10 3
isakmp nat-traversal 20
isakmp policy 80 authentication pre-share
isakmp policy 80 encryption 3des
isakmp policy 80 hash sha
isakmp policy 80 group 2
isakmp policy 80 lifetime 86400
isakmp policy 110 authentication pre-share
isakmp policy 110 encryption 3des
isakmp policy 110 hash sha
isakmp policy 110 group 2
isakmp policy 110 lifetime 28800
02-22-2013 08:57 AM
If the Netgear switch is managed, then check whether there is any default gateway present. If not, enter the default gateway of the ASA interface IP.
02-22-2013 09:11 AM
Jawad,
Thanks for the reply. I double checked, the Netgear switch does have the default gateway populated. Good suggestion, sometimes the basics can be missed.
Dan
02-22-2013 11:30 AM
Well, I have been facing such issues with devices like Netgear etc. Nothing is wrong with your config. For the safe side you can add a Cisco switch and then monitor it.
02-23-2013 09:42 AM
Jawad,
I'm not sure why then the Netgear switch has no issue with ping (or other) from the local subnet. How could the Netgear only display this issue over a VPN, if it is an issue with the Netgear switch?
(Off Topic: But that makes me think, the monitoring software has a remote network agent collector option, which can sit on the local LAN and send data to the remote side).
02-22-2013 01:43 PM
Is that the only device you can not reach when this happens? Have you tested if there may be other devices you are unable to reach as well?
02-23-2013 09:45 AM
Mohammad Ali, (Great name BTW!)
Similarly, I monitor a dozen or more devices over this VPN on the remote subnet that the Netgear switch is on, and only the Netgear has the issue.
02-22-2013 11:04 PM
Hi,
You have PFS enabled at the PIX, but not enabled at the router.
PIX: crypto map mymap 25 set pfs group2
Did you pay attention to this? This can cause issues as the peers won't match in phase 2 rekeying.
HTH
Mashal
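A small checker for the mismatch Mashal points out, added here as an example and not part of this thread: it parses the two crypto map entries as posted above (IOS indents its settings under one header, PIX repeats the map name on every line) and reports the phase 2 parameters that differ between the peers.

```python
import re

# Crypto map entries as posted in this thread (router side and PIX side), used as sample input.
IOS_MAP = """\
crypto map 3377 1 ipsec-isakmp
 set peer 66.XX.XX.XX
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 138
"""
PIX_MAP = """\
crypto map mymap 25 ipsec-isakmp
crypto map mymap 25 match address ipsectraffic_pdvcorp-ca_pstn
crypto map mymap 25 set pfs group2
crypto map mymap 25 set peer 184.XX.XX.XX
crypto map mymap 25 set transform-set ESP-3DES-SHA
crypto map mymap 25 set security-association lifetime seconds 86400 kilobytes 4608000
"""

# Phase 2 parameters that must agree on both peers, each with a regex over its 'set ...' line.
PHASE2_PARAMS = {
    "pfs": r"set pfs (\S+)",
    "transform_set": r"set transform-set (\S+)",
    "lifetime_seconds": r"set security-association lifetime seconds (\d+)",
}

def parse_crypto_map(text):
    """Extract phase 2 settings from either IOS (indented) or PIX (prefixed) crypto map lines."""
    settings = {key: None for key in PHASE2_PARAMS}
    for line in text.splitlines():
        # PIX repeats 'crypto map <name> <seq>' on every line; strip it so both styles look alike.
        line = re.sub(r"^\s*crypto map \S+ \d+ ", "", line).strip()
        for key, pattern in PHASE2_PARAMS.items():
            m = re.match(pattern, line)
            if m:
                settings[key] = m.group(1)
    return settings

def compare_peers(local, remote):
    """Return the phase 2 parameters that differ between two parsed crypto map entries."""
    return [f"{key}: local={local[key]} remote={remote[key]}"
            for key in PHASE2_PARAMS if local[key] != remote[key]]

if __name__ == "__main__":
    for issue in compare_peers(parse_crypto_map(IOS_MAP), parse_crypto_map(PIX_MAP)):
        print("MISMATCH", issue)
```

On the configs in this thread it reports only the PFS difference (group2 on the PIX, none on the router); transform set and SA lifetime already agree.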
02-23-2013 12:20 PM
Try issuing one command on the interface connected to the Netgear switch: arp timeout 30. See if this resolves your issue.
02-26-2013 04:08 PM
Mashal,
Thanks for catching this mis-configuration where I was only using PFS on one side. Although unrelated, see my separate reply (I had a VLAN issue). I've corrected this.
02-28-2013 06:36 PM
Well, I'm all wet. This is not a VPN issue, but an issue with the local subnet router (where the remote host pings the Netgear from). I "assumed" it was a VPN issue because I can ping it from hosts on the local subnet. The local subnet router can't ping the Netgear. There are some ARP debug entries that let me know I've got a VLAN / ARP or other issue. Thanks for your responsive help. I'll open a new discussion in a more appropriate group on the support forums.
470292: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/1
470293: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/0.6
Dan
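The two debug lines above are the clue that closed this thread, so here is a small parser for them, added as an example and not part of the original discussion: it reads IOS "IP ARP req filtered" lines and groups, per source host, the interfaces on which the router dropped its ARP as "wrong cable" (IOS uses that reason when the sender's IP is not in the subnet configured on the receiving interface, which is how a host on the wrong VLAN shows up).

```python
import re
from collections import defaultdict

# The two 'debug arp' lines Dan posted above, used here as sample input.
ARP_DEBUG = """\
470292: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/1
470293: *Feb 23 21:26:48.258: IP ARP req filtered src 192.168.10.8 000f.b53e.ce01, dst 192.168.10.1 0000.0000.0000 wrong cable, interface GigabitEthernet0/0.6
"""

# Field layout of an IOS 'IP ARP req filtered' debug line.
FILTERED_RE = re.compile(
    r"IP ARP req filtered src (?P<src_ip>\d+\.\d+\.\d+\.\d+) (?P<src_mac>[0-9a-f.]+), "
    r"dst (?P<dst_ip>\d+\.\d+\.\d+\.\d+) \S+ (?P<reason>[^,]+), interface (?P<iface>\S+)"
)

def parse_filtered_arp(text):
    """Parse every 'IP ARP req filtered' line into a dict of its fields; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FILTERED_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events

def hosts_on_wrong_cable(events):
    """Map each (src_ip, src_mac) whose ARP was dropped as 'wrong cable' to the interfaces involved.

    A host listed here is visible at layer 2 on those interfaces but its address does not belong
    to their subnet, so the router never builds an ARP entry for it: exactly the symptom in this
    thread, where LAN hosts could ping the Netgear but the router could not."""
    seen = defaultdict(list)
    for ev in events:
        if ev["reason"] == "wrong cable":
            seen[(ev["src_ip"], ev["src_mac"])].append(ev["iface"])
    return dict(seen)

if __name__ == "__main__":
    for (ip, mac), ifaces in hosts_on_wrong_cable(parse_filtered_arp(ARP_DEBUG)).items():
        print(f"{ip} ({mac}) ARP filtered as wrong cable on: {', '.join(ifaces)}")
```

A host that shows up on more than one interface, as 192.168.10.8 does here, is the case to chase first, since the same MAC reaching two router interfaces points at the VLAN assignment rather than at the switch itself.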