Remote VPN Client cannot ping certain IP

kevinshkong11
Level 1

My Cisco VPN client can establish the VPN tunnel with my office ASA5505 successfully but cannot ping certain IPs such as an internal server (10.100.194.6).

FIREWALL-1# ping 10.100.194.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.100.194.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

 

Why can't I ping certain IPs?

Please help.

 

Thank you.

 

Dinesh Moudgil
Cisco Employee

Hi Kevin,

Please run continuous pings from the VPN client to 10.100.194.6 and run the following command:

capture cap_test interface inside match ip host 10.100.194.6 host <vpn-clients-assigned-ip>

Send the output of "show capture cap_test"

Run "packet-tracer input inside icmp 10.100.194.6 8 0 <vpn-clients-assigned-ip> detailed"
Output of "show vpn-sessiondb detail filter name <username>"

Please refer to this link for more details on captures:
https://supportforums.cisco.com/document/6971/packet-capture-asapix-fwsm


Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Hi Dinesh,

Please find the output below.

FIREWALL-1# show capture cap_test
4 packets captured
   1: 11:44:38.724358 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   2: 11:44:43.724800 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   3: 11:44:48.719323 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   4: 11:44:53.721535 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request

 

FIREWALL-1# show vpn-sessiondb detail remote filter name admin

Session Type: Remote Detailed

Username     : admin
Index        : 1
Assigned IP  : 192.168.100.101        Public IP    : 210.195.190.218
Protocol     : IPSec                  Encryption   : 3DES
Hashing      : SHA1
Bytes Tx     : 112                    Bytes Rx     : 24000
Client Type  : WinNT                  Client Ver   : 5.0.07.0410
Group Policy : MISVPN
Tunnel Group : MISVPN
Login Time   : 11:15:48 MYT Mon May 26 2014
Duration     : 0h:43m:48s
Filter Name  :
NAC Result   : N/A
Posture Token:

IKE Sessions: 1
IPSec Sessions: 1


IKE:
  Session ID   : 1
  UDP Src Port : 49569                  UDP Dst Port : 500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 83772 Seconds
  D/H Group    : 2

IPSec:
  Session ID   : 2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 192.168.100.101/255.255.255.255/0/0
  Encryption   : 3DES                   Hashing      : SHA1
  Encapsulation: Tunnel
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 26169 Seconds
  Idle Time Out: 30 Minutes             Idle TO Left : 30 Minutes
  Bytes Tx     : 112                    Bytes Rx     : 24060
  Pkts Tx      : 4                      Pkts Rx      : 401

 

Thank you.

 

Regards

Kevin

 

Hi Kevin,



Checking the outputs of the captures, it is evident that there is some internal routing issue, as we can see the request packets coming from the VPN client but there is no reply packet from the server.

Please ensure the server has a route for the VPN subnet pointing to the firewall.
HTH.

 

Regards,

Dinesh Moudgil

PS: Please mark helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
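
Added example, not part of the original thread: a Python check that applies the reasoning in the final reply to the posted "show capture cap_test" output, counting ICMP echo requests and replies per client/server pair and flagging pairs that show requests on the inside interface but no replies. The function names are hypothetical; the sample lines are the ones posted in the thread.

```python
import re
from collections import defaultdict

# Capture lines copied from the "show capture cap_test" output in the thread.
SAMPLE = """\
4 packets captured
   1: 11:44:38.724358 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   2: 11:44:43.724800 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   3: 11:44:48.719323 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
   4: 11:44:53.721535 802.1Q vlan#1 P0 192.168.100.101 > 10.100.194.6: icmp: echo request
"""

# One packet line: index, timestamp, optional 802.1Q tag, "src > dst: icmp: echo <kind>".
LINE_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+(?:\.\d+){3}) > (?P<dst>\d+(?:\.\d+){3}): "
    r"icmp: echo (?P<kind>request|reply)"
)


def summarize(capture_text):
    """Count echo requests and replies per (client, server) pair."""
    flows = defaultdict(lambda: {"request": 0, "reply": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or non-ICMP-echo packet
        if m["kind"] == "request":
            pair = (m["src"], m["dst"])
        else:
            # A reply travels server -> client; file it under the same pair.
            pair = (m["dst"], m["src"])
        flows[pair][m["kind"]] += 1
    return dict(flows)


def one_way_flows(capture_text):
    """Pairs whose requests reached the interface but drew no replies."""
    return [pair for pair, count in summarize(capture_text).items()
            if count["request"] > 0 and count["reply"] == 0]


if __name__ == "__main__":
    for client, server in one_way_flows(SAMPLE):
        print(f"{client} -> {server}: requests seen, no replies; "
              f"check the return route for the VPN subnet on {server}")
```

A request-only result on the inside interface means the ASA forwarded the traffic, so the missing replies point at the server's return path rather than at the tunnel.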