site to site vpn icmp packets drops

egyptology
Level 1

Hi,

I am testing a site-to-site VPN between an ASA and a Cisco router with GNS3. The topology is basic and the tunnel is up, but when I ping the remote host from both sides there are ICMP drops. The show commands on both the router and the ASA don't show any drops. Below is a sample of the ping output when I try to ping the remote client. Any help is appreciated :)

 

topology snapshot is attached, also configs

Thanks

84 bytes from 10.20.20.5 icmp_seq=59 ttl=63 time=79.004 ms
10.20.20.5 icmp_seq=60 timeout
84 bytes from 10.20.20.5 icmp_seq=61 ttl=63 time=70.004 ms
10.20.20.5 icmp_seq=62 timeout
84 bytes from 10.20.20.5 icmp_seq=63 ttl=63 time=59.004 ms
10.20.20.5 icmp_seq=64 timeout
84 bytes from 10.20.20.5 icmp_seq=65 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=66 timeout
84 bytes from 10.20.20.5 icmp_seq=67 ttl=63 time=59.003 ms
10.20.20.5 icmp_seq=68 timeout
84 bytes from 10.20.20.5 icmp_seq=69 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=70 timeout
84 bytes from 10.20.20.5 icmp_seq=71 ttl=63 time=58.003 ms
10.20.20.5 icmp_seq=72 timeout
84 bytes from 10.20.20.5 icmp_seq=73 ttl=63 time=50.003 ms
10.20.20.5 icmp_seq=74 timeout
84 bytes from 10.20.20.5 icmp_seq=75 ttl=63 time=69.004 ms
10.20.20.5 icmp_seq=76 timeout
84 bytes from 10.20.20.5 icmp_seq=77 ttl=63 time=237.013 ms
10.20.20.5 icmp_seq=78 timeout
 

 

R1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: map, local addr 100.100.100.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.20.20.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.10.0/255.255.255.0/0/0)
   current_peer 100.100.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

 

 

ciscoasa#  sh crypto isakmp stats

Global IKEv1 Statistics
  Active Tunnels:              1
  Previous Tunnels:            1
  In Octets:                1384
  In Packets:                 12
  In Drop Packets:             0
  In Notifys:                  8
  In P2 Exchanges:             0
  In P2 Exchange Invalids:     0
  In P2 Exchange Rejects:      0
  In P2 Sa Delete Requests:    0
  Out Octets:               1576
  Out Packets:                13
  Out Drop Packets:            0
  Out Notifys:                16
  Out P2 Exchanges:            1
  Out P2 Exchange Invalids:    0
  Out P2 Exchange Rejects:     0
  Out P2 Sa Delete Requests:   0
  Initiator Tunnels:           1
  Initiator Fails:             0
  Responder Fails:             0
  System Capacity Fails:       0
  Auth Fails:                  0
  Decrypt Fails:               0
  Hash Valid Fails:            0
  No Sa Fails:                 0

Accepted Solutions

Poonam Garg
Level 3

Hi,

On router R1 you have given the default route as an exit interface. Instead of using the exit interface, change it to the next-hop IP address. It will solve the issue of ping drops.

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

ip route 0.0.0.0 0.0.0.0 100.100.100.1

 

HTH

"Please rate useful posts and mark the answer correct if it solves the issue."
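
Added example, not part of the original thread: a Python check that reads the ping sample and the R1 `show crypto ipsec sa` counters posted in the question and reports the loss ratio and which tunnel direction is short on packets. The function names are hypothetical, the sample lines are excerpts of the posted output, and the reading assumes the SA counters cover the same ping run.

```python
import re

# Excerpts of the output posted in the question (first six ping lines, SA counters).
PING_SAMPLE = """\
84 bytes from 10.20.20.5 icmp_seq=59 ttl=63 time=79.004 ms
10.20.20.5 icmp_seq=60 timeout
84 bytes from 10.20.20.5 icmp_seq=61 ttl=63 time=70.004 ms
10.20.20.5 icmp_seq=62 timeout
84 bytes from 10.20.20.5 icmp_seq=63 ttl=63 time=59.004 ms
10.20.20.5 icmp_seq=64 timeout
"""
IPSEC_SA_SAMPLE = """\
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 28, #pkts decrypt: 28, #pkts verify: 28
    #send errors 0, #recv errors 0
"""

def ping_loss(text):
    """Return (sent, lost) counted per icmp_seq from ping output lines."""
    results = {}
    for m in re.finditer(r"icmp_seq=(\d+)\s+(timeout|ttl=\d+)", text):
        results[int(m.group(1))] = (m.group(2) == "timeout")
    return len(results), sum(results.values())

def sa_counters(text):
    """Extract '#pkts <name>: <n>' and '#send/#recv errors <n>' counters."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts ([\w. ]+?): (\d+)", text)}
    for k, v in re.findall(r"#(send|recv) errors (\d+)", text):
        counters[f"{k} errors"] = int(v)
    return counters

def diagnose(ping_text, sa_text):
    """Compare end-to-end ping loss with the SA encaps/decaps balance."""
    sent, lost = ping_loss(ping_text)
    c = sa_counters(sa_text)
    enc, dec = c["encaps"], c["decaps"]
    if enc == dec:
        short = "balanced"
    elif enc < dec:
        short = "outbound"   # fewer packets encrypted out than decrypted in
    else:
        short = "inbound"    # fewer packets decrypted in than encrypted out
    return {"loss_ratio": lost / sent if sent else None,
            "encaps_to_decaps": enc / dec if dec else None,
            "short_direction": short, "errors": c["send errors"] + c["recv errors"]}
```

On the posted data the ping loss ratio and the encaps-to-decaps ratio are both 0.5 with zero send/recv errors, so the missing packets are on R1's outbound side of the tunnel, the same device whose default route the accepted answer changes.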

3 Replies

Many thanks Poonam, really appreciated.

Thanks, it's working.
