traceroute across a tunnel.

hanwucisco
Level 1

Server----------Gateway----Checkpoint======VPN Tunnel======ASA-----inside networks------my PC.

We were testing the ASA. From my PC doing a traceroute, I can get a response from the ASA and the server, but the two hops in between give no response. The ASA log says: "the decapsulated packet doesn't match the policy of the SA." But an RDP to the server seems to be fine.

Any idea?

Thanks,

Han

3 Replies

Marcin Latosiewicz
Cisco Employee

Han,

A lot of guesswork... let's try to sniff the traffic and see what ICMP unreachables are sent :-)
Later on we can compare them to crypto ACLs.

What the message means:

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4772678

Looks like you're receiving a packet encrypted with an SPI which is not matching the proxy IDs on your side.

Marcin

You know, one thing that confuses me is that the replying packets from both the server and the other two hops before it are supposed to be encrypted in the same fashion and by the same tunnel end, right? In what scenarios can you get the server reply and the two don't?

thanks,

Han

Hanwucisco,

In your LAN-to-LAN you probably have the proxy IDs configured for PC subnet to Server subnet. This means only traffic from the server to your client should traverse the tunnel.

In the traceroute the other end of the VPN link (the Checkpoint) is receiving the traceroute packet and the expiring TTL. It should generate an ICMP unreachable message. The ICMP message will be sourced from the Checkpoint itself and destined back to the PC. I am guessing that the Checkpoint is taking that ICMP message and sending it across the tunnel.

The ASA is receiving the packet, decrypting it, and noticing that the packet is sourced from the Checkpoint. Because the packet's source does not match the proxies negotiated, we think this is a security risk and drop the packet.

This is working correctly! If you wish to make traceroute work across the tunnel, you would need to include the Checkpoint's IP address to the PC subnet in the tunnel.

-Jay
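As an added illustration of the proxy-ID check Jay describes (this is example code, not from the thread, Cisco or Check Point), the Python model below walks a traceroute through the hops behind the tunnel, has each expiring hop answer with ICMP Time Exceeded from its own address, and then applies the ASA's post-decryption check that the inner packet fits one of the SA's negotiated (local, remote) pairs. All addresses are constructed placeholders; the thread gives none.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (the thread names no IPs).
PC_SUBNET = ip_network("10.1.0.0/24")        # ASA inside network holding "my PC"
SERVER_SUBNET = ip_network("10.2.0.0/24")    # network behind the Checkpoint
PC = ip_address("10.1.0.50")
SERVER = ip_address("10.2.0.10")
CHECKPOINT = ip_address("192.0.2.1")         # Checkpoint's own address
GATEWAY = ip_address("198.51.100.2")         # Gateway interface facing the Checkpoint

# Proxy IDs (crypto ACL) negotiated for the SA, seen from the ASA: (local, remote).
NARROW_PROXY_IDS = [(PC_SUBNET, SERVER_SUBNET)]
# Jay's fix: also allow the intermediate hops' own addresses toward the PC subnet.
WIDENED_PROXY_IDS = NARROW_PROXY_IDS + [
    (PC_SUBNET, ip_network(str(CHECKPOINT))),
    (PC_SUBNET, ip_network(str(GATEWAY))),
]


def decap_matches_sa(src, dst, proxy_ids):
    """ASA check after decryption: the inner packet's source must lie in the
    remote proxy ID and its destination in the local one for some pair."""
    return any(src in remote and dst in local for local, remote in proxy_ids)


def traceroute_replies(path, target):
    """Model the replies a traceroute toward `target` elicits along `path`
    (hops beyond the ASA). Each hop where the TTL expires answers with ICMP
    Time Exceeded sourced from its own address; the target answers itself."""
    replies = []
    for hop in path:
        if hop == target:
            replies.append((hop, "target reply"))
            break
        replies.append((hop, "icmp time-exceeded"))
    return replies


def classify_replies(proxy_ids):
    """Return {hop: 'pass' | 'drop'} as the ASA would treat each reply that the
    far end sent back through the tunnel. A 'drop' is what the log reports as
    'the decapsulated packet doesn't match the policy of the SA'."""
    verdicts = {}
    for hop, _kind in traceroute_replies([CHECKPOINT, GATEWAY, SERVER], SERVER):
        verdicts[str(hop)] = "pass" if decap_matches_sa(hop, PC, proxy_ids) else "drop"
    return verdicts


if __name__ == "__main__":
    print("narrow proxy IDs :", classify_replies(NARROW_PROXY_IDS))
    print("widened proxy IDs:", classify_replies(WIDENED_PROXY_IDS))
```

With the narrow proxy IDs only the server's reply passes, which is exactly the pattern Han saw; RDP is unaffected because the server's source address already matches.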