Tunnel Up, But Cannot Ping

JonCommins, Level 1

I set up a tunnel from an ASA called SALMONARM to a Cisco 1921 called PG-1921.

I bring up the tunnel by sending some "interesting traffic".

From PG-1921, I run show crypto isakmp sa, and an entry for the tunnel is present, with status ACTIVE.

I do the same on SALMONARM, and again the tunnel is present, with status MM_ACTIVE.

So far so good.

I try sending some pings from the inside of the SALMONARM network to the inside of the PG-1921 network.

The pings fail (time out).

I run show crypto ipsec sa peer <PG-1921-WAN-IP> on SALMONARM, and I see 0 encaps and 0 decaps.

This seems to suggest that the pings never leave the SALMONARM ASA.

I believe I've accounted for NAT exemption, and an ACL to allow traffic to the remote network from the internal one.

Here are the configs...
SALMONARM (ASA): http://pastebin.com/raw.php?i=vYDhfe3r
PG-1921 (Cisco 1921): http://pastebin.com/raw.php?i=L6aYhmc9

The tunnel is crypto map PG_TUNNEL_MAP 11 in the SALMONARM config, and crypto map SDM_CMAP_1 5 in the PG-1921 config.

What could I be missing?

Accepted solution: Mike Williams' second reply below (add "management-access inside" and ping from the ASA with "ping inside x.x.x.x").
4 Replies

Mike Williams, Level 5

Hi Jon,

The configs look pretty good. I would separate out the ISAKMP profiles so each crypto map entry corresponds to a different ISAKMP profile. Also add the "self-identity address" command under the profile.

Another thing, which I can't tell from your config, is whether the primary ISP is terminating the VPN tunnel. You need to make sure the egress ISP for the 10.45.0.0/16 traffic from the 1921 is the same ISP that is terminating the VPN tunnel.

Everything else looks fine to me.

Regards,

Mike

Hi William.

Yes, the traffic to 10.45.0.0, from the 1921, should be going out the primary ISP interface, the same interface the tunnel should be established over.

Hmm. Sounds like the problem happens before that point however: why is there no encaps on the tunnel at the ASA side when pinging from that side?

Do you have a router behind the ASA that could have bad routes in it? Are you pinging from the ASA itself or from a device behind it? Can you add the "management-access inside" command and try to ping from the asa using the "ping inside x.x.x.x" command and see if you get encaps then?

Thanks,

Mike

No, there are no routers behind the ASA.

Yes, I am pinging from the ASA itself, in the fashion ping inside 10.70.4.17.

Although, I hadn't run the command management-access inside. So, I ran it and tried to ping again.

And it seems that now I can ping across the tunnel!!

Thanks.
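
The ASA-side check sequence below is an added example, not part of the original thread and not taken from the posted configs. It assumes ASA 8.3-or-later CLI, the crypto map name and sequence number quoted above (PG_TUNNEL_MAP 11), the local network 10.45.0.0/16 and remote host 10.70.4.17 mentioned in the thread, and, as pure assumptions, a sample inside host 10.45.1.10, a remote network of 10.70.0.0/16, and a peer address of 198.51.100.5 from the documentation range. The point it adds to the thread: packet-tracer tells you whether a *host* behind the ASA would be encrypted, which is a separate question from whether the ASA can source its own pings through the tunnel, and "management-access inside" has a security side effect worth restricting.

```cisco
! --- 1. Would traffic from a host behind the ASA be encrypted? ---
! Simulates an ICMP echo (type 8, code 0) from an inside host to the remote
! host without sending a packet. Look for a phase reading
!   Type: VPN   Subtype: encrypt   Result: ALLOW
! A DROP in the NAT, ACCESS-LIST or ROUTE-LOOKUP phase points at NAT
! exemption, the interface ACL or routing on this side, not at the tunnel.
! (10.45.1.10 is an assumed sample host.)
packet-tracer input inside icmp 10.45.1.10 8 0 10.70.4.17 detailed

! --- 2. Pings sourced by the ASA itself ---
! Without management-access, a "ping inside" originated by the ASA is not
! pushed through the crypto map, so encaps stays at 0 even though the
! ISAKMP SA shows MM_ACTIVE. This is the fix the thread arrived at.
management-access inside
ping inside 10.70.4.17

! --- 3. Read the IPsec counters for this peer after the ping ---
! (198.51.100.5 is an assumed documentation-range peer address.)
show crypto ipsec sa peer 198.51.100.5
! #pkts encaps: 0 / #pkts decaps: 0 -> nothing on this side is selecting the
!     tunnel: policy, NAT exemption or route problem, or an ASA-sourced ping
!     without step 2
! #pkts encaps: N / #pkts decaps: 0 -> this side sends; the 1921 is not
!     replying, or its reply is leaving via the wrong ISP interface
! #pkts encaps: N / #pkts decaps: N -> traffic flows both ways

! --- 4. Limit what management-access inside exposes ---
! The same command lets ssh/http sessions arriving across the VPN terminate
! on the inside interface address. Pin the allowed sources to the hosts that
! actually manage the ASA rather than the whole remote network.
ssh 10.70.4.17 255.255.255.255 inside
http 10.70.4.17 255.255.255.255 inside
```

Run step 1 before touching anything else: if packet-tracer already shows the VPN encrypt phase, the crypto policy is sound and the only thing missing for an ASA-originated test ping is step 2. Note that only one interface can be designated with management-access, and that clearing the IPsec SA ("clear crypto ipsec sa peer 198.51.100.5") resets the counters if you want a clean reading after each change.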
