08-18-2015 02:33 PM - edited 02-21-2020 08:24 PM
Hi Everyone,
Here is setup
Server1----Layer 2 switch---ASA1---L2 tunnel----ASA2----Layer2 tunnel----ASA3----Layer 2 Switch----Server2.
Server1 IP 10.31.2.83/28
Server2 IP 10.31.2.35/28
Server1 has its default gateway to ASA1
Server1 can ping ASA1 but cannot ping Server2.
ASA1 also cannot ping Server2.
ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
ASA2 can ping the Server2
ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA2 can ping the server1
ping 10.31.2.83
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ACL is allowing traffic, routing is there, crypto map is also allowing the traffic.
What else can I check?
Any help is appreciated.
Regards
Mahesh
08-19-2015 04:54 AM
I don't understand what you mean with Layer 2 tunnel. Is it relevant for this issue?
Is IPsec involved?
Did you do any basic Layer 3 troubleshooting? Verifying routing information?
1) Does the ASA2 have 2 interfaces, one for each tunnel?
2) Does ASA2 have only one interface for both tunnels?
The following command will help you on all three ASAs:
sh route
sh crypto map
sh crypto ipsec sa (look for packet counters on the SAs)
Best regards, MiKa
08-19-2015 07:24 AM
Hi Mika,
Yes IPsec is involved.
How can I check and verify if ASA2 has two interfaces or a single interface for the tunnels?
ASA has subinterfaces.
No, this is not checked --- Do you have same-security-traffic permit intra-interface?
Yes, ASA2 has the following routes.
Yes, ASA2 includes the crypto ACL towards both ASA1 and ASA2.
Regards
Mahesh
08-19-2015 08:32 PM
Hi Mika,
You are the best. I figured out that the ASA was using the same interface for both tunnels.
After that I enabled same-security-traffic permit intra-interface.
As soon as I did this, ping worked fine.
You saved my day.
Really appreciate your help.
I need to confirm the below:
So I am trying to understand this as: ping traffic from ASA1 comes to ASA2 on, say, interface x, then
ASA2 checks the routing for the destination address in its routing table and finds that it has to go via the same interface x, then ASA2 drops the ping packet, right?
Regards
Mahesh
08-20-2015 04:48 AM
Exactly,
if a packet has to go out the same interface it came in you need to have same-security-traffic permit intra-interface, otherwise the packet is dropped.
Rgds, MiKa
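As an added illustration of the fix MiKa describes (this is a constructed configuration, not the config from either poster's ASA): ASA2 terminates both site-to-site tunnels on one outside subinterface, so traffic decrypted from the ASA1 tunnel must be re-encrypted and sent back out the same interface toward ASA3. Peer addresses (192.0.2.x), interface names, transform-set and ACL names are assumptions. The last part shows the check a defender would want alongside the fix: once intra-interface traffic is permitted, decrypted VPN traffic still bypasses the interface ACL under the default sysopt connection permit-vpn, so spoke-to-spoke flows should be constrained with a vpn-filter.

```cisco
! Constructed example, not the thread's actual configuration.
! ASA2: one outside subinterface carrying both IPsec tunnels.
interface GigabitEthernet0/0.100
 vlan 100
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
! Interesting traffic: Server1 subnet (10.31.2.80/28) <-> Server2 subnet (10.31.2.32/28)
access-list VPN-TO-ASA1 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.80 255.255.255.240
access-list VPN-TO-ASA3 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240
!
! Both peers hang off the same crypto map on the same interface (assumed peer IPs).
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 192.0.2.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-ASA3
crypto map OUTSIDE_MAP 20 set peer 192.0.2.3
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE_MAP interface outside
!
! The line that was missing in the thread's original state. Without it, a packet
! that enters "outside" (decrypted from ASA1) and must leave "outside" again
! (re-encrypted toward ASA3) is dropped by the ASA.
same-security-traffic permit intra-interface
!
! Caveat: with the default "sysopt connection permit-vpn", decrypted VPN traffic
! is not checked against the outside interface ACL, so enabling hairpinning
! opens spoke-to-spoke reachability. Restrict it per tunnel with a vpn-filter
! (source = remote network, destination = local/other-spoke network).
access-list SPOKE-FILTER extended permit icmp 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240
access-list SPOKE-FILTER extended permit tcp 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240 eq 443
group-policy ASA1-POLICY internal
group-policy ASA1-POLICY attributes
 vpn-filter value SPOKE-FILTER
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 general-attributes
 default-group-policy ASA1-POLICY
!
! Verification (exec mode), in addition to the show commands MiKa listed:
!   show running-config same-security-traffic
!   packet-tracer input outside icmp 10.31.2.83 8 0 10.31.2.35
!   show crypto ipsec sa peer 192.0.2.3     (encaps counters should increase)
!   show asp drop                            (hairpin drops disappear after the fix)
```

The packet-tracer run is the quickest way to see the difference: before same-security-traffic permit intra-interface is configured it reports the hairpinned packet as dropped, and afterwards it shows the flow being decrypted on outside and re-encrypted out the same interface.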
08-20-2015 07:27 AM
Many thanks
Mahesh
08-19-2015 12:32 PM
You can use a VPN to secure your internet connection, unblock internet censorship and hide your IP address.
08-19-2015 02:08 PM
What are you talking about?
All these tunnels are in our internal network.