Unable to Ping IP across 2 IPsec Tunnels

mahesh18
Level 6

Hi Everyone,

Here is the setup:

Server1----Layer 2 switch---ASA1---L2 tunnel----ASA2----Layer2 tunnel----ASA3----Layer 2 Switch----Server2.

Server1 IP 10.31.2.83/28

Server2 IP 10.31.2.35/28

Server1 has its default gateway set to ASA1.

Server1 can ping ASA1 but cannot ping Server2.

ASA1 also cannot ping Server2.

ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
 

ASA2 can ping Server2:

ping 10.31.2.35
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
 

ASA2 can ping Server1:

ping 10.31.2.83
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.2.83, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
 

The ACL is allowing the traffic, the routing is there, and the crypto map is also allowing the traffic.

What else can I check?

Any help is appreciated.

 

Regards

Mahesh
2 Accepted Solutions

7 Replies

m.kafka
Level 4

I don't understand what you mean by "Layer 2 tunnel". Is it relevant for this issue?

Is IPsec involved?

Did you do any basic Layer 3 troubleshooting? Verifying routing information?

1) Does the ASA2 have 2 interfaces, one for each tunnel?

  • Does ASA2 have the following routes?
    • 10.31.2.80 255.255.255.240 towards ASA1
    • 10.31.2.32 255.255.255.240 towards ASA3

2) Does ASA2 have only one interface for both tunnels?

  • Do you have same-security-traffic permit intra-interface configured?
  • If IPsec is involved, do the crypto ACLs on ASA2 include
    • 10.31.2.80/28 -> 10.31.2.32/28 towards ASA3
    • 10.31.2.32/28 -> 10.31.2.80/28 towards ASA1

The following commands will help you on all three ASAs:

sh route

sh crypto map

sh crypto ipsec sa (look for packet counters on the SAs)

Best regards, MiKa

 

Hi Mika,

Yes, IPsec is involved.

How can I check and verify whether ASA2 has two interfaces or a single interface for each tunnel?

The ASA has subinterfaces.

No, this is not configured --- Do you have same-security-traffic permit intra-interface?

Yes, ASA2 has the following routes.

Yes, ASA2 includes the crypto ACL towards both ASA1 and ASA2.

Regards

Mahesh

 

Hi Mika,

You are the best. I figured out that the ASA was using the same interface for both tunnels.

After that I enabled same-security-traffic permit intra-interface.

As soon as I did this, the ping worked fine.

You saved my day.

Really appreciate your help.

Need to confirm the below:

So I am trying to understand this: ping traffic from ASA1 comes to ASA2 on, say, interface x; then

ASA2 checks the routing for the destination address in its routing table and finds that it has to go out via the same interface x, so ASA2 drops the ping packet, right???

 

Regards

 

Mahesh

Exactly,

if a packet has to go out the same interface it came in on, you need to have same-security-traffic permit intra-interface configured; otherwise the packet is dropped.

Rgds, MiKa
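To make the fix discussed in this thread concrete, here is a configuration sketch for the hub ASA (ASA2). It is an added example, not configuration from the original post. It assumes both IPsec tunnels terminate on a single interface named `outside`, that the ASA runs a release with `crypto ipsec ikev1` syntax (8.4 or later), and that ASA1 and ASA3 are reached through one upstream next hop; the peer and next-hop addresses (203.0.113.x, documentation range), the ACL names and the crypto map name are placeholders. The subnets are the ones from the thread. IKE policy and tunnel-group pre-shared keys are omitted.

```cisco
! ASA2 (hub) -- added example, not the poster's configuration.
! Assumptions (placeholders): single interface "outside" terminates both
! tunnels; ASA1 peer 203.0.113.1, ASA3 peer 203.0.113.3, upstream next hop
! 203.0.113.254. Subnets 10.31.2.80/28 (Server1) and 10.31.2.32/28 (Server2)
! are from the thread.

! 1) The fix: allow a flow to leave through the interface it arrived on.
!    Without this line ASA2 decrypts Server1's echo on "outside", looks up
!    10.31.2.35, finds the egress interface is also "outside" and drops it.
same-security-traffic permit intra-interface

! 2) Both protected subnets are routed out of "outside", so the decrypted
!    packet is matched against the crypto map again and re-encrypted
!    toward the other spoke.
route outside 10.31.2.80 255.255.255.240 203.0.113.254 1
route outside 10.31.2.32 255.255.255.240 203.0.113.254 1

! 3) Crypto ACLs must cover the spoke-to-spoke pair in BOTH directions:
!    the ACL for the ASA3 tunnel is the mirror image of the ACL for the
!    ASA1 tunnel. ASA1 and ASA3 need the matching mirror entries too.
access-list VPN-TO-ASA1 extended permit ip 10.31.2.32 255.255.255.240 10.31.2.80 255.255.255.240
access-list VPN-TO-ASA3 extended permit ip 10.31.2.80 255.255.255.240 10.31.2.32 255.255.255.240

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

crypto map OUTSIDE_MAP 10 match address VPN-TO-ASA1
crypto map OUTSIDE_MAP 10 set peer 203.0.113.1
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP 20 match address VPN-TO-ASA3
crypto map OUTSIDE_MAP 20 set peer 203.0.113.3
crypto map OUTSIDE_MAP 20 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE_MAP interface outside
```

To verify after the change, run `show crypto ipsec sa peer 203.0.113.3` on ASA2 while Server1 pings Server2: the encaps and decaps counters for the 10.31.2.80/28 to 10.31.2.32/28 SA should increase with each echo. `packet-tracer input outside icmp 10.31.2.83 8 0 10.31.2.35` on ASA2 shows phase by phase whether a flow entering and leaving `outside` is forwarded or dropped, which is a quick way to confirm the intra-interface setting before touching the tunnels.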

Many thanks

Mahesh

nehasingh1
Level 1

You can use a VPN to secure your internet connection, unblock internet censorship and hide your IP address.

 

What are you talking about?

All these tunnels are in our internal network.