Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
898
Views
0
Helpful
4
Replies

Unable to Ping through Site to Site VPN

Go to solution
nohara
Level 1
Level 1

‎10-03-2017 12:15 PM - edited ‎03-12-2019 04:35 AM

Hello,

I have a site to site vpn that has been setup about a few months ago. I just realized that the layer 3 switch connected to the ASA 5505 (Site A) is unable to ping a VLAN (229) that resides at Site B. I have two other switches that are trunked to this particular layer 3 switch and these two switch are able to ping VLAN 229 just fine. I don't understand why these two switch are able to ping 192.168.229.1 and the layer 3 switch is unable. When I do a traceroute from the layer 3 switch it takes me out to the internet and not through the VPN. Also when I'm at Site A and plug my laptop to a switchport that is in VLAN 234 I can ping VLAN 229 just fine and when I am at Site B I am able to ping VLAN 234 just fine. So I figure it has something to do with the ASA since my traceroute tells me that it's not going through the VPN.

 

Site A
Cisco ASA Inside Interface = 10.0.0.1/30
Switch 1 (Layer 3)
Interface to ASA = 10.0.0.2/30
VLAN 234 = 192.168.234.1/24
ip route 0.0.0.0 0.0.0.0 10.0.0.1

 

Site B
Switch 1 (Layer 3)
VLAN 229 = 192.168.229.1/24

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Meheretab Mengistu
Level 7
Level 7
In response to nohara

‎10-03-2017 12:35 PM

The switch knows how to reach VLAN 229; that is the reason you are able to PING it. However, when you run PING on a router, it uses the outside interface by default.
For the switch to reach to Radius server, source it with different interface (like int vlan 234). Here is the command:
ip radius source-interface vlan234

HTH,
Meheretab
HTH,
Meheretab

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Meheretab Mengistu
Level 7
Level 7

‎10-03-2017 12:24 PM

Hi,

It seems to me that the Layer 3 switch, which is directly connected to the ASA, is using its outside interface when you run ping. Please try to ping using different interface.
Example:-
ping 192.168.229.1 source vlan234

HTH,
Meheretab
HTH,
Meheretab
0 Helpful

Go to solution
nohara
Level 1
Level 1
In response to Meheretab Mengistu

‎10-03-2017 12:29 PM

Ok, that worked using an extended ping. However, my radius server resides on VLAN 229 (192.168.229.95) and that layer 3 switch does not know how to reach 229.95. Could it be a routing issue with the layer 3 switch?

0 Helpful

Go to solution
Meheretab Mengistu
Level 7
Level 7
In response to nohara

‎10-03-2017 12:35 PM

The switch knows how to reach VLAN 229; that is the reason you are able to PING it. However, when you run PING on a router, it uses the outside interface by default.
For the switch to reach to Radius server, source it with different interface (like int vlan 234). Here is the command:
ip radius source-interface vlan234

HTH,
Meheretab
HTH,
Meheretab
0 Helpful

Go to solution
nohara
Level 1
Level 1
In response to Meheretab Mengistu

‎10-03-2017 12:39 PM

You sir, are the man! Thanks!

0 Helpful
Customers Also Viewed These Support Documents