02-25-2013 02:02 AM
Hi guys,
I've configured a site-to-site VPN between two routers, and everything is working fine except pinging the internal (LAN) IP of one router.
Everything else is working fine: pinging the hosts through the tunnel in both directions.
The routers I'm using:
- 1841 IOS: 15.0(1)M3
- 2811 IOS: 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.
I checked the IPsec SA counters and it seems that it doesn't send the packets back through the tunnel when I ping the LAN interface.
#pkts encaps isn't incrementing.
Has anyone had this issue before?
Thanks a lot.
Best regards
02-25-2013 10:53 PM
Has anybody had this problem before?
Thanks.
02-25-2013 11:14 PM
I think that happens because when the router responds to an ICMP request it puts its outside interface IP (not the IP of the inside interface, which you're trying to ping) as the source of the packet. So the ICMP response doesn't go into the tunnel, 'cause the router's outside interface IP address isn't included in the crypto ACL.
The solution to this, if it's a correct guess, is to add the router's outside IP to the crypto ACL.
02-25-2013 11:21 PM
That did it.
Thanks!
02-25-2013 11:46 PM
Hi Andrew,
thanks for the reply.
It worked for a second but now it doesn't anymore.
#send errors is incrementing when I ping the LAN interface.
Here is the crypto ACL:
Router A
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 host WAN_IP
Router B -> here I get #send errors when I ping it from the other side.
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip host WAN_IP 192.168.2.0 0.0.0.255
I also got on Router B:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at WAN_IP_Router_A
Any ideas?
Thanks.
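To make the crypto-ACL reasoning in this thread checkable, here is a small parser added by the editor (not code from any poster or from Cisco). It reads the two ACLs posted above, tells you which ACE a given source/destination pair would hit (so you can see whether a reply sourced from the outside address matches anything), and reports ACEs that lack an exact mirror on the other router. The WAN_IP placeholder is substituted with a constructed documentation-range address.

```python
import ipaddress

# Constructed stand-in for the thread's WAN_IP placeholder (Router B's outside address).
WAN_IP = "203.0.113.10"

# Crypto ACLs exactly as posted in the thread.
ROUTER_A_ACL = """
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 host WAN_IP
"""
ROUTER_B_ACL = """
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip host WAN_IP 192.168.2.0 0.0.0.255
"""

def _addr_spec(tokens):
    """Consume one IOS address spec ('host X', 'any' or 'X WILDCARD'); return (network, rest)."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask; invert it back before building the network.
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(src_net, dst_net)] for each 'permit ip' ACE, in order."""
    entries = []
    for line in text.replace("WAN_IP", WAN_IP).strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, rest = _addr_spec(tokens[2:])
        dst, _ = _addr_spec(rest)
        entries.append((src, dst))
    return entries

def matching_entry(entries, src_ip, dst_ip):
    """Index of the first ACE a src/dst pair hits, or None (the packet would stay clear-text)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, (src, dst) in enumerate(entries):
        if s in src and d in dst:
            return i
    return None

def unmirrored(acl_a, acl_b):
    """ACEs on A with no src/dst-swapped twin on B; crypto ACLs must be mirror images."""
    mirrors = {(dst, src) for src, dst in acl_b}
    return [ace for ace in acl_a if ace not in mirrors]
```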
02-25-2013 11:55 PM
Try clearing all crypto isakmp/ipsec SAs and reestablish the tunnel.
02-26-2013 12:16 AM
Still the same. No SAs are created. I realized that the hosts aren't pingable anymore.
If I remove the entry from the crypto ACL, everything is working fine.
From Router B:
#send errors 26, #recv errors 0
local crypto endpt.: WAN_ROUTER_B, remote crypto endpt.: WAN_ROUTER_A
path mtu 1500, ip mtu 1500, ip mtu idb Vlan100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks.
02-26-2013 01:17 AM
From where are you pinging the inside interface of the router? From Router A or from any host?
02-26-2013 01:30 AM
From both.
02-26-2013 02:18 AM
If you are pinging from the router then you will have to ping using the source interface command.
If you are on a host, check that the host's GW is the router's inside interface IP.
Do Rate Helpful posts
02-26-2013 02:20 AM
Yes, I do an extended ping.
Yes, the GW is OK.
Thanks.
02-26-2013 02:28 AM
Post Config
02-26-2013 02:30 AM
of both Routers
02-26-2013 02:34 AM
Cristian, I don't know why, but if you say that no SA is established, it seems like after you add that line to the crypto ACLs, the routers can't agree on the new crypto ACLs and don't establish SAs. Try to debug ISAKMP/IPsec and see why this is happening.
And, by the way, why do you need to be able to ping that inside interface from the subnet behind the site A gateway?
02-26-2013 02:44 AM
Hi Andrew,
The ISAKMP is OK; the IPsec goes wrong somewhere.
I got this:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at WAN_IP_Router_A
What is even stranger is that the traffic between the two sites doesn't go through the tunnel anymore when I add the ACL entries.
I'd like to back up the config with CatTools over the VPN. For this I need access to the LAN interface.
Thanks.