02-25-2013 02:02 AM
Hi guys,
I've configured a site to site VPN between two routers, everything is working fine except pinging the internal (LAN) IP of one router.
Everything else is working fine: pinging the hosts through the tunnel in both directions.
The routers I'm using:
- 1841 IOS: 15.0(1)M3
- 2811 IOS: 15.0(1)M5 -> here is the problem. I can't ping the inside interface of this router.
I checked the ipsec sa counters and it seems that it doesn't send the packets back through the tunnel when I ping the LAN interface.
#pkts encaps isn't incrementing.
Has anyone had this issue before?
Thanks a lot.
Best regards
02-26-2013 02:49 AM
Even though I got this error:
%CRYPTO-6-IKMP_MODE_FAILURE: Processing of Main mode failed with peer at WAN_IP_Router_A
sh crypto isakmp sa shows the connection ACTIVE, as it should.
02-26-2013 03:00 AM
Try to modify that ACE in your crypto ACL, and put the exact /32 address of your backup-server instead of the whole subnet.
I.e.
permit ip host WAN_IP host BACKUP
02-26-2013 03:17 AM
I'll try that and let you know.
Thanks.
02-26-2013 04:34 AM
Hi Andrew,
Still the same issue: I cannot reach LAN_IP of Router B.
With the more specific ACL entries it is better, because the hosts can now reach each other over the VPN, but it seems it cannot send the ICMP replies over the tunnel, even if the WAN_IP is forced over the VPN.
On Router B there are still no SAs, only #send errors:
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 44, #recv errors 0
local crypto endpt.: WAN_B, remote crypto endpt.: WAN_A
path mtu 1500, ip mtu 1500, ip mtu idb Vlan100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Thanks.
02-26-2013 05:15 AM
Hi Andrew,
I think the problem is on the SA.
The traffic comes in over one SA (Backup_Server_IP .2.50 -> RouterB_IP 1.1) and now it must return over another SA (RouterB_WAN_IP -> Backup_Server_IP), and here it breaks.
What do you think?
02-26-2013 05:27 AM
Maybe yes, but I don't think that it should cause problems like this.
Listen, you're gonna do backup through that interface. For that, I assume, you'll use ssh or telnet. Right?
Did you try to ssh/telnet to the router's inside interface (without adding that ACE), or if you did, did you try to add the ip ssh/telnet source-interface command?
02-26-2013 05:38 AM
Yes, I've tried all of that. Still the same issue.
I also tried with tftp source-int and did a copy run tftp: it creates the file but doesn't write anything in it. It's empty.
I haven't found any bugs for this IOS (15.0.1M5).
Thanks.