Solved

Cannot ping remote host through vpn tunnel.

Posted on 2009-02-20
14
Medium Priority
649 Views
Last Modified: 2012-08-14
Hi all,

For some reason I cannot ping any machines on the other side of my VPN tunnel.

I see phase 1 and 2 completed in the logs, but it's impossible to ping.

So the VPN tunnel is up, but it's impossible to ping.

I also do not see any packets going out encapsulated or encrypted:

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 135, #pkts decrypt: 135, #pkts verify 135
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0


ProcessiaL2L(config)# show run
: Saved
:
PIX Version 6.3(5)
interface ethernet0 10full
interface ethernet1 10full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password Xth3UATCgaaO0eNg encrypted
passwd Xth3UATCgaaO0eNg encrypted
hostname  
domain-name  
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
  
access-list inside_outbound_nat0_acl permit ip 192.168.15.0 255.255.255.0 138.21.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 192.168.10.0 255.255.255.0 138.21.0.0 255.255.0.0
access-list outside_cryptomap_140 permit ip 192.168.15.0 255.255.255.0 138.21.0.0 255.255.0.0
pager lines 24
logging on
logging standby
logging console notifications
logging buffered warnings
logging trap debugging
logging host inside 192.168.10.68 format emblem
logging host inside 192.168.10.62
mtu outside 1500
mtu inside 1500
ip address outside 206.162.157.4 255.255.255.248
ip address inside 192.168.15.2 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 138.21.0.0 255.255.0.0 outside
pdm location 192.168.10.0 255.255.255.0 inside
pdm location 192.168.10.66 255.255.255.255 inside
pdm location 192.168.10.68 255.255.255.255 inside
pdm location 192.168.10.62 255.255.255.255 inside
pdm location 138.21.0.0 255.255.255.248 outside
pdm logging informational 512
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
rip inside passive version 2
route outside 0.0.0.0 0.0.0.0 206.162.157.1 1
route outside 138.21.0.0 255.255.255.248 206.162.157.4 1
route inside 192.168.10.0 255.255.255.0 192.168.15.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.15.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.10.62 PIX
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-l2tp
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 140 ipsec-isakmp
crypto map outside_map 140 match address outside_cryptomap_140
crypto map outside_map 140 set peer XXX.XXX.XXX.XXX
crypto map outside_map 140 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address XXX.XXX.XXX.XXX netmask 255.255.255.255 no-xauth no-config-mode
isakmp nat-traversal 20
isakmp policy 120 authentication pre-share
isakmp policy 120 encryption 3des
isakmp policy 120 hash sha
isakmp policy 120 group 2
isakmp policy 120 lifetime 86400
telnet 192.168.15.0 255.255.255.0 inside
telnet 192.168.10.0 255.255.255.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
dhcpd address 192.168.15.3-192.168.15.254 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
username admin password tfmO/f0ZXm8//aJD encrypted privilege 15
terminal width 80
banner motd Welcome to Processia
Cryptochecksum:60230fa599cb1cafbf2b4d61d5db8a2a
: end
ProcessiaL2L(config)#


0
Comment
Question by:maxalarie
14 Comments
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23695861
What IP are you trying to ping and from what IP?
0
 
LVL 2

Author Comment

by:maxalarie
ID: 23695929
Trying to ping 138.21.99.254 from the PIX 192.168.15.2.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23695946
When trying from the PIX, you need to do the following:

ping inside 138.21.99.254
0

 
LVL 2

Author Comment

by:maxalarie
ID: 23695961
Yeah, I did that, but it's not working either. I cannot ping and the other side cannot ping me. But the IKE and IPsec tunnel is up.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23695972
Can you post a "show cry isa sa" and "show cry ipsec sa"?
0
 
LVL 2

Author Comment

by:maxalarie
ID: 23695977
I have this error in the log:
02-20-2009      15:43:08      Local4.Info      192.168.15.2      %PIX-6-110001: No route to 138.21.99.254 from 192.168.15.2

Here are my routes:
 outside 0.0.0.0 0.0.0.0 206.162.157.1 1 OTHER static
 outside 138.21.0.0 255.255.0.0 206.162.157.4 1 OTHER static
 inside 192.168.10.0 255.255.255.0 192.168.15.1 1 OTHER static
 inside 192.168.15.0 255.255.255.0 192.168.15.2 1 CONNECT static
 outside 206.162.157.0 255.255.255.248 206.162.157.4 1 CONNECT static


0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23695984
Do this:

conf t
no route outside 138.21.0.0 255.255.255.248 206.162.157.4 1
route outside 138.21.0.0 255.255.0.0 206.162.157.1
0
 
LVL 2

Author Comment

by:maxalarie
ID: 23695994
Sure, here it is:


(config)# show cry isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   206.162.157.4    166.63.199.53    QM_IDLE         0           1
 
 
 
show cry ipsec sa
 
 
interface: outside
    Crypto map tag: outside_map, local addr. 206.162.157.4
 
   local  ident (addr/mask/prot/port): (192.168.15.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (138.21.0.0/255.255.0.0/0/0)
   current_peer: 166.63.199.53:4500
     PERMIT, flags={origin_is_acl,transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 319, #pkts decrypt: 319, #pkts verify 319
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
 
     local crypto endpt.: 206.162.157.4, remote crypto endpt.: 166.63.199.53
     path mtu 1500, ipsec overhead 64, media mtu 1500
     current outbound spi: dac8dd4c
 
     inbound esp sas:
      spi: 0xd3e2220(222175776)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 1, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4607974/1765)
        IV size: 8 bytes
        replay detection support: Y
 
 
     inbound ah sas:
 
 
     inbound pcp sas:
 
 
     outbound esp sas:
      spi: 0xdac8dd4c(3670596940)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4608000/1765)
        IV size: 8 bytes
        replay detection support: Y
 
 
     outbound ah sas:
 
 
     outbound pcp sas:


0
 
LVL 2

Author Comment

by:maxalarie
ID: 23696051
The

conf t
no route outside 138.21.0.0 255.255.255.248 206.162.157.4 1
route outside 138.21.0.0 255.255.0.0 206.162.157.1

does not seem to have any effect.
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23696078
Try this also:

conf t
no isakmp nat-traversal 20

If it still doesn't work, do a "clear cry isa" and try again.  If it still doesn't work, do a "wr mem" and a "reload" to reboot the PIX and try again.
0
 
LVL 2

Author Comment

by:maxalarie
ID: 23696210
It does not work either...

ProcessiaL2L(config)# no isakmp nat-traversal 20
ProcessiaL2L(config)# ping 138.21.99.254
        138.21.99.254 NO response received -- 1000ms
        138.21.99.254 NO response received -- 1000ms
        138.21.99.254 NO response received -- 1000ms
ProcessiaL2L(config)# clear cry isa
ProcessiaL2L(config)# ping 138.21.99.254
        138.21.99.254 NO response received -- 1000ms
        138.21.99.254 NO response received -- 1000ms
        138.21.99.254 NO response received -- 1000ms
ProcessiaL2L(config)#
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 23696607
Well, like I first said, you need to use the "inside" keyword in the ping:

ping inside 138.21.99.254
        ^^^^^
0
 
LVL 2

Author Comment

by:maxalarie
ID: 23710500
Yeah, I tried it many times, and it did not work either. :(
0
 
LVL 43

Accepted Solution

by:JFrederick29 earned 2000 total points
ID: 23711047
Can you try from a PC on the 192.168.15.x subnet?
0
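An added example, not from the thread or from Cisco, that turns the checks JFrederick29 walks through into a script: given the crypto ACL, nat 0 ACL and static routes copied from the posted show run, it reports why a given source/destination pair would stay out of the tunnel (not matched by the crypto ACL, not NAT-exempt, routed out the wrong interface, or routed at the PIX's own address), and it classifies the encaps/decaps counters from show cry ipsec sa. Only the address and interface constants come from the posted config; the function names and wording are this example's own.

```python
import ipaddress
import re

# Constructed from the posted configuration; names are this example's own.
CRYPTO_ACL = [("192.168.15.0/24", "138.21.0.0/16")]
NAT0_ACL = [("192.168.15.0/24", "138.21.0.0/16"), ("192.168.10.0/24", "138.21.0.0/16")]
ROUTES = [("outside", "0.0.0.0/0", "206.162.157.1"),          # (iface, prefix, nexthop)
          ("outside", "138.21.0.0/29", "206.162.157.4"), ("inside", "192.168.10.0/24", "192.168.15.1")]
OWN_ADDRS = {"206.162.157.4", "192.168.15.2"}   # the PIX's own outside/inside addresses
CRYPTO_MAP_IFACE = "outside"                     # "crypto map outside_map interface outside"

def acl_match(acl, src, dst):
    """True if the src/dst pair falls inside some permit entry of the ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(a) and d in ipaddress.ip_network(b) for a, b in acl)

def best_route(routes, dst):
    """Longest-prefix match; returns (iface, prefix, nexthop) or None."""
    d = ipaddress.ip_address(dst)
    hits = [r for r in routes if d in ipaddress.ip_network(r[1])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[1]).prefixlen, default=None)

def check_path(src, dst):
    """Findings that would keep src->dst traffic out of the tunnel (empty = looks fine)."""
    findings = []
    if not acl_match(CRYPTO_ACL, src, dst):
        findings.append("not in crypto ACL: forwarded in the clear, never encrypted")
    if not acl_match(NAT0_ACL, src, dst):
        findings.append("not NAT-exempt: source is PATed before the crypto ACL is checked")
    route = best_route(ROUTES, dst)
    if route is None:
        findings.append("no route to destination")
    elif route[0] != CRYPTO_MAP_IFACE:
        findings.append(f"route exits {route[0]} but the crypto map is on {CRYPTO_MAP_IFACE}")
    elif route[2] in OWN_ADDRS:
        findings.append(f"route {route[1]} points at the PIX's own address {route[2]}")
    return findings

def sa_direction(show_ipsec_sa):
    """Read 'show cry ipsec sa' counters: encaps = we send, decaps = the peer sends."""
    enc = int(re.search(r"#pkts encaps: (\d+)", show_ipsec_sa).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", show_ipsec_sa).group(1))
    if enc == 0 and dec > 0:
        return "one-way: peer encrypts, local side never does; look at local routing/ACLs"
    if enc > 0 and dec == 0:
        return "one-way: local side encrypts, nothing comes back; look at the remote side"
    return "two-way" if enc and dec else "no traffic in either direction"
```

Run against the posted values, the /29 route is flagged only for destinations it actually covers (138.21.0.0 to 138.21.0.7), while 138.21.99.254 falls through to the default route; the 192.168.10.0/24 subnet is NAT-exempt but absent from the crypto ACL.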

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question