Cannot ping through VPN tunnel
Asif_Iqbal
Newbie ✭
Hello All,
I have created a S2S VPN using a PSK. Suppress Automatic VPN action rules is disabled.
The other party has access to the resources the VPN was created for. However, neither I nor the other party can ping any of the resources through the VPN. I cannot even ping the default router on the other side, which I have been told I should be able to do.
The VPN is set up as a network. I have created other VPNs and can successfully ping the various router and WAN IPs.
Any thoughts or pointers on this please?
Many thanks,
Category: Mid Range Firewalls
Answers
Packet capture. Do the ping packets arrive at the other side?
@Arkwright thanks for your reply. I have the below.
The packet capture does not see any traffic/packets for this - please see below.
I have set up the packet tracer as above to try and see the packets.
Thanks,
IME pinging from the firewall itself is not always reliable. I suggest you start a continuous ping from a client device and look out for that in the capture.
You can also check the Connection Monitor for a flow for the same.
@Arkwright yes I have a continuous ping running from my pc too which isn't showing anything in packet tracer either.
There is nothing showing in connection monitor for the WAN or the router IP on the other side.
Thanks,
ICMP is its own IP Type; it will not be matched by TCP or UDP.
@Arkwright many thanks, I can now see the packets are being forwarded - please see below.
@Arkwright I take it this means the ping request is leaving my side and is not reaching the destination or the destination is not responding?
Yes.
If you enable further advanced options in the capture I think you will be able to see the post-encrypted packets.
@Arkwright which of the options below is this please?
Thanks,
Hi @Asif_Iqbal ,
Enable all those options. After this we should see more details as @Arkwright mentioned.
@TonyA Thanks for this. I've run this but I am not seeing anything different. Only the forwarded packets.
Thanks,
Hi @Asif_Iqbal, you should be able to see more information, but it might be the way you have configured the Packet Monitor. Please use the following template, as you should get a better view/result:
Monitor filter tab:
Ether: IP
IP Type: ICMP
Destination: The destination ip you are trying to ping
Enable: Enable Bidirectional Address and Port Matching
All other check boxes, leave unticked
Display filter:
Leave fields blank and check all checkboxes at the bottom
Advanced monitor filter:
Check all boxes except: Restore original ports on SSL decrypted traffic.
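As an added example (not code from this thread or from SonicWall), the Python below models the monitor-filter semantics in the template above over a constructed capture: ICMP is IP protocol 1, so a TCP/UDP filter never shows a ping, and without bidirectional matching the echo reply is hidden. The IP addresses, the Packet record and the tunnel_side() rule are assumptions for illustration.

```python
from dataclasses import dataclass

# IANA IP protocol numbers: ICMP is its own IP type, distinct from TCP/UDP.
ICMP, TCP, UDP = 1, 6, 17

@dataclass(frozen=True)
class Packet:
    src: str     # source IP
    dst: str     # destination IP
    proto: int   # IP protocol number
    status: str  # capture status column, e.g. "Forwarded", "Dropped"

def matches(pkt, ip_types, target, bidirectional):
    """Monitor filter: Ether=IP, IP Type in ip_types, Destination=target.
    'Bidirectional Address and Port Matching' also shows the reply,
    i.e. packets whose source is the target."""
    if pkt.proto not in ip_types:
        return False
    return pkt.dst == target or (bidirectional and pkt.src == target)

def filter_capture(capture, ip_types, target, bidirectional=True):
    return [p for p in capture if matches(p, ip_types, target, bidirectional)]

def classify_ping(shown, pinger, target):
    """What a filtered capture says about a ping from pinger to target."""
    req = any(p.src == pinger and p.dst == target and p.proto == ICMP for p in shown)
    rep = any(p.src == target and p.dst == pinger and p.proto == ICMP for p in shown)
    if req and rep:
        return "request+reply"          # ICMP flowing both ways
    return "request only" if req else "no packets"  # no reply seen / wrong filter or not sent

def tunnel_side(out_before, out_after):
    """SA-counter rule from the thread: if the tunnel's Out byte counter
    does not grow during a continuous ping, the echo never entered the
    tunnel, so the fault is on the local side."""
    return "local" if out_after <= out_before else "remote or in transit"

# Constructed sample capture (not from the thread): one echo request,
# its reply, and an unrelated TCP packet to the same remote host.
PINGER, TARGET = "192.168.1.10", "10.20.0.1"
CAPTURE = [
    Packet(PINGER, TARGET, ICMP, "Forwarded"),
    Packet(TARGET, PINGER, ICMP, "Forwarded"),
    Packet(PINGER, TARGET, TCP, "Forwarded"),
]

if __name__ == "__main__":
    print(classify_ping(filter_capture(CAPTURE, {TCP, UDP}, TARGET), PINGER, TARGET))
    print(classify_ping(filter_capture(CAPTURE, {ICMP}, TARGET), PINGER, TARGET))
```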
@TonyA Thanks for the update. I have done as suggested and still only see the forwarded packets and no other information. The ping is stating "Request timed out", please see below. I'll contact the third party to check whether they have ping enabled/disabled for this network, although I was told the IP I was given was pingable.
Thanks,
You need to get them to do the same as you - do they see your packets in a packet capture at their end?
Do the byte counters increment on the SA when you're pinging?
@Arkwright - thanks for the update, I'll ask the third party to check their side too. The only size I can see increasing is the ICMP Checksum as below.
Thanks,
SA counters are on the Active Tunnels tab, then you have to click on the rectangle-with-horizontal-lines icon to get the stats. This is only any use as a diagnostic if there is no other traffic on the tunnel than the traffic you're interested in, which can be tricky to achieve!
I just noticed the NAT column is valued in your packet capture. Are you intentionally NATing across this tunnel?
@Arkwright Ah yes, sorry, I was misunderstood. Yes, I have packets in and out but not increasing when running a ping.
Thanks,
If you are continuously pinging something across a tunnel and the Out counters are not incrementing, then the problem is at your end.
@Arkwright ah OK, I am wondering could it be the way I have set up the VPN? I have this as LAN to VPN for outgoing and VPN to LAN for incoming. As I have said, the third party has access to all they need to monitor what they need to monitor, and this is working for them.
Thanks,
NAT is not default for site-site VPN, so this will be down to the configuration.