
VPN route-based unable to ping remote IP

John Bautista
Level 1

Hi, I am currently encountering an issue with a route-based IPsec VPN. I cannot ping the remote IP or the remote tunnel. I have verified that no decaps are showing on the packets. I have already configured a static route between each site and still have no connectivity.

Crypto map tag: __vti-crypto-map-9-0-10, seq num: 65280, local addr: xxx.xxx.xxx.xxx

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: xxx.xxx.xxx.xxx


#pkts encaps: 1183, #pkts encrypt: 1183, #pkts digest: 1183
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1183, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: xxx.xxx.xxx.xxx/0, remote crypto endpt.: xxx.xxx.xxx.xxx/0
path mtu 1492, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: E2D1DD20
current inbound spi : 069A90C5
But when I run packet-tracer, it shows the traffic allowed on the LAN side.

packet-tracer input lan icmp 192.168.0.131 8 0 192.100.12.1

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.2 using egress ifc Site_B

Phase: 2
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: FLOW-EXPORT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: DEBUG-ICMP
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 340117277, packet dispatched to next module

Result:
input-interface: lan
input-status: up
input-line-status: up
output-interface: Site_B
output-status: up
output-line-status: up
Action: allow

 

18 Replies

Hi @tvotna, I actually ran the packet tracer and it's showing Drop. Does that mean the ISP is blocking ESP? If that is the case, I will contact my ISP to verify this issue.

SITE_A# packet-tracer input outside icmp 192.168.0.13 8 0 192.100.12.1 decrypted

*********************************************************************
WARNING: An existing decryption SA was not found. Please confirm the
IPsec Phase 2 SA or Anyconnect Tunnel is established.
*********************************************************************

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.2 using egress ifc Site_B

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: Site_B
output-status: up
output-line-status: up
Action: drop
Drop-reason: (vpn-context-expired) Expired VPN context

Hi @John Bautista, as both @tvotna and I said, check whether ESP is being dropped by taking a packet capture on both sides to confirm that ESP packets are sent and received.
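As an added illustration of the troubleshooting logic in this thread (not code from the original post or from Cisco), the Python below parses the direction counters out of `show crypto ipsec sa` output and classifies the symptom: the encaps-but-no-decaps pattern from the first post when only one side is available, and, when the peer's counters are in hand as well, which leg the loss sits on. The sample SA blocks are constructed to mirror the thread's numbers; the Site B counters are hypothetical, since the thread only shows Site A, and documentation addresses stand in for the masked peers.

```python
import re
from dataclasses import dataclass

# Constructed sample SA blocks modelled on the counters posted in the thread; not captured
# from a live device. Documentation addresses stand in for the masked xxx.xxx.xxx.xxx peers.
SITE_A_SA = """\
Crypto map tag: __vti-crypto-map-9-0-10, seq num: 65280, local addr: 203.0.113.10
  current_peer: 198.51.100.20
  #pkts encaps: 1183, #pkts encrypt: 1183, #pkts digest: 1183
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 0
  current outbound spi: E2D1DD20
  current inbound spi : 069A90C5
"""

# Constructed (hypothetical) far-side counters: the remote never decrypts anything, so the
# ESP from Site A is being lost in transit rather than dropped after decryption.
SITE_B_SA_NO_RX = """\
Crypto map tag: __vti-crypto-map-9-0-10, seq num: 65280, local addr: 198.51.100.20
  current_peer: 203.0.113.10
  #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 0
  current outbound spi: 069A90C5
  current inbound spi : E2D1DD20
"""

# Constructed (hypothetical) far-side counters: the remote decrypts Site A's packets but
# sends nothing back, which points at remote routing/ACL rather than the transit path.
SITE_B_SA_NO_RETURN = SITE_B_SA_NO_RX.replace(
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0",
    "#pkts decaps: 1183, #pkts decrypt: 1183, #pkts verify: 1183",
)


@dataclass
class SaCounters:
    peer: str
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    outbound_spi: str
    inbound_spi: str


def _grab(text, pattern, cast=str, default=None):
    """Return the first regex group of `pattern` found in `text`, converted with `cast`."""
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else default


def parse_sa_counters(text):
    """Extract the direction-relevant fields from one `show crypto ipsec sa` SA block."""
    return SaCounters(
        peer=_grab(text, r"current_peer:\s*(\S+)", default="unknown"),
        encaps=_grab(text, r"#pkts encaps:\s*(\d+)", int, 0),
        decaps=_grab(text, r"#pkts decaps:\s*(\d+)", int, 0),
        send_errors=_grab(text, r"#send errors:\s*(\d+)", int, 0),
        recv_errors=_grab(text, r"#recv errors:\s*(\d+)", int, 0),
        outbound_spi=_grab(text, r"current outbound spi:\s*([0-9A-Fa-f]+)", str.upper, ""),
        inbound_spi=_grab(text, r"current inbound spi\s*:\s*([0-9A-Fa-f]+)", str.upper, ""),
    )


def diagnose_one_side(sa):
    """Verdict from a single SA: which direction, if any, is carrying traffic."""
    if sa.encaps == 0 and sa.decaps == 0:
        return "idle"           # nothing is being selected into the tunnel: routes / selectors
    if sa.encaps > 0 and sa.decaps == 0:
        return "tx-only"        # we encrypt and send, nothing comes back (the thread's symptom)
    if sa.encaps == 0 and sa.decaps > 0:
        return "rx-only"        # peer reaches us, our return traffic is not entering the tunnel
    return "bidirectional"


def diagnose_both_sides(local, remote):
    """Combine both peers' counters to localise the loss, as the reply advises doing with captures."""
    findings = []
    # The SPI pair must cross-match or the two outputs describe different child SAs.
    if local.outbound_spi != remote.inbound_spi or local.inbound_spi != remote.outbound_spi:
        findings.append("spi-mismatch")
    if local.encaps > 0 and remote.decaps == 0:
        findings.append("esp-lost-local-to-remote")   # capture ESP (IP proto 50 / UDP 4500) on both outside interfaces
    if remote.encaps > 0 and local.decaps == 0:
        findings.append("esp-lost-remote-to-local")
    if remote.decaps > 0 and remote.encaps == 0:
        findings.append("remote-not-returning")       # remote sees our traffic; its return path is the problem
    if local.recv_errors or remote.recv_errors:
        findings.append("recv-errors")                # packets arrived but failed decrypt/verify
    return findings or ["healthy"]


if __name__ == "__main__":
    a = parse_sa_counters(SITE_A_SA)
    print("Site A alone:", diagnose_one_side(a))
    for label, text in (("no-rx", SITE_B_SA_NO_RX), ("no-return", SITE_B_SA_NO_RETURN)):
        print(f"Site A vs Site B ({label}):", diagnose_both_sides(a, parse_sa_counters(text)))
```

Reading the verdicts: tx-only on Site A together with zero decaps on Site B is the case where a capture for ESP (or UDP/4500 when NAT-T is in use) on both outside interfaces settles whether the transit path drops it; decaps climbing on Site B while its encaps stays at zero moves the question to how Site B routes return traffic into its VTI.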

sebt11tools
Level 1

Can you share the tunnel config?

Any update?

MHM