[c-nsp] Pix to Pix IPSEC

Higham, Josh jhigham at epri.com
Tue Jun 6 10:47:51 EDT 2006


> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Laurent Geyer
> 
> On 6/5/06, Voll, Scott <Scott.Voll at wesd.org> wrote:
> >
> > I've set up a Pix to Pix - LAN to LAN IPSec tunnel between two sites.
> > I know the tunnel is up and I can Telnet to devices on the remote site
> > but ICMP traffic is not going through.  I can see ICMP traffic hitting
> > the ACL but I'm not getting any replies.  What could be the cause of this?
> 
> 
> Could be caused by using layer 4 operators on the match-address
> access-lists that define interesting VPN tunnel traffic. The
> access-list should be layer 3 only.

Do you have any references on this?  I've been using layer 4 selectors
for quite awhile (there is a warning about performance impacts, but it
is permitted).  There was even a bug in version 7.0.[1-3] that caused it
to fail, but was fixed by Cisco.

In any case, he can telnet so the IKE session is established and at
least some TCP traffic is passing.  At this point the problem is most
likely to be an ACL.

Verify that ICMP is not blocked on any interface, that it is not NATed
(assuming you aren't using NAT over the tunnel), and that your
interesting traffic ACL includes ICMP traffic.

Do a packet capture at the remote end and see if you see the ICMP
packet, and look at the ACL on the remote end and see if you get
counters for the echo-reply.

Thanks,
Josh
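The checks Josh lists (ICMP covered by the interesting-traffic ACL, traffic exempt from NAT) and Laurent's point about layer-4 selectors in the match-address ACL can be applied mechanically to a saved config. The script below is an added example written for this archive page; it is not from the thread and not a Cisco tool. It assumes PIX/ASA 7.x syntax for `access-list NAME extended permit ...`, `crypto map NAME SEQ match address ACL` and `nat (ifc) 0 access-list ACL`; the config fragment, ACL names and addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed PIX 7.x-style fragment (not from the thread). VPN_TO_REMOTE uses
# tcp/port selectors, VPN_FIXED is the layer-3-only form.
SAMPLE_CONFIG = """
access-list VPN_TO_REMOTE extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq telnet
access-list VPN_TO_REMOTE extended permit tcp 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0 eq 22
access-list VPN_FIXED extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list OUTSIDE_IN extended permit icmp any any echo-reply
nat (inside) 0 access-list NONAT
crypto map OUTSIDE_MAP 10 match address VPN_TO_REMOTE
crypto map OUTSIDE_MAP 20 match address VPN_FIXED
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)$")
CRYPTO_RE = re.compile(r"^crypto map\s+(\S+)\s+(\d+)\s+match address\s+(\S+)")
NAT_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
PORT_OPS = {"eq": 1, "gt": 1, "lt": 1, "neq": 1, "range": 2}  # operator -> operand count


@dataclass
class Ace:
    action: str
    proto: str
    src: object          # ip_network
    dst: object          # ip_network
    qualifiers: tuple    # port operators / icmp types, () when the ACE is plain layer 3


def _take_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK' (PIX uses netmasks, not wildcards)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    return ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_ports(tokens):
    """Consume an optional port operator such as 'eq telnet' or 'range 1 1024'."""
    if tokens and tokens[0] in PORT_OPS:
        n = 1 + PORT_OPS[tokens[0]]
        return tuple(tokens[:n]), tokens[n:]
    return (), tokens


def parse_acls(config):
    """Return {acl_name: [Ace, ...]} in configured order (first match wins on the PIX)."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _take_endpoint(tokens)
        sport, tokens = _take_ports(tokens)       # source port operator may precede the dst
        dst, tokens = _take_endpoint(tokens)
        dport, tokens = _take_ports(tokens)
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, sport + dport + tuple(tokens)))
    return acls


def crypto_match_acls(config):
    """Return {(map_name, seq): acl_name} for every 'match address' entry."""
    return {(m.group(1), int(m.group(2))): m.group(3)
            for m in (CRYPTO_RE.match(l.strip()) for l in config.splitlines()) if m}


def selects_icmp(aces, src_ip, dst_ip):
    """True if the ACL classifies an ICMP echo src->dst as interesting (tunnel) traffic."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for ace in aces:
        # tcp/udp ACEs can never match ICMP, so they are skipped rather than terminating
        if ace.proto in ("ip", "icmp") and s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def nat_exempt_covers(config, src_ip, dst_ip):
    """True if some 'nat (ifc) 0 access-list' entry exempts src->dst from translation."""
    acls = parse_acls(config)
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m and any(a.action == "permit" and s in a.src and d in a.dst for a in acls.get(m.group(1), [])):
            return True
    return False


def audit(config, src_ip, dst_ip):
    """Apply the thread's checks to every crypto-map match-address ACL; return findings."""
    acls, findings = parse_acls(config), []
    for (cmap, seq), name in sorted(crypto_match_acls(config).items()):
        aces = acls.get(name, [])
        if not aces:
            findings.append(f"{cmap} {seq}: match-address ACL {name} is empty or undefined")
            continue
        for ace in aces:
            if ace.proto != "ip" or ace.qualifiers:   # Laurent's point: crypto ACL should be layer 3 only
                findings.append(f"{cmap} {seq}: {name} ACE is not layer-3 only ({ace.proto} {' '.join(ace.qualifiers)})")
        if not selects_icmp(aces, src_ip, dst_ip):   # Josh's point: ICMP must be interesting traffic
            findings.append(f"{cmap} {seq}: {name} does not select ICMP {src_ip}->{dst_ip}; pings bypass the tunnel")
    if not nat_exempt_covers(config, src_ip, dst_ip):
        findings.append(f"no nat 0 exemption covers {src_ip}->{dst_ip}; tunnel traffic would be translated")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG, "10.1.1.10", "10.2.2.20"):
        print(f)
```

Run it against the PIX's `show running-config` output with a host address on each side; an empty result means the crypto ACL, ICMP coverage and NAT exemption all look right, and the remaining suspects are interface ACLs and the far-end counters Josh suggests checking with a capture.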


