[c-nsp] ICMP "echo reply" packages received over IPsec tunnel don't reach IOS ping utility

Martin T m4rtntns at gmail.com
Mon May 20 13:46:28 EDT 2013


Hi,

I have an IPsec tunnel between Cisco 1841 and ZyXEL routers over
public Internet. I do not have access to ZyXEL router. According to
"show crypto session" IPsec tunnel is up and active. This IPsec tunnel
connects 192.168.157.0/24 and 192.168.136.0/24 networks over the
Internet. Now if I send an ICMP "echo request" message from Cisco
router to ZyXEL router, I will not receive an ICMP "echo reply":

r1#ping 192.168.136.2 source 192.168.157.1 repeat 1

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 192.168.136.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.157.1
.
Success rate is 0 percent (0/1)
r1#

...but for some reason the "packets in" and "packets out" counters in "sh
crypto engine accelerator statistic" output are incremented by two.
This should indicate that the router received the ICMP "echo reply" and it
was processed by the onboard VPN module. If I ping an IP address in the
192.168.136.0/24 network which is not configured (for example
192.168.136.123), then the "packets in" and "packets out" counters in "sh
crypto engine accelerator statistic" are incremented by one. In
addition, if I configure an ACL on the WAN interface of the Cisco router, I
can see ingress ESP packets from this particular ZyXEL router. As I
said, it's on a Cisco 1841 router and I'm using the onboard hardware VPN
module. The IOS image is c1841-advsecurityk9-mz.124-24.T6.bin. I checked
the open caveats and bugs for this particular IOS, but did not find
anything.

Any ideas what might cause such behavior? Or am I doing something wrong?


regards,
Martin
