[c-nsp] ICMP "echo reply" packages received over IPsec tunnel don't reach IOS ping utility
cnsp at marenda.net
cnsp at marenda.net
Mon May 20 14:31:15 EDT 2013
> Hi,
>
> I have an IPsec tunnel between Cisco 1841 and ZyXEL routers over public
> Internet. I do not have access to ZyXEL router. According to "show
> crypto session" IPsec tunnel is up and active. This IPsec tunnel
> connects 192.168.157.0/24 and 192.168.136.0/24 networks over the
> Internet. Now if I send an ICMP "echo request" message from Cisco
> router to ZyXEL router, I will not receive an ICMP "echo reply":
>
> r1#ping 192.168.136.2 source 192.168.157.1 repeat 1
>
> Type escape sequence to abort.
> Sending 1, 100-byte ICMP Echos to 192.168.136.2, timeout is 2 seconds:
> Packet sent with a source address of 192.168.157.1 .
> Success rate is 0 percent (0/1)
> r1#
>
> ..but for some reason "packets in" and "packets out" counters in "sh
> crypto engine accelerator statistic" output are incremented by two.
> This should indicate that router received the ICMP "echo reply" and it
> was processed by onboard VPN module. If I ping an IP address in
> 192.168.136.0/24 network, which is not configured(for example
> 192.168.136.123), then "packets in" and "packets out" counters in "sh
> crypto engine accelerator statistic" are incremented by one. In
> addition, if I configure an ACL to WAN interface on Cisco router, I can
> see ingress ESP packets from this particular ZyXEL router. As I said,
> its on Cisco 1841 router and I'm using onboard hardware VPN module. IOS
> image is c1841-advsecurityk9-mz.124-24.T6.bin. I checked the open
> caveats and bugs for this particular IOS, but did not find anything.
>
> Any ideas what might cause such behavior? Or am I doing something
> wrong?
Enable ip flow ingres and ip flow egres on the c1841 to see
the pakets with s hip cache flow (you need globally ip cef, of course),
esp. src and dst ip addresses.
Perhaps the zyxel NATtes the paket to the remote router,
Or sends an icmp admin. Prohibited back thru the vpn tunnel ?
BTW, you could not ping a PIX'es LAN Interface thru vpn-tunnel,
While it works fine between two cisco routers.
You know: real Routers , not "firewalls".
More information about the cisco-nsp
mailing list