[c-nsp] ICMP "echo reply" packages received over IPsec tunnel don't reach IOS ping utility
Vinny Abello
vinny at abellohome.net
Mon May 20 18:16:18 EDT 2013
On , cnsp at marenda.net wrote:
>> Hi,
>>
>> I have an IPsec tunnel between Cisco 1841 and ZyXEL routers over public
>> Internet. I do not have access to ZyXEL router. According to "show
>> crypto session" IPsec tunnel is up and active. This IPsec tunnel
>> connects 192.168.157.0/24 and 192.168.136.0/24 networks over the
>> Internet. Now if I send an ICMP "echo request" message from Cisco
>> router to ZyXEL router, I will not receive an ICMP "echo reply":
>>
>> r1#ping 192.168.136.2 source 192.168.157.1 repeat 1
>>
>> Type escape sequence to abort.
>> Sending 1, 100-byte ICMP Echos to 192.168.136.2, timeout is 2 seconds:
>> Packet sent with a source address of 192.168.157.1 .
>> Success rate is 0 percent (0/1)
>> r1#
>>
>> ..but for some reason "packets in" and "packets out" counters in "sh
>> crypto engine accelerator statistic" output are incremented by two.
>> This should indicate that router received the ICMP "echo reply" and it
>> was processed by onboard VPN module. If I ping an IP address in
>> 192.168.136.0/24 network, which is not configured (for example
>> 192.168.136.123), then "packets in" and "packets out" counters in "sh
>> crypto engine accelerator statistic" are incremented by one. In
>> addition, if I configure an ACL to WAN interface on Cisco router, I can
>> see ingress ESP packets from this particular ZyXEL router. As I said,
>> it's on Cisco 1841 router and I'm using onboard hardware VPN module. IOS
>> image is c1841-advsecurityk9-mz.124-24.T6.bin. I checked the open
>> caveats and bugs for this particular IOS, but did not find anything.
>>
>> Any ideas what might cause such behavior? Or am I doing something
>> wrong?
>
> Enable ip flow ingress and ip flow egress on the c1841 to see
> the packets with sh ip cache flow (you need globally ip cef, of
> course), esp. src and dst ip addresses.
>
> Perhaps the zyxel NATs the packet to the remote router,
> or sends an icmp admin. prohibited back thru the vpn tunnel?
Something else to try as well: Create an access-list to define the
traffic patterns you are looking to validate. Then use debug ip packet
referencing that access-list to watch the packets in real time. If you
make the access-list broad enough to capture all ICMP types for the
source/destination, you could validate what you're receiving back in
response to the ICMP echo request.
> BTW, you could not ping a PIX's LAN interface thru vpn-tunnel,
> while it works fine between two cisco routers.
You can if you use the "management-access <ifname>" command. This is
very handy for monitoring purposes. This also allows management of the
device through a VPN tunnel if permitted. In addition, this allows you
to source a packet from that firewall interface to trigger a tunnel to
come up if it's part of the encryption domain. I've even seen it used
creatively to bring dynamic tunnels up by configuring an NTP server
across a tunnel. :) Not that any of this has anything to do with the
ZyXEL of course...
-Vinny
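As an added illustration (not configuration posted by anyone in this thread), here is how the two suggestions above would be typed on the 1841: the flow-cache setup from the earlier reply and the ACL-scoped `debug ip packet` Vinny describes. The WAN interface name (FastEthernet0/0), the ACL number (100) and the buffer size are assumptions; the addresses are the ones from the original question.

```cisco
! Added example, not from the thread. Assumptions: WAN is FastEthernet0/0,
! ACL 100 is free, 192.168.157.1 is the router's LAN address.
configure terminal
 ip cef
 ! Flow cache on the WAN side so "show ip cache flow" lists src/dst pairs
 interface FastEthernet0/0
  ip flow ingress
  ip flow egress
 exit
 ! All ICMP types in both directions between the two endpoints, so an
 ! ICMP unreachable (e.g. admin prohibited) is caught, not only echo-reply
 access-list 100 permit icmp host 192.168.157.1 host 192.168.136.2
 access-list 100 permit icmp host 192.168.136.2 host 192.168.157.1
 ! Send debug output to the buffer, not the console, to keep the session
 ! usable; the ACL keeps the volume down on a production router
 logging buffered 65536 debugging
 no logging console
end
! Watch only packets matching ACL 100, then reproduce the test ping
debug ip packet 100 detail
ping 192.168.136.2 source 192.168.157.1 repeat 1
undebug all
show logging | include 192.168.136.2
! Cross-check with the flow cache and the crypto counters from the question
show ip cache flow | include 192.168.136.2
show crypto engine accelerator statistic
```

Because the ping is sourced from the router's own address, the decrypted reply is handed to the process level, which is where `debug ip packet` sees it; a logged line with s=192.168.136.2 and d=192.168.157.1 therefore shows the reply did come back through the tunnel, while an ICMP type 3 from the ZyXEL in its place would support the admin-prohibited theory. If nothing matching ACL 100 is logged even though the crypto "packets in" counter still increments, the inbound ESP payload is something other than ICMP to 192.168.157.1 (for example a NATed or retranslated address), which is what the flow-cache output will then reveal.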