dlazure
New Contributor III

can't ping the other gateway connected via VPN

Hi

I have 2 Adtran Netvanta 3448 connected via VPN over internet.

3448 A : 192.168.123.254/24

3448 B : 192.168.124.254/24

3448A-192.168.123.254 can ping 3448B-192.168.124.254

3448B-192.168.124.254 cannot ping 3448A-192.168.123.254

This makes no sense to me.

I have 4 IP phones at the remote site (B) and they are working fine.

I need the ping to work for testing purposes.

I attached the configurations of both devices.

thanks

jayh
Honored Contributor

Re: can't ping the other gateway connected via VPN

Is there at least one host on 3448A connected to a switchport? What does "sho int vlan 1" tell you on both devices?  Up/up?

Also...

1. Change your passwords.

2. Configure "service password-encryption"

3. Consider an ACL on both ssh and http to limit access to your own network.

4. Consider shutting down telnet and http (not https).

dlazure
New Contributor III

Re: can't ping the other gateway connected via VPN

Yes.

On Jan 28, 2015 at 7:30 PM, jayh <adtran@adtran.hosted.jivesoftware.com> wrote:


Is there at least one host on 3448A connected to a switchport? What does "sho int vlan 1" tell you on both devices? Up/up?


dlazure
New Contributor III

Re: can't ping the other gateway connected via VPN

any ideas?

Anonymous
Not applicable

Re: can't ping the other gateway connected via VPN

dlazure:

There are multiple reasons you may be experiencing this issue.  First, change the policy-classes so the VPN selectors are allowed statelessly through the firewall.  Can you do source pings between the LANs on both sides?  If you do a debug ip icmp on the device that isn't replying, do you see matches?

Levi

Re: can't ping the other gateway connected via VPN

Hi dlazure,

Looking at your 3448B configuration, I don't think you need:

ip access-list extended Allow_IPSEC_IN

  permit ip host 69.70.12.174 any

Incoming VPN connections will still be established via UDP port 500 as long as VPN is enabled.  You may still need this ACL for other services, in which case you can leave it as is, or set up more specific ACLs to select the relevant protocols and/or ports.

Under your 'Private' APC you can set stateless processing for VPN traffic:

!

ip policy-class Private

  allow list VPN-10-vpn-selectors1 stateless

  allow list self self

  nat source list wizard-ics interface eth 0/1 overload

!

and under the 'Public' APC you can similarly set:

  allow reverse list VPN-10-vpn-selectors stateless

!

ip policy-class Public

  allow reverse list VPN-10-vpn-selectors1 stateless

  allow reverse list VPN-10-vpn-selectors1  <==This seems to be a duplicate entry, which you should remove

  allow list web-acl-3 self

  allow list Allow_IPSEC_IN self  <==This is not needed

  allow list web-acl-4 self

!

Then try pinging from 3448B a host which is known to return ICMP packets within the LAN of 3448A, and see if you are getting responses.  Then as Levi suggested, switch on debug for ICMP temporarily while you are pinging 3448A, if it still does not return pings.

Hope this helps.

--

Regards,

Mick
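As an added example (not from this thread or from ADTRAN), a small Python lint that parses policy-class blocks in the syntax shown above and flags the two issues Mick points out: an entry duplicated apart from the stateless keyword, and a VPN-selector allow with no stateless variant. The config it runs on is a constructed sample modelled on the quoted 3448B classes, and matching VPN lists by the substring `vpn-selectors` is an assumption.

```python
import re

# Constructed sample in AOS policy-class syntax, modelled on the 3448B classes quoted above.
SAMPLE_CONFIG = """\
ip policy-class Private
  allow list VPN-10-vpn-selectors1
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1 stateless
  allow reverse list VPN-10-vpn-selectors1
  allow list Allow_IPSEC_IN self
!
"""

def _base(entry):
    """Entry with a trailing 'stateless' keyword stripped, for comparison."""
    return re.sub(r" stateless$", "", entry)

def parse_policy_classes(config):
    """Return {class_name: [entry, ...]} for every 'ip policy-class' block."""
    classes, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())              # collapse whitespace
        m = re.match(r"ip policy-class (\S+)$", line)
        if m:
            current = m.group(1)
            classes[current] = []
        elif line in ("", "!"):                   # '!' ends the block
            current = None
        elif current is not None:
            classes[current].append(line)
    return classes

def lint_policy_classes(classes, vpn_list_re=r"vpn-selectors"):
    """Flag entries duplicated apart from 'stateless', and VPN-selector allows
    that have no stateless variant (VPN traffic would then be stateful)."""
    findings = []
    for name, entries in classes.items():
        stateless = {_base(e) for e in entries if e.endswith(" stateless")}
        seen = set()
        for e in entries:
            key = _base(e)
            if key in seen:
                findings.append((name, "duplicate", e))
            elif e.startswith("allow") and re.search(vpn_list_re, e) and key not in stateless:
                findings.append((name, "vpn-not-stateless", e))
            seen.add(key)
    return findings
```

Run it over a `show running-config` capture instead of the sample to check both units before comparing the Private and Public classes by hand.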