5 Replies Latest reply on Apr 2, 2015 11:53 AM by mick

    can't ping the other gateway connected via VPN

    dlazure New Member

      Hi

       

      I have 2 Adtran Netvanta 3448 connected via VPN over internet.

       

      3448 A : 192.168.123.254/24

      3448 B : 192.168.124.254/24

       

      3448A-192.168.123.254 can ping 3448B-192.168.124.254

      3448B-192.168.124.254 cannot ping 3448A-192.168.123.254

       

      This makes no sense to me.

      I have 4 IP phones at the remote site ( B ) and they are working fine.

      I need the ping to work for testing purposes.

       

      I attached the configuration of both devices.

       

      thanks

        • Re: can't ping the other gateway connected via VPN
          jayh Hall_of_Fame

          Is there at least one host on 3448A connected to a switchport? What does "sho int vlan 1" tell you on both devices?  Up/up?

           

          Also...

           

          1. Change your passwords.

          2. Configure "service password-encryption"

          3. Consider an ACL on both ssh and http to limit access to your own network.

          4. Consider shutting down telnet and http (not https).

            • Re: can't ping the other gateway connected via VPN
              dlazure New Member

              Yes.


                • Re: can't ping the other gateway connected via VPN
                  mick Visitor

                  Hi dlazure,

                   

                  Looking at your 3448B configuration, I don't think you need:

                   

                  ip access-list extended Allow_IPSEC_IN

                    permit ip host 69.70.12.174  any  

                   

                  Incoming VPN connections will still be established via port 500 UDP as long as VPN is enabled.  You may still need this ACL for other services, in which case you can leave it as is, or set up more specific ACLs to select relevant protocols and/or ports.

                   

                  Under your 'Private' APC you can set stateless processing for VPN traffic:

                  !

                  ip policy-class Private

                    allow list VPN-10-vpn-selectors1 stateless

                    allow list self self

                    nat source list wizard-ics interface eth 0/1 overload

                  !

                   

                  and under the 'Public' APC you can similarly set:

                   

                    allow reverse list VPN-10-vpn-selectors stateless

                  !

                  ip policy-class Public

                    allow reverse list VPN-10-vpn-selectors1 stateless

                    allow reverse list VPN-10-vpn-selectors1  <==This seems to be a duplicate entry, which you should remove

                    allow list web-acl-3 self

                    allow list Allow_IPSEC_IN self  <==This is not needed

                    allow list web-acl-4 self

                  !

                   

                  Then try pinging from 3448B a host which is known to return ICMP packets within the LAN of 3448A, and see if you are getting responses.  Then as Levi suggested, switch on debug for ICMP temporarily while you are pinging 3448A, if it still does not return pings.

                   

                  Hope this helps.

                  --

                  Regards,

                  Mick
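The two things Mick points out by eye (a second allow for the same selector list, and a VPN-selector allow that is not marked stateless) can be checked mechanically. The following is an added example, not code from this thread or from ADTRAN: a small Python lint over policy-class blocks as they appear in AOS running-config output. The sample config is constructed from the blocks quoted above, and the convention that VPN selector lists are named with a `VPN-` prefix is an assumption.

```python
import re
# Constructed sample, modelled on the policy-class blocks quoted in this thread (not the full config).
SAMPLE_CONFIG = """\
ip policy-class Private
  allow list VPN-10-vpn-selectors1 stateless
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors1 stateless
  allow reverse list VPN-10-vpn-selectors1
  allow list web-acl-3 self
  allow list Allow_IPSEC_IN self
!
"""

ALLOW_RE = re.compile(r"^allow (reverse )?list (\S+)(?: (.*))?$")

def parse_policy_classes(config_text):
    """Return {policy_class_name: [entry, ...]}; a lone '!' closes a block in AOS output."""
    classes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        header = re.match(r"^ip policy-class (\S+)$", line)
        if header:
            current = header.group(1)
            classes[current] = []
        elif line == "!" or not line:
            current = None
        elif current is not None:
            classes[current].append(line)
    return classes

def lint_policy_classes(classes, vpn_list_prefix="VPN-"):
    """Flag a repeated allow for the same (direction, ACL) and VPN-selector allows lacking 'stateless'."""
    findings = []
    for name, entries in classes.items():
        seen = set()
        for entry in entries:
            m = ALLOW_RE.match(entry)
            if not m:
                continue                        # nat and other statements are not checked here
            reverse, acl = bool(m.group(1)), m.group(2)
            stateless = "stateless" in (m.group(3) or "").split()
            if (reverse, acl) in seen:
                findings.append((name, "duplicate", entry))
            seen.add((reverse, acl))
            if acl.startswith(vpn_list_prefix) and not stateless:
                findings.append((name, "vpn-selector-not-stateless", entry))
    return findings
```

Run against the sample, the lint reports both of Mick's remarks on the Public class and nothing on Private.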

              • Re: can't ping the other gateway connected via VPN
                levi Employee

                dlazure:

                 

                There are multiple reasons you may be experiencing this issue.  First, change the policy-classes so the VPN selectors are allowed statelessly through the firewall.  Can you do source pings between the LANs on both sides?  If you do a debug ip icmp on the device that isn't replying, do you see matches?

                 

                Levi