IPSec VPN - ping from local network to remote site request timed out

I have established an IPSec connection over the internet, and I try to ping a remote host from my side (branch).

Ping request times out.

I have 2 rules: from local to VPN

and from VPN to local,

but I am still unable to ping the remote network.



  • Amr,

    Use tcpdump "icmp" while you try to ping the remote network and post the result.

    Regards

  • console> tcpdump 'host 10.201.0.11 and proto ICMP'
    tcpdump: Starting Packet Dump
    09:38:33.565329 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6920, length 40
    09:38:38.564948 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6921, length 40
    09:38:43.564193 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6922, length 40
    09:38:48.565124 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6923, length 40
    09:38:53.562339 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6924, length 40
    09:38:58.564700 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6925, length 40
    09:39:03.564356 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6926, length 40
    09:39:08.563259 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6927, length 40
    09:39:13.565121 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6928, length 40
    ^C
    9 packets captured
    12 packets received by filter
    0 packets dropped by kernel

    192.168.1.43 local network

    10.201.0.11 remote server 

  • Thanks Amr.

    Use traceroute to understand where the traffic is going. I guess you have an asymmetric routing issue.

  • Do I need to add a static route for the local network and remote network?

    And how do I traceroute from the local network to the remote one on Sophos?

    tracert 10.201.0.11

    Tracing route to 10.201.0.11 over a maximum of 30 hops

    1 <1 ms <1 ms <1 ms 192.168.1.1
    2 * * * Request timed out.
    3 65 ms 66 ms 65 ms 10.201.0.11

    Trace complete.

    Port1
    ipsec0
    IPv4
    192.168.1.43
    10.201.0.11
    ICMP
    --
    2
    Forwarded
     
    No Policy
    No Policy
    No Policy
    M2-Security
    No Policy
    No Policy
    512
    4047276480
    0
    UNREPLIED
     
    No Category
    0
    No Application
    No Category
    amr.ahmed
    2017-08-29 10:08:04
    Port1
     
    IPv4
    192.168.1.43
    10.201.0.11
    ICMP
    --
    0
    Incoming
     
    No Policy
    No Policy
    No Policy
    -
    No Policy
    No Policy
    No Gateway
    0
    0
    UNREPLIED
     
    No Category
    0
    No Application
    No Category
    -
  • Hi Amr,

    Please provide us the same packet capture of the remote end with the same packets. It would seem your local network is on Port 1 and your request went out to Port 1. Could you take a tcpdump of the packet?

    tcpdump 'host 10.201.0.11'

    From LAN to VPN, NAT should not be applied; you may apply NAT for the VPN to LAN rule. But it's your choice.

    I suspect the ping did not respond due to the firewall of the system of the destination address. Try disabling it and check if it responds with the reply.
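
Added example (not part of the thread and not Sophos tooling): a small Python parser for console tcpdump output in the format posted above. For each echo it reports the interface and direction where the request was seen and whether a reply came back, which is the comparison the replies ask for when they request captures from both ends. The `ipsec0` lines in the sample are constructed and assume the capture also prints tunnel-interface traffic in the same layout.

```python
import re
from collections import defaultdict

# Line layout as in the console capture posted in this thread.
LINE = re.compile(
    r"^\s*\d\d:\d\d:\d\d\.\d+ (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)")

def summarize(capture, client, server):
    """Map (id, seq) -> (status, request sightings, reply sightings)."""
    wanted = {("request", client, server), ("reply", server, client)}
    seen = defaultdict(lambda: {"request": [], "reply": []})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m or (m["kind"], m["src"], m["dst"]) not in wanted:
            continue  # banner, counters, or unrelated traffic
        key = (int(m["id"]), int(m["seq"]))
        seen[key][m["kind"]].append(f'{m["iface"]}/{m["dir"]}')
    report = {}
    for key, hops in sorted(seen.items()):
        if hops["reply"]:
            status = "replied"
        elif any(h.endswith("/OUT") for h in hops["request"]):
            status = "forwarded, no reply"  # left the firewall, nothing came back
        else:
            status = "ingress only, no reply"  # never seen leaving any interface
        report[key] = (status, hops["request"], hops["reply"])
    return report

# Lines 1-2 are from the thread's capture; the seq 7000/7001 lines are constructed.
SAMPLE = """\
09:38:33.565329 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6920, length 40
09:38:38.564948 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 6921, length 40
09:40:00.000100 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 7000, length 40
09:40:00.000200 ipsec0, OUT: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 7000, length 40
09:40:05.000100 Port1, IN: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 7001, length 40
09:40:05.000200 ipsec0, OUT: IP 192.168.1.43 > 10.201.0.11: ICMP echo request, id 1, seq 7001, length 40
09:40:05.065300 ipsec0, IN: IP 10.201.0.11 > 192.168.1.43: ICMP echo reply, id 1, seq 7001, length 40
"""

if __name__ == "__main__":
    for key, row in summarize(SAMPLE, "192.168.1.43", "10.201.0.11").items():
        print(key, *row)
```

Running the same function over a capture taken on the remote firewall shows whether the requests arrive there and whether the server's replies are sent back toward the tunnel.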
