Hi John,

What address is the NZ guy pinging on your spoke routers? The LAN
address that is getting propagated?

If you do a debug icmp trace on the VPN box (assuming you can, I've
never touched one) what is the ICMP message you receive? That will
probably tell you everything.

When you ping from your remote spoke routers to NZ, what interface
address are you using to ping _from_? Can you try pinging from a server
in a spoke site, or set the ping from address to be the LAN interface of
your spoke router?

In fact, that looks to me to be exactly what it is.

You are pinging from a spoke router, and it is using the serial(?)
interface address, which due to your non-contiguous network addressing
(tsk tsk!) is not included in your VPN configuration, so the VPN
concentrator probably sends the ICMP message to NZ but the NZ side is
not configured to encrypt traffic for the network the ping came from so
it never gets back.

Sounds good to me...

Symon
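
The diagnosis in the reply above, worked through as an added example (not part of the original message): each IPsec peer only protects traffic whose source and destination both fall inside its configured network lists, so a ping sourced from an unlisted interface address can leave but the reply is never encrypted back. All addresses and network lists below are constructed for illustration, and the selector matching is a simplified model rather than either vendor's implementation.

```python
import ipaddress

def in_any(addr, networks):
    """True if addr falls inside at least one of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in networks)

def diagnose(src, dst, near, far):
    """Check a request src->dst and its reply against both peers' lists.

    near/far are dicts with 'local' and 'remote' network lists, as
    configured on the peer nearest the sender and on the other peer.
    """
    if not (in_any(src, near["local"]) and in_any(dst, near["remote"])):
        return "request not matched at near end"
    # The reply has src and dst swapped, so the far end needs the sender's
    # address in its *remote* list to encrypt the reply.
    if not (in_any(dst, far["local"]) and in_any(src, far["remote"])):
        return "reply not matched at far end"
    return "ok"

def check_ping_sources(interfaces, dst, near, far):
    """Run diagnose() for every address a router could ping from."""
    return {name: diagnose(addr, dst, near, far)
            for name, addr in interfaces.items()}

# Constructed sample data: non-contiguous Australian networks and one NZ LAN.
AU = {"local": ["10.1.0.0/24", "172.16.5.0/24", "192.168.100.0/30"],
      "remote": ["10.50.0.0/24"]}
NZ = {"local": ["10.50.0.0/24"],
      # WAN /30 of the spoke was never added on the NZ side
      "remote": ["10.1.0.0/24", "172.16.5.0/24"]}
SPOKE = {"serial0": "192.168.100.2", "ethernet0": "172.16.5.1"}
NZ_PC = "10.50.0.10"

if __name__ == "__main__":
    for ifname, verdict in check_ping_sources(SPOKE, NZ_PC, AU, NZ).items():
        print(f"spoke ping from {ifname}: {verdict}")
    print("NZ ping to spoke LAN:", diagnose(NZ_PC, SPOKE["ethernet0"], NZ, AU))
```
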


-----Original Message-----
From: John Brandis [mailto:[EMAIL PROTECTED] 
Sent: 04 March 2003 01:55
To: [EMAIL PROTECTED]
Subject: Bizzare Routing/VPN Issue [7:64301]


Hi All, I am sure one of you will see the problem and be able to offer a
solution.
 
I have 2 organisations here, one in Australia the other in NZ. In
Australia, we have a hub and spoke point to multi-point config from the
hub's perspective. I run OSPF and have all sites in area 0 (yes I know I
should break this up so that each region forms its own area, but why at
this time??)
 
My problem, which only started this morning at 5am when the tech in NZ
and I decided to up the encryption settings on the VPN, I think is
related to routing, or related to a crypto map error. In Sydney, I use a
Cisco 3005 whilst the office initiating the IPSEC connection uses a
little Watchguard box. Until this morning it was simple, I could see his
local LAN behind the remote peer, and he could see my local networks,
but not the offices on my WAN (by design). The goal of this morning was
to permit NZ to be able to see all networks in Australia. We don't yet
run a nice continuous IP scheme here (yet), so each network had to be
declared line by line rather than a nice summary. We implemented this
network by network. I enabled my NZ counterpart access to the Australian
hub site and one of the spokes. That's when the problem started. We tried
to put the next spoke site network list in the list of available
networks, then it all fell to bits. The problem now is that the guy in
NZ can ping my spoke sites' routers, however from these spoke sites I
can't ping him. I trace the packet, and watch it hop through my network
with the last hop being the 3005 VPN concentrator that connects NZ to
us. From there it times out... From my desk in the hub site in Australia,
I can ping both the spoke site, and the NZ tech's PC. So at this stage I
can confirm that the route that works from Sydney to NZ, has been
redistributed via OSPF to my spoke sites, however it just does not
appear to get through the tunnel, however the guy in NZ says he has 100%
ping to my spoke sites.
 
Could anyone suggest where a possible problem could be?
 
I can see IPSEC tunnels for the various networks and I can see traffic
going across them, however I have no idea why I can't access anything
across the VPN from my spoke sites. The NZ guy said all traffic from
Australia has a permit statement. I can only see the problem as an
access-list-like problem on his end, as we had this working for the
central site here (hub site) and for one of the spoke sites until we
added more.
 
Would appreciate any help.
 
Thanks all
 
Johnny b 


Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=64324&t=64301