IPSec connection established and traffic is outgoing, but no incoming response
-
@konstanti No, they can't ping my host,
but my ping requests arrive at their side, and I can't get any response from them.
-
@lmhaydii
Diagnostics / Packet Capture /
interface: wan
host: static IP address of the second side
protocol: esp
start
As a result, you should see whether the answers come from the second host or not:
aaaa -> bbbb (esp)
bbbb -> aaaa (esp)
..... In order for them to ping your host, an allow rule must be created on the IPsec interface.
-
@konstanti Thank you konstanti,
I've already added a rule in the IPsec firewall rules to allow any to any. Also, I already tried to capture packets coming from their side using the WAN and IPsec interfaces, but nothing!
-
@lmhaydii
It is necessary to understand the Cisco settings.
Let him show the log where you can see that the ESP packet went in the direction of your host. Perhaps they have an error in the ACL settings:
access-list 100 permit ip host 192.168.127.80 host 192.168.50.11
access-list 100 permit ip host 192.168.50.11 host 192.168.127.80
Alternatively, the default gateway of host 192.168.127.80 is not the Cisco, and that gateway knows nothing about the network 192.168.50.0/24.
Here you can come up with many versions. However, without knowing the network configuration, it is difficult to find a solution.
-
@lmhaydii said in IPSec connection established and traffic is outgoing, but no incoming response:
@derelict thank you. How can I determine with certainty that their response or their request is not arriving at my firewall? Is there any command to show that?
Yes. A packet capture. You have done that. That would be enough for me.
If you want more certainty, pcap on WAN for protocol ESP. You will see your pings (encrypted) go out but nothing come back from their side.
If you are going across NAT (NAT-T) you will need to capture UDP 4500 instead of protocol ESP.
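The check konstanti and Derelict describe above (capture on WAN filtered on ESP, or on UDP 4500 when the tunnel runs through NAT-T, then look for packets in both directions) can be tallied automatically. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style text output and reports whether ESP traffic is outbound-only. The capture lines, the two addresses and the function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines, not a real capture: two plain ESP packets
# and one NAT-T (UDP 4500) packet, all from "our" WAN to the peer, no replies.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
12:00:02.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0a1b2c3d,seq=0x2), length 132
12:00:03.000001 IP 203.0.113.10.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x3), length 132
12:00:04.000001 IP 203.0.113.10 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64
"""

# IPv4 only; an optional trailing ".port" is how tcpdump prints UDP endpoints.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)"
)

def count_esp(capture_text, local_wan, peer):
    """Return a Counter keyed by (direction, kind): direction is 'out'
    (local_wan -> peer) or 'in'; kind is 'esp' (IP proto 50) or 'nat-t'."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, payload = m.groups()
        if "ESP(" not in payload:
            continue  # e.g. the plaintext ICMP line is not tunnel traffic
        kind = "nat-t" if sport == "4500" and dport == "4500" else "esp"
        if (src, dst) == (local_wan, peer):
            counts[("out", kind)] += 1
        elif (src, dst) == (peer, local_wan):
            counts[("in", kind)] += 1
    return counts

def diagnose(counts):
    """Summarise what the capture shows about the tunnel."""
    out = sum(n for (d, _), n in counts.items() if d == "out")
    inn = sum(n for (d, _), n in counts.items() if d == "in")
    if out and inn:
        return "bidirectional"  # replies arrive: look at firewall rules/routing
    if out:
        return "outbound-only"  # our ESP leaves, nothing returns: peer or path
    return "no-esp"             # tunnel is not passing data at all

if __name__ == "__main__":
    c = count_esp(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20")
    print(dict(c), diagnose(c))
```

Feed it the text of a `tcpdump -n -i <wan> esp or udp port 4500` run with your WAN address and the peer's static address; "outbound-only" is the result the thread is describing.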