If you try to ping the client from the loopback, what happens? Try enabling
your debugs for IP packets etc. to look at this. Looks like you have a
one-way routing problem.

Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Saturday, April 17, 2010 2:00 PM
To: [email protected]
Subject: [OSL | CCIE_Security] Vol 2 > lab 20 > section 4.6

 

I am in lab now

VRF aware EzVPN

I have connected the VPN client from XP and the tunnel is up. From the client, I
am trying to ping 7.7.17.7, i.e., the loopback interface that is in VRF
SITE1.

The ping fails. On the client side I see encrypted traffic and on R7, I see
decrypted. But the reply is not going back.

Snippet O/Ps

R7# sh ip route vrf SITE1

C       7.7.17.0/24 is directly connected, Loopback17
S       7.7.17.102/32 [1/0] via 192.1.49.100, Virtual-Access2

R7#sh crypto ip
R7#sh crypto ipsec sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-4, local addr 192.1.73.7

   protected vrf: SITE1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (7.7.17.102/255.255.255.255/0/0)
   current_peer 192.1.49.100 port 1112
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7

Any idea?

With regards

Kings
