You can't ping from the server, right, as the client is in client mode, not net
ext mode?

Yes, it is a routing problem, but the O/Ps seem to be correct.

With regards
Kings

On Sat, Apr 17, 2010 at 11:56 PM, Tyson Scott <[email protected]> wrote:

> If you try to ping the client from the loopback, what happens? Try
> enabling your debugs for IP packets etc. to look at this. Looks like you
> have a one-way routing problem.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Saturday, April 17, 2010 2:00 PM
> *To:* [email protected]
> *Subject:* [OSL | CCIE_Security] Vol 2 > lab 20 > section 4.6
>
>
>
> I am in lab now
>
>
>
> VRF aware EzVPN
>
>
>
> I have connected the VPN client from XP and the tunnel is up. From the
> client, I am trying to ping 7.7.17.7, i.e., the loopback interface that is
> in VRF SITE1.
>
>
>
> The ping fails. On the client side I see encrypted traffic and on R7, I see
> decrypted. But the reply is not going back.
>
>
>
> Snippet O/Ps
>
>
>
> R7# sh ip route vrf SITE1
>
>
>
> C       7.7.17.0/24 is directly connected, Loopback17
> S       7.7.17.102/32 [1/0] via 192.1.49.100, Virtual-Access2
>
>
>
>
>
> R7#sh crypto ip
> R7#sh crypto ipsec sa
>
> interface: Virtual-Access2
>     Crypto map tag: Virtual-Access2-head-4, local addr 192.1.73.7
>
>    protected vrf: SITE1
>    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>    remote ident (addr/mask/prot/port): (7.7.17.102/255.255.255.255/0/0)
>    current_peer 192.1.49.100 port 1112
>      PERMIT, flags={origin_is_acl,}
>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
>
> Any idea?
>
> With regards
>
> Kings
>
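Added example, not part of the original thread: the symptom discussed above (packets decrypted on R7 but nothing encrypted back) can be checked mechanically by parsing the `sh crypto ipsec sa` output and flagging any SA with decaps > 0 and encaps = 0. The dictionary keys and function names are hypothetical, and the parser assumes each SA block begins at a `protected vrf:` line, as in the quoted output.

```python
import re

# Output quoted in the thread above (R7, "sh crypto ipsec sa"), embedded to run offline.
SAMPLE = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-4, local addr 192.1.73.7

   protected vrf: SITE1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (7.7.17.102/255.255.255.255/0/0)
   current_peer 192.1.49.100 port 1112
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
"""

# Hypothetical field names mapped to the patterns seen in the quoted output.
FIELDS = {
    "vrf": re.compile(r"protected vrf:\s*(\S+)"),
    "remote": re.compile(r"remote ident .*?:\s*\(([\d.]+)/"),
    "peer": re.compile(r"current_peer\s+(\S+)"),
    "encaps": re.compile(r"#pkts encaps:\s*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:\s*(\d+)"),
}

def parse_sas(text):
    """Return one dict per SA block; a block starts at each 'protected vrf:' line."""
    sas, iface, cur = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*interface:\s*(\S+)", line)
        if m:
            iface = m.group(1)
        if "protected vrf:" in line:
            cur = {"interface": iface}
            sas.append(cur)
        if cur is None:
            continue
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1)) if key in ("encaps", "decaps") else m.group(1)
    return sas

def one_way(sas):
    """SAs that decrypt inbound packets but never encrypt a reply."""
    return [s for s in sas if s.get("decaps", 0) > 0 and s.get("encaps", 0) == 0]

if __name__ == "__main__":
    for sa in one_way(parse_sas(SAMPLE)):
        print(f"{sa['interface']} vrf={sa['vrf']} peer={sa['peer']} remote={sa['remote']}: "
              f"decaps={sa['decaps']} encaps=0, replies are not entering the tunnel")
```
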