
I have built a VPN tunnel between an Azure virtual network and Cisco 881 router. I have a virtual machine sitting on the Azure virtual network, but the router isn't able to ping the virtual machine. Also the router cannot ping the virtual machine. So if someone can help me figure out what I'm missing, that would be great! Here are the configs.

interface Tunnel1
 ip address 169.254.0.1 255.255.255.0
 ip tcp adjust-mss 1350
 tunnel source FastEthernet4
 tunnel mode ipsec ipv4
 tunnel destination 104.215.95.202
 tunnel protection ipsec profile vti
!
interface FastEthernet4
 description Interface_to_3rd_party_ISP
 ip address 97.105.10.190 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description Management_interface
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 97.105.10.189
ip route 172.16.0.0 255.255.255.0 Tunnel1
!
access-list 1 permit 192.168.251.0 0.0.0.255
access-list 1 permit 24.173.194.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255

I hope this is enough info for someone to help me figure out why I can't ping across. The IP of the VM I'm trying to ping is 172.16.0.4.

Thank you!

I'm adding some show commands as requested.

sh interfaces tunnel 1
Tunnel1 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 169.254.0.1/24
  MTU 17878 bytes, BW 100 Kbit/sec, DLY 50000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 97.105.10.190 (FastEthernet4), destination 104.215.95.202
   Tunnel Subblocks:
      src-track:
         Tunnel1 source tracking subblock associated with FastEthernet4
          Set of tunnels with source FastEthernet4, 1 member (includes iterators), on interface <OK>
  Tunnel protocol/transport IPSEC/IP
  Tunnel TTL 255
  Tunnel transport MTU 1438 bytes
  Tunnel transmit bandwidth 8000 (kbps)
  Tunnel receive bandwidth 8000 (kbps)
  Tunnel protection via IPSec (profile "vti")
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 1d17h
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 73
  Queueing strategy: fifo
  Output queue: 0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     1061 packets input, 33976 bytes, 0 no buffer
     Received 0 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     79 packets output, 5631 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

sh crypto ipsec sa
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 97.105.10.190

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 104.215.95.202 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 1065, #pkts decrypt: 1065, #pkts verify: 1065
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 97.105.10.190, remote crypto endpt.: 104.215.95.202
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xD77E621E(3615384094)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xF41C8A8E(4095511182)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 422, flow_id: Onboard VPN:422, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4228180/3545)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD77E621E(3615384094)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 421, flow_id: Onboard VPN:421, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4228181/3545)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
  • This question lacks the `sh inter tun1`, `sh crypto isakmp sa` and `sh crypto ipsec sa` output. – drookie Sep 25 '15 at 02:30
  • SAs and the tunnel seem to be just fine. Now please supply me with the result of the `ping ` made from the cisco box. – drookie Sep 25 '15 at 17:54
  • Also note that I don't receive notifications about this post since you are editing it without posting any new comments. – drookie Sep 25 '15 at 18:06
  • ping 104.215.95.202 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 104.215.95.202, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) – NSH Sep 25 '15 at 18:41
  • No, no.. Sorry, I mean ping via tunnel - try to ping other side of the tunnel, some address from the network 169.254.0.0/24, don't know what you assigned to the remote end. Probably .2. – drookie Sep 25 '15 at 18:43
  • Okay, so my VN address space in Azure is 172.16.0.0/24 the IP of a VM in that network is 172.16.0.4. So I pinged that IP. `ping 172.16.0.4 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.0.4, timeout is 2 seconds: ..... Success rate is 0 percent (0/5)` – NSH Sep 25 '15 at 18:51
  • Wrong. First you should really check the liveness of the tunnel, by pinging its other end. If there's no other end of the tunnel, if the Azure router just handles ipsec - that's one possible reason of the connectivity absence. If the other end does exist, but it doesn't answer - that's another reason. I personally am unaware about Azure VTI capability (and this is exactly the type of your tunnel), so it's up to you to investigate. – drookie Sep 25 '15 at 18:57
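As an added example (not from the question or its commenters) of the triage the comments walk through: a small Python script that reads excerpts of the `show crypto ipsec sa`, `show interfaces tunnel 1` and `show crypto isakmp sa` output quoted above and reports what each counter indicates. The inputs are constructed excerpts that reproduce the question's values, and the finding codes are my own.

```python
import re
# Constructed excerpts mirroring the values in the question (not the full output).
IPSEC_SA = """    #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
    #pkts decaps: 1065, #pkts decrypt: 1065, #pkts verify: 1065
        Status: ACTIVE(ACTIVE)
        Status: ACTIVE(ACTIVE)"""
TUNNEL_IF = """Tunnel1 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 73
     1061 packets input, 33976 bytes, 0 no buffer
     79 packets output, 5631 bytes, 0 underruns"""
ISAKMP_SA = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA"""

def _num(pattern, text):
    # First integer capture of pattern, or None when the line is absent.
    m = re.search(pattern, text)
    return int(m.group(1)) if m else None

def parse_ipsec_sa(text):
    return {"encaps": _num(r"#pkts encaps:\s*(\d+)", text),
            "decaps": _num(r"#pkts decaps:\s*(\d+)", text),
            "active_sas": len(re.findall(r"Status:\s*ACTIVE", text))}

def parse_tunnel_if(text):
    return {"up": "is up, line protocol is up" in text,
            "output_drops": _num(r"Total output drops:\s*(\d+)", text)}

def isakmp_sa_count(text):
    # Data rows start with an IPv4 address; the header line does not.
    return len(re.findall(r"^\d+\.\d+\.\d+\.\d+\s", text, re.M))

def triage(ipsec_text, tunnel_text, isakmp_text):
    # Returns (code, message) pairs; codes are stable so automation can key on them.
    ipsec, tun = parse_ipsec_sa(ipsec_text), parse_tunnel_if(tunnel_text)
    out = []
    if tun["up"] and ipsec["active_sas"]:
        out.append(("SA_OK", "tunnel up with %d ACTIVE IPsec SAs" % ipsec["active_sas"]))
    if ipsec["active_sas"] and isakmp_sa_count(isakmp_text) == 0:
        out.append(("IKEV2?", "IPsec SAs but no ISAKMP (IKEv1) SA: peer probably "
                    "negotiated IKEv2, check 'show crypto ikev2 sa'"))
    if ipsec["decaps"] and ipsec["decaps"] > 10 * max(ipsec["encaps"] or 0, 1):
        out.append(("ONE_WAY", "%d decaps vs %d encaps: peer sends, router barely "
                    "sends; check the route and source address of outbound traffic"
                    % (ipsec["decaps"], ipsec["encaps"] or 0)))
    if tun["output_drops"]:
        out.append(("TUN_DROPS", "%d output drops on the tunnel interface: packets "
                    "routed into it are not all being encapsulated" % tun["output_drops"]))
    return out
```

Paste the real command output into the three strings (or read it from files) and call `triage()`; an empty result means nothing in these counters stands out and the next step is the tunnel-endpoint ping the comments ask for.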
