[vpn-help] Cisco ASA cannot see internal network

kevin vpn kvpn at live.com
Thu Apr 28 22:21:05 CDT 2011


On Tue, 26 Apr 2011 15:22:31 -0400
Robert Bourguignon <robertb at plusinc.net> wrote:

> Hello,
>                 I can connect to the Firewall with tunnel enabled.
> But I cannot see anything on the inside network. Included is the ASA
> config and the IPsec Trace. I can't ping, tracert, etc.
> 
...
> 11/04/26 15:07:45 ii : inspecting ARP request ...
> 11/04/26 15:07:45 DB : policy not found
> 11/04/26 15:07:45 ii : ignoring ARP request for 192.168.2.41, no
> policy found 
...
> 11/04/26 15:07:46 ii : inspecting ARP request ...
> 11/04/26 15:07:46 DB : policy not found
> 11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no
> policy found 
> 11/04/26 15:07:46 ii : inspecting ARP request ...
> 11/04/26 15:07:46 DB : policy found
> 11/04/26 15:07:46 DB : policy not found
> 11/04/26 15:07:46 ii : spoofing ARP response for 192.168.1.1
> 11/04/26 15:07:46 DB : policy found
> 11/04/26 15:07:46 DB : policy ref increment ( ref count = 1, policy
...
> 11/04/26 15:07:46 ii : inspecting ARP request ... 
> 11/04/26 15:07:46 DB : policy not found
> 11/04/26 15:07:46 ii : ignoring ARP request for 192.168.0.1, no
> policy found 
...
> 11/04/26 15:07:47 ii : inspecting ARP request ...
> 11/04/26 15:07:47 DB : policy found
> 11/04/26 15:07:47 DB : policy not found
> 11/04/26 15:07:47 ii : spoofing ARP response for 192.168.1.100
> 11/04/26 15:07:47 DB : policy found
...
>

Hi Robert,

I'm not familiar with Cisco configurations, so I can't really help you
much, but I did notice two things you can try.

1. I think you've got the Log output level set too low on the VPN Trace
utility, or you started it after you'd connected the VPN.  Please set
it to at least informational (farther down the drop down list is more
verbose) and recapture the trace, starting from before you begin to
connect the VPN.

2. I notice a bunch of ARP request errors that don't match policy.  I'm
not sure what they are about, but the messages suggest to me that your
address ranges in the policy tab might not be set correctly.

3. In the VPN Trace utility, when you've connected to the VPN, check
the "Security Associations" tab to see if there are bytes being
transferred in each direction.  Also look at the state.  You should
hope to see Mature instead of Larval.



More information about the vpn-help mailing list