Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Nortel VPN: Tunnel Establish but cannot ping

Status
Not open for further replies.

SharpAdam

Vendor
Mar 12, 2007
57
US
Greetings -
We are having a problem in which a tunnel is established but you cannot ping from the remote site to the main site until the main site first pings the remote site.

Further Info:
Remote Site is a Nortel BSR222 configured as a branch office initiator.

Main Site is a Nortel VPN 1750 configured as a branch office responder. The 1750 is located behind an Untangle firewall/router.

The VPN soft client establishes a tunnel as expected and works with no problems.

When we attempt to ping the main site from the BSR222, the tunnel establishes right away. I am still unable to ping anything at the main site.

Once I initiate a ping from the main site to the remote site, the ping responds. Once this initial ping is done, I am able to ping from the remote site to the main.

Does anyone have any feedback? Routing issue? NAT problem?
 
Neither, but that is weird...

If it were routing OR NAT, the remote to main would NEVER work until the routing or NAT/NAT exemptions were fixed.

Sounds like a client issue to me, like the main site does not trust the remote site unless the main site initiates communications, then all is well. That is much like how Cisco's CBAC works...well, sort of.

Do pings continue to work after say a few hours, when all timers (like ARP cache, etc.) are expired?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Its strange, I'll test the timeout. The tunnel is dropping after a few hours but I can see in the logs that the remote is deleting the tunnel.

I will tell you that Nortel's VPN equipment is kinda crappy. Its a little crazy to install and more over-priced than Cisco.
 
Any chance of switching to Cisco routers/ASA's? They are the best IMHO with everything, especially VPNs. They are solid machines, with AES-256 available for encrypting the IPSEC traffic, and much much more granular, as you can control NAT with acls, loopback interfaces, route maps, etc. and can control...well, everything! With the right IOS, you can also do DMVPN and/or GRE tunnels protected by IPSEC, or configured via profile (VTI tunnel), which is useful for passing protocols through (like routing protocols, OSPF, EIGRP, etc.). You can also configure site to site vpns and remote access vpns at the same time (at least in the ASA, not sure about routers, never tried). Just so much better at so many levels, and as you say, are less expensive than what you have now (which is hard to believe...lol). If you get SmartNet on them, there are many CCIEs to answer complex questions, which blows the competition way out of the water as far as customer service---they won't tell you to reboot if your car has a flat tire...lol.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
I should have seen this coming, right?

Telling me to buy a different product is NOT helpful. People come here to get assistance with problems, not be told that Cisco is endorsed by Jesus and therefore all network gear should be Cisco.

Mods, Please delete this thread as it has obviously gone down a path that will offer no assistance of any value to anyone.
 
If it were endorsed by Jesus, I would never recommend them. I'm Jewish.

Don't carry out your childish frustrations on the only person willing to help you. What would Jesus do?

Either fix your client software or sit there and be mad then...the others need to be warned about you, so hopefully this thread will not be deleted. If there is another reply, that means that you are checking up on this to see how I responded so that you can "one-up" me. I assure you, I give you the last word. And don't apologize to try and give me a guilt trip---I have no conscience :)

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top