This troubleshooting guide demonstrates the available options when an additional local network cannot be reached over an established VPN connection.

  • In addition to the local network, another local network with the address range is to be accessible at the remote site.
  • However, after configuring the VPN connection, this fails. Only the network can be reached via the VPN connection.

1) “Ping” and “Tracert” in the local network of the initiator router:
1.1) From the local network, a ping to an IP address in the network at the remote site will check whether it can be reached.
In this example, a PING cannot reach the LANCOM router at the remote site in the network at the address
1.2) A “Tracert” to the address is only able to trace the route to the initiator router itself.

2) Perform an IP router trace on the initiator router:
2.1) Performing an IP router trace to the address on the initiator router shows that IP packets are being sent out over the WAN.
However, the echo requests go unanswered by the remote site; no “echo reply” is received.

3) Perform a VPN packet trace on the initiator router:
3.1) In a VPN packet trace to the address, you can see that there is something wrong with the SAs of the VPN connection (message “no sa available”).

4) Perform “show vpn” on the initiator router and on the responder router:

This procedure is also recommended if there is only one local network at each end and the networks cannot be reached.

4.1) A “show vpn” on the command line of the initiator router clearly shows that there are 2 SAs for this VPN connection: 
  • SA 1: <->
  • SA 2: <->

The command “show vpn” displays all of the established SAs. You can also filter to a specific remote site (VPN connection) by entering the command “show vpn @ <name of VPN connection>”.

4.2) However, a “show vpn” on the command line of the responder router shows that there is just 1 SA for this VPN connection:
  • SA 1: <->
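
The comparison in step 4 can be automated once the SA network pairs from both routers have been noted down. The following Python code is an added example, not LANCOM code or part of the original guide; it assumes the pairs were transcribed by hand as `local <-> remote` lines in CIDR notation (this is not the literal “show vpn” output format), and all addresses in it are constructed.

```python
import ipaddress


def parse_sas(text):
    """Parse 'local <-> remote' lines into a set of (local, remote) network pairs."""
    pairs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or "<->" not in line:
            continue
        left, right = (part.strip() for part in line.split("<->", 1))
        # strict=False normalises a host address such as 192.168.2.1/24 to its network
        pairs.add((ipaddress.ip_network(left, strict=False),
                   ipaddress.ip_network(right, strict=False)))
    return pairs


def compare_sas(initiator_text, responder_text):
    """Return (SAs only on the initiator, SAs only on the responder),
    both written from the initiator's point of view."""
    initiator = parse_sas(initiator_text)
    # The responder lists each SA with local and remote swapped, so mirror it.
    responder = {(remote, local) for local, remote in parse_sas(responder_text)}

    def fmt(pairs):
        return sorted(f"{local} <-> {remote}" for local, remote in pairs)

    return fmt(initiator - responder), fmt(responder - initiator)


# Constructed sample data (hypothetical addresses, hand-transcribed notation).
INITIATOR = """
192.168.1.0/24 <-> 192.168.2.0/24
192.168.1.0/24 <-> 192.168.3.0/24
"""
RESPONDER = """
192.168.2.1/24 <-> 192.168.1.0/24
"""

if __name__ == "__main__":
    only_initiator, only_responder = compare_sas(INITIATOR, RESPONDER)
    for sa in only_initiator:
        print("missing on responder:", sa)
    for sa in only_responder:
        print("missing on initiator:", sa)
```

An SA reported as missing on one side identifies the network relationship that is defined on only one router.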

5) How can the problem be solved?