03-08-2007 12:40 PM - edited 02-21-2020 02:54 PM
Hello, guys. After updating from 12.2(37) -GD- on 7200 to a 12.3(22) only peers on Frame relay links are able to terminate IPSec tunnels to this 7200. The routers connected to the metroE cannot. If we go back and boot with the 12.2(37) the problem disappears. The configuration is the same. Any suggestions? We are authenticating using RSA and we have 2600s and 2800s as spokes.
Thanks in advance!
03-12-2007 10:07 AM
Hello,
Did you get this resolved?
If not, can you send me the exact code you tried to upgrade to and the code you are running
Eg: c7200.......
Thanks
Gilbert
03-12-2007 10:45 AM
Hello
I didn't.
Here are the images and the results.
c2600-ik8s-mz.122-6.bin (spoke a -testing-)
c7200-ik8s-mz.122-37.bin (hub a)
This is what we had for some time and it worked fine.
c7200-ik9s-mz.123-22.bin
This is the upgrade we have installed after a crash and the one that causes the problem.
Last, we upgraded the testing spoke.
c2600-ik8s-mz.122-40.bin (spoke a)
c7200-ik9s-mz.123-22.bin (hub a)
With the last upgrade running, the following tests were made:
- Different transform sets with many proposals.
- PFS group 2 on and off.
- IKE with PSK.
I hope this helps and thanks a lot!
Guido
03-14-2007 02:41 PM
Hello
I have new data that might help us all to figure this out.
- We tested MTU and though we verified 1500 bytes, we set it to a value of 1300 just to make sure. Extended ping confirmed the new setting.
- We changed to PSK instead of RSA-Sig.
- And here I have attached a partial output from a "debug crypto isakmp".
I hope this helps and thanks again!
Guido
03-16-2007 06:55 AM
The error is NOTIFY PROPOSAL_NOT_CHOSEN. This means that the transform sets or access list do not match on the peers.
Check the configuration on both peers and verify that they match. Check the access list on either side and make sure that they are symmetric (a mirror of the other side).
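A small script to run the two checks from this reply mechanically, added here as an example that is not from the thread or from Cisco: it parses each side's crypto ACL (permit/wildcard form), reports entries that have no mirrored counterpart on the peer, and checks that the IPsec transform sets overlap. The ACL entries and transform-set names are constructed samples.

```python
import ipaddress
import re

# Constructed sample crypto ACLs for a hub and one spoke (not from the thread).
HUB_ACL = [
    "permit ip 10.10.0.0 0.0.255.255 192.168.5.0 0.0.0.255",
    "permit ip 10.10.0.0 0.0.255.255 192.168.6.0 0.0.0.255",
]
SPOKE_ACL = [
    "permit ip 192.168.5.0 0.0.0.255 10.10.0.0 0.0.255.255",
    # Deliberately wrong: 10.0.0.0/8 is broader than the hub's 10.10.0.0/16, so not a mirror.
    "permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255",
]

ACE_RE = re.compile(r"permit\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def wildcard_to_net(addr, wildcard):
    """Convert a Cisco address/wildcard pair to a network (wildcard is an inverted netmask)."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_ace(line):
    """Parse 'permit <proto> <src> <src-wc> <dst> <dst-wc>' into (proto, src_net, dst_net)."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line}")
    proto, src, swc, dst, dwc = m.groups()
    return proto, wildcard_to_net(src, swc), wildcard_to_net(dst, dwc)


def find_unmirrored(local_acl, peer_acl):
    """Return local entries for which the peer has no entry with src/dst swapped."""
    peer = {parse_ace(l) for l in peer_acl}
    return [l for l in local_acl
            if (parse_ace(l)[0], parse_ace(l)[2], parse_ace(l)[1]) not in peer]


def common_transforms(local_sets, peer_sets):
    """Transform sets offered by both sides, ignoring transform order inside a set."""
    peer = {frozenset(s.split()) for s in peer_sets}
    return [s for s in local_sets if frozenset(s.split()) in peer]


if __name__ == "__main__":
    print("hub entries without a mirror on the spoke:", find_unmirrored(HUB_ACL, SPOKE_ACL))
    print("spoke entries without a mirror on the hub:", find_unmirrored(SPOKE_ACL, HUB_ACL))
    print("shared transform sets:",
          common_transforms(["esp-3des esp-sha-hmac", "esp-des esp-md5-hmac"], ["esp-sha-hmac esp-3des"]))
```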
03-16-2007 07:38 AM
Medan
Thanks for your reply.
My mistake not to post the tests we've run and the items checked. One of the elements we first looked into was the ACL on both sides and they match (mirrored). The thing is, with the very same config, we boot with 12.3(xx) and the issue arises. With 12.2(xx) and without touching the configuration, the problem goes away.
This is what we tried so far with 12.3(22) on the hub router.
- Different transform sets: DES and 3DES.
- Crypto ACLs ok.
- Upgrade spoke to 12.2(40).
- PFS group 2.
- Without PFS and IKE PSK.
- 1500 bytes MTU checked, but set to 1300 for testing purposes.
Note: Tens of other routers (same platforms and IOS release) terminate their tunnels over frame relay links without problem. 20 routers (over metro) out of 120 have this problem.
Thanks a lot!