Can't ping down VPN tunnel

Unanswered Question
Jun 11th, 2007


I have a problem with a VPN tunnel on a 1841 series

The router has four tunnels, all of which show as UP with sh crypto sessions.

I can ping down three of the tunnels but not the fourth. This router has an almost identical config to a number of other routers on our network, which all work.

I have attached a modified config. The network I can't ping is

Show version output

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(3f), RELEASE SOFTWARE (fc3)

Technical Support:

Copyright (c) 1986-2006 by Cisco Systems, Inc.

Compiled Fri 18-Aug-06 17:42 by alnguyen

ROM: System Bootstrap, Version 12.3(8r)T9, RELEASE SOFTWARE (fc1)

XXX uptime is 2 days, 21 hours, 2 minutes

System returned to ROM by reload at 15:36:59 UTC Fri Jun 8 2007

System image file is "flash:c1841-advipservicesk9-mz.124-3f.bin"

Cisco 1841 (revision 6.0) with 237568K/24576K bytes of memory.

Processor board ID FCZ104211TW

2 FastEthernet interfaces

2 Virtual Private Network (VPN) Modules

DRAM configuration is 64 bits wide with parity disabled.

191K bytes of NVRAM.

62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Show crypto session for the tunnel in question

Interface: FastEthernet0/1

Session status: UP-NO-IKE

Peer: 84.12.90.XXX port 500

IPSEC FLOW: permit ip

Active SAs: 2, origin: crypto map

Any help would be gratefully received


sundar.palaniappan Mon, 06/11/2007 - 11:11


Can you reconfigure the crypto map with different sequence numbers for each peer, something like this:

crypto map xxx 10 ipsec-isakmp
 set peer
 match address site_1

crypto map xxx 20 ipsec-isakmp
 set peer
 match address site_2

Let us know if you are still having problems.


Sundar Wed, 06/13/2007 - 02:04


Thanks for the response.

I have tried this on my router and it now works, although in a strange way.

By accident we discovered that if we put the geographically furthest destination first in the crypto map, it comes up every time. If we put it as the last entry it does not work! I cannot think why this should be the case; any thoughts?

Also, this router does not show its static routes when you do a sh ip route; it only shows the directly connected interfaces.

Thanks again for the help, much appreciated


sundar.palaniappan Thu, 06/14/2007 - 13:24


That's weird. I don't see why the geographically furthest destination needs to be entered in the sequence that you described. It should work as long as there is end-to-end IP connectivity between the VPN peers.

As far as your static route not showing up in the routing table: if the next hop for the route is reachable, the route should be installed in the routing table. If you are still having problems, can you post the relevant portion of the config and the show ip route output?


Sundar Fri, 06/15/2007 - 04:00


The geographic thing made no sense to us either but it seems to work.

The static IP routes in the config are

ip classless

ip route

ip route

ip route

ip route

ip route

ip route

SH IP ROUTE output is as below

Gateway of last resort is to network

is subnetted, 1 subnets

C is directly connected, FastEthernet0/1

is subnetted, 1 subnets

C is directly connected, FastEthernet0/0

S* [1/0] via

All the next hops are reachable; I have successfully pinged them all, but still the routes are not entered in the table. Any thoughts or insights are much appreciated.



sundar.palaniappan Mon, 06/18/2007 - 16:39


With IPsec you don't need those static routes for the router to know which peer it needs to use to route traffic to those remote networks, based on your crypto ACL/peer info found in the IPsec SA. You just need the default route to your ISP and can safely remove all the other routes.
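The two pieces of advice in this thread (one crypto map entry per peer with its own sequence number, and a single default route toward the ISP instead of per-site static routes) fit together in the configuration below. This is an added example written for this page, not the poster's configuration: the map name, ACL names, transform set, pre-shared keys and every address are placeholders, and the two remote sites are invented for illustration.

```cisco
! Added example, not the configuration from the thread.
! All names, keys and addresses are placeholders; substitute your own.
!
! IKE phase 1: one policy serves every peer; one pre-shared key per peer address.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key SITE1KEY address 192.0.2.10
crypto isakmp key SITE2KEY address 192.0.2.20
!
! IPsec phase 2 transform set, shared by all map entries.
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! One crypto ACL per remote site: the traffic this router must encrypt toward
! that peer. The remote end needs the mirror image (source/destination swapped).
ip access-list extended site_1
 permit ip 10.1.0.0 0.0.255.255 10.101.0.0 0.0.255.255
ip access-list extended site_2
 permit ip 10.1.0.0 0.0.255.255 10.102.0.0 0.0.255.255
!
! One crypto map entry per peer, each with a distinct sequence number.
! Re-entering "crypto map VPNMAP 10" for a second peer would edit entry 10
! instead of creating a new one. Entries are evaluated in ascending
! sequence order and the first matching ACL wins.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS
 match address site_1
crypto map VPNMAP 20 ipsec-isakmp
 set peer 192.0.2.20
 set transform-set TS
 match address site_2
!
! The map is applied once, on the interface facing the peers.
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.252
 crypto map VPNMAP
!
! Routing: a default route toward the ISP next hop is all that is needed.
! Packets for 10.101.0.0/16 and 10.102.0.0/16 follow the default route out
! FastEthernet0/1, where the crypto map matches them and selects the peer.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Verification after applying:
!  show crypto map         - one entry per peer, each with its own ACL
!  show crypto isakmp sa   - IKE SA state per peer
!  show crypto ipsec sa    - encaps/decaps counters per crypto ACL
!  show crypto session     - should report UP-ACTIVE, not UP-NO-IKE
```

Two caveats a practitioner would check here. First, the order of map entries only matters when crypto ACLs overlap: if a lower-numbered entry's ACL also matches traffic meant for a later entry, the lower number wins and the later tunnel never sees that traffic, so keep the ACLs disjoint and specific rather than relying on entry order. Second, the UP-NO-IKE status in the original post means IPsec SAs exist for that peer but no IKE SA does; a healthy tunnel shows UP-ACTIVE, and checking show crypto isakmp sa for that peer is the quickest way to confirm phase 1 is actually established.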


Sundar Thu, 06/28/2007 - 01:18


Thanks for the help. I have removed the routes and re-ordered the crypto maps and it is now working OK. Thanks Again


