IOS router VPN Client issue

Sep 7th, 2007

I do have an issue with VPN clients. The VPN client can connect, but no traffic is routed. I switched on debugging and noticed that a packet is decrypted successfully but dropped by CEF.

I got the following messages:

post_crypto_ip_decrypt: Data just decrypted, 52 bytes
PostDecrypt: Particle based pak cef switched 3
CEF-Drop: Stalled adjacency for on Virtual-Access2 for destination ...

Does anybody have an idea?

C2811 IOS 12.4(15)T1

VPN Client WindowsXP 5.0, MacOS X, ...

Here is a part of the config

ip cef

interface Loopback0
 no ip address

interface FastEthernet0/0
 description LAN
 ip address
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly

interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 ip virtual-reassembly
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1

crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1

crypto isakmp client configuration group XXX
 key YYY
 pool Pool_VPN
 acl 100
 max-users 4

crypto isakmp profile sdm-ike-profile-1
 match identity group XXX
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 2

This config was working with IOS 12.4(11)XJ2.

amritpatek Thu, 09/13/2007 - 05:49

When running CEF, a static arp can cause CEF to lose that mac address as an adjacency. On a static, the arp timeout is set to zero. When the adjacency is lost, packets get punted to process-level. Doing a shut/noshut of the affected interface may help you. Configuring a static route to the client also may help.
