Urgent help needed

Nov 19th, 2007

Guys, I have a site-to-site VPN..... VPN is up.... only one PC has got a problem connecting to the headend application server.... when I did debug I got the following line, can someone please explain that to me..... the IP range is included in the access-list, I have no idea what's going on

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820

JORGE RODRIGUEZ Mon, 11/19/2007 - 19:03

Was this working or is it a new L2L setup? If it was working, something must have changed in the IKE configuration. Check the complete IKE policy configuration and make sure both ends match information, e.g. pre-share info, isakmp key, etc.



The_guroo_2 Mon, 11/19/2007 - 19:31

That is the issue, it was working fine and suddenly this thing happens??? Do you have any idea what that means? I tried to look on the web but couldn't find any.

JORGE RODRIGUEZ Mon, 11/19/2007 - 20:13

The question is, is it the whole tunnel down or is it just one connection from source to destination having issues? Do you have any other connection OK within the tunnel?

You will have to provide more information as the other poster indicated, "show crypto ipsec sa"; you may also need to debug with "debug crypto isakmp". But again, provide information as to whether the complete tunnel is down or it is one connection off the tunnel having issues.

sbaddipudi Mon, 11/19/2007 - 20:31

I am a little confused. Is this site to site VPN between two ASAs? Is it that only one PC has the issue? May need some config to look at


The_guroo_2 Mon, 11/19/2007 - 22:09

Only one connection is down..... the tunnel is up..... and other PCs are fine..... only this one is having an issue..... the strange thing is the IP of this PC is included in interesting traffic and all others are working except this one..... what does this error mean, can you please tell me

JORGE RODRIGUEZ Tue, 11/20/2007 - 04:12

Are you natting the source PCs? If so, check whether NAT changed, and also whether the other end's ACL is permitting that one PC.

JORGE RODRIGUEZ Tue, 11/20/2007 - 13:36

It would help if you could turn on crypto isakmp debug to see what is going on between the source PC and the destination at the other peer.

debug crypto isakmp (turns on debugging)

no debug crypto isakmp ( off )

and initiate interesting traffic to destination server and capture debug output and post..

elparis Mon, 11/19/2007 - 19:23

Could you provide the following information:

- crypto ACLs on both sides of the IPsec tunnel

- IP address of the PC that is having problems

- IP address of the application server

- Output from "sh cry ipsec sa"

