crypto-IPSEC problem after configuration

Dec 5th, 2007

Hi Experts,

I am faced with a problem after ipsec configuration. Attached is the debug crypto message for ipsec, isakmp and engine. Hope to be able to get some light from you guys.


Jon Marshall Wed, 12/05/2007 - 02:34

Hi Cindy

1) Can you post the debug from both devices - sometimes it is helpful to see what both ends are doing.

2) When you run a "sh crypto isa sa" do you see "MM_NO_STATE" in the output?

It looks like it is failing on phase 1 - usually means one of 2 things:

1) There are no matching isakmp policies

2) The shared key does not match.

Could you post configs as well, together with the IP addressing details, i.e. what IP are you connecting from and what IP are you trying to connect to?
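
An added example, not part of the original thread: a Python sketch of the two phase 1 checks listed in the reply above (matching ISAKMP policies, matching shared key), run over two constructed IOS configs. The function names, addresses and keys are assumptions, the defaults are those of classic IOS, and policy lifetime is not compared.

```python
import re

# Classic IOS defaults for attributes a policy omits (assumption; check your release).
DEFAULTS = {"encryption": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_isakmp(config):
    """Return ({priority: attributes}, {peer_address: key}) from IOS config text."""
    policies, keys, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        k = re.match(r"crypto isakmp key (?:\d+ )?(\S+) address (\S+)", line)
        if m:
            current = policies.setdefault(int(m.group(1)), dict(DEFAULTS))
        elif k:
            keys[k.group(2)], current = k.group(1), None
        elif current is not None and raw.startswith(" "):
            word, _, value = line.partition(" ")
            word = "encryption" if word == "encr" else word  # "encr" is the short form
            if word in DEFAULTS:
                current[word] = value.strip()
        else:
            current = None  # any other top-level line ends the policy block
    return policies, keys

def phase1_problems(cfg_a, addr_a, cfg_b, addr_b):
    """List reasons IKE phase 1 could fail between router A and router B."""
    pol_a, keys_a = parse_isakmp(cfg_a)
    pol_b, keys_b = parse_isakmp(cfg_b)
    problems = []
    if not any(a == b for a in pol_a.values() for b in pol_b.values()):
        problems.append("no matching isakmp policy")
    key_a, key_b = keys_a.get(addr_b), keys_b.get(addr_a)
    if key_a is None or key_b is None:
        problems.append("pre-shared key missing for peer")
    elif key_a != key_b:
        problems.append("pre-shared key mismatch")
    return problems

# Constructed sample configs (documentation addresses, made-up key).
RTR_A = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ExampleKey1 address 198.51.100.1
"""
RTR_B = RTR_A.replace("hash md5", "hash sha").replace("198.51.100.1", "192.0.2.1")
print(phase1_problems(RTR_A, "192.0.2.1", RTR_B, "198.51.100.1"))
```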


cindylee27 Wed, 12/05/2007 - 18:16

Thanks Jon.

1) I am trying to get the debug, but seems like the debug is not running although I console in to the routers.

I have done a "term mon" but to no avail.

Did a "show debug" and the debugging is on.

Need your advice here.

2) There is no output.

The config is attached. and (ROUTERS' WAN CONNECTION) are on Interface FastEthernet and they are configured to crypto map.


Jon Marshall Wed, 12/05/2007 - 23:41


Can you confirm which IP address you are connecting from and which IP address you are connecting to?

The config looks fine as far as I can see.


cindylee27 Thu, 12/06/2007 - 06:05


PC ( - SW - (rtrira) WAN IP: <----> (rtrhbc) - SW - PC (

Not sure if this is clear to you, if not, let me know again ya..


cindylee27 Thu, 12/06/2007 - 16:39

Another info is..

I am trying to ping to to establish if the ipsec is working..but got request timed out..


Jon Marshall Thu, 12/06/2007 - 22:01


Contrary to what I said before, from the debugging it looks like Phase 1 is completing and Phase 2 is the issue.

Your configs look absolutely fine to me, the only thing that I wouldn't normally put in are the static routes to the remote networks, i.e.


ip route


ip route

You don't need these routes as the crypto access-lists, access-list 105 in your configs, are what tells the router how to reach the remote network.

Could you remove these static routes and try again?


cindylee27 Fri, 12/07/2007 - 00:28


Not sure how it happened..I removed the crypto config and put it back again.

Seems like it is working now.. :)

Thanks for your help again..

