crypto-IPSEC problem after configuration

cindylee27
Level 1

Hi Experts,

I am facing a problem after the IPsec configuration. Attached are the debug crypto messages for ipsec, isakmp and engine. Hope to get some light from you guys.

Thanks.


Jon Marshall
Hall of Fame

Hi Cindy

1) Can you post the debug from both devices - sometimes it is helpful to see what both ends are doing.

2) When you run a "sh crypto isa sa" do you see "MM_NO_STATE" in the output ?

It looks like it is failing on phase 1, which usually means one of two things:

1) There are no matching isakmp policies

2) The shared key does not match.

Could you post the configs as well, together with the IP addressing details, i.e. what IP are you connecting from and what IP are you trying to connect to?

Jon

Thanks Jon.

1) I am trying to get the debug, but it seems like the debug is not running although I console into the routers.

I have done a "term mon" but to no avail.

Did a "show debug" and the debugging is on.

Need your advice here.

2) There is no output.

The config as attached.

20.20.20.20 and 20.20.20.21 (ROUTERS' WAN CONNECTION) are on Interface FastEthernet and they are configured to crypto map.

Thanks.

Cindy

Can you confirm which IP address you are connecting from and which IP address you are connecting to.

The config looks fine as far as I can see.

Jon

Jon,

PC (192.168.1.1) - SW - 192.168.1.254 (rtrira) WAN IP: 20.20.20.20 <----> 20.20.20.21 (rtrhbc) 192.168.2.254 - SW - PC (192.168.2.1)

Not sure if this is clear to you; if not, let me know again, ya..

Thanks.

Another piece of info:

I am trying to ping 192.168.2.1 to establish if the IPsec is working, but I get "request timed out".

Thanks.

Cindy

Contrary to what I said before, from the debugging it looks like Phase 1 is completing and Phase 2 is the issue.

Your configs look absolutely fine to me; the only thing that I wouldn't normally put in are the static routes to the remote networks, i.e.

rtrhbc

ip route 192.168.1.0 255.255.255.0 20.20.20.20

rtrira

ip route 192.168.2.0 255.255.255.0 20.20.20.21

You don't need these routes as the crypto access-lists, access-list 105 in your configs, are what tells the router how to reach the remote network.

Could you remove these static routes and try again?

Jon
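To put Jon's Phase 1 checks and the crypto ACL he refers to in context, here is a complete two-router configuration as an added example; it is not the config attached to the thread. The addresses and ACL number come from the thread; interface numbers, ISAKMP policy parameters, names and the pre-shared key are assumptions.

```cisco
! Added example, not the thread's attached config: a minimal IOS site-to-site
! IPsec setup for the topology Cindy described. Interface numbers, ISAKMP policy
! parameters, names and the pre-shared key are assumptions/placeholders.
!
! ===== rtrira (LAN 192.168.1.0/24, WAN 20.20.20.20) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Phase 1 stalls in MM_NO_STATE when this policy or the key differs from the peer's
crypto isakmp key REPLACE_WITH_STRONG_PSK address 20.20.20.21
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL 105 selects the traffic to encrypt; it does not install a route
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 set peer 20.20.20.21
 set transform-set TS-AES
 match address 105
!
interface FastEthernet0/0
 ip address 20.20.20.20 255.255.255.0
 crypto map CM-VPN
!
! Packets for 192.168.2.0/24 must still be routed out the crypto-mapped
! interface; a default route via the WAN next hop is enough
ip route 0.0.0.0 0.0.0.0 20.20.20.21
!
! ===== rtrhbc (LAN 192.168.2.0/24, WAN 20.20.20.21) =====
! Same isakmp policy and transform set as above, then the mirror image:
crypto isakmp key REPLACE_WITH_STRONG_PSK address 20.20.20.20
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map CM-VPN 10 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set TS-AES
 match address 105
interface FastEthernet0/0
 ip address 20.20.20.21 255.255.255.0
 crypto map CM-VPN
ip route 0.0.0.0 0.0.0.0 20.20.20.20
!
! Checks after pinging 192.168.2.1 from 192.168.1.1:
!  show crypto isakmp sa   QM_IDLE = Phase 1 up; MM_NO_STATE = policy/key mismatch
!  show crypto ipsec sa    #pkts encaps/decaps should increase if Phase 2 works
!  debug output reaches the console only with "logging console" enabled;
!  "terminal monitor" only applies to vty (telnet/ssh) sessions
```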

Jon,

Not sure how it happened.. I removed the crypto config and put it back again.

Seems like it is working now.. :)

Thanks for your help again..
