Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1177
Views
0
Helpful
2
Replies

2811 won't encrypt packets

cirrushelpdesk
Level 1
Level 1

‎01-11-2008 09:35 AM - edited ‎02-21-2020 01:51 AM

I am trying to bring up a tunnel between my older 2811 and my new ISR 2811. The tunnel shows QM_IDLE with a sho cry isa sa on both devices but I can't ping across the /30 that I assigned to the tunnel interface and sho ip eigrp neigh doesn't show them as neighbors. I have 10 or so tunnels just like this on the older 2811 but this is the first attempt using the newer ISR 2811. I am using firmware version 12.4(15)T1 (C2800NM-ADVIPSERVICESK9-M). When I do a sho cry eng conn active I see decrypts but 0 encrypts. Help..

0 Helpful
2 Replies 2

Danilo Dy
VIP Alumni
VIP Alumni

‎01-11-2008 09:37 PM

Hi,

Make sure that the VPN ACL is symmetric.

Router-A VPN ACL

Source: Network-A

Destination: Network-B

Router-B ACL

Source: Network-B

Destination: Network-A

Enable this debug in both router and post the output here (check the clock if correct before turning debug on).

Router# debug crypto isakmp

Router# debug crypto isakmp error

Router# debug crypto ipsec

Router# debug crypto pki

Do you have ACL in the interface of VPN Gateway? i.e. "ip access-group ACL# in/out". This ACL should not only include VPN Gateways but also networks permit to travel thru VPN tunnel.

Regards,

Dandy

0 Helpful

cirrushelpdesk
Level 1
Level 1
In response to Danilo Dy

‎01-14-2008 08:43 AM

from the vpn gateway

access-list 180 permit gre host xxx.xxx.3.70 host 64.209.111.130

from the 2811 ISR

access-list 180 permit gre host 64.209.111.130 host xxx.xxx.3.70

I have a blanket statement to let all VPN related traffic through on my outside facing interface on the vpn gateway both ways. I don't have an ACL yet on the interface on the 2811ISR. This is all I get from the debugs, on the 2811

Jan 14 10:40:32: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /141.131.3.70, src_addr= 64.209.111.130, prot= 47

on the 2811ISR

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card