IPsec and ACS problem at router 3845

Unanswered Question
Jun 5th, 2008

Hi everybody,

Recently we replaced an old Cisco router model 2522 with a model 3845 to apply an IPsec configuration. It was as follows:

crypto isakmp policy X
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key [email protected] x.y.z.w

After applying the previous configuration, we discovered that login to the router through ACS gives failed authentication.

My question is: how did the IPsec configuration affect logging in through the ACS server?

I appreciate your prompt response to solve this problem.


royalblues Thu, 06/05/2008 - 10:46

Do you see any reason in the failed authentication attempts in the ACS?

Can you post the AAA config as well as the interesting traffic that is used for the encryption?


Richard Burts Thu, 06/05/2008 - 11:48


I wonder if the authentication request is perhaps matching the access list used to identify traffic for IPSec encryption and that is causing it to fail at ACS.

If that is the case I suspect that there will not be anything useful in the logs of ACS (since ACS would not have known that it was an authentication request) but Narayan's suggestion to check the logs is a good place to start. His request for configuration details would also be helpful.



omyma1234 Sat, 06/07/2008 - 23:20

Hi Narayan

Actually we have peer-to-peer routers, one of them a model 2811 and the other a 3845.

The AAA configuration on the 3845 router is:

aaa authentication login default group acs local
aaa authentication ppp default group tacacs+
aaa authorization exec default group acs local
aaa authorization network default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
tacacs-server host x.y.z.w
tacacs-server host s.d.f.g
tacacs-server key -----------

Waiting for your reply.


cisco24x7 Sun, 06/08/2008 - 03:25

1- Does AAA traffic go through the IPSec tunnel?

2- If it does, you may have to source AAA traffic from one of the interfaces that will also be part of the IPSec interesting traffic.

3- If #2 is correct, you also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845.
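
Added example, not part of the original thread: a Python check of whether the router's TACACS+ connection to ACS (TCP port 49) matches a crypto ACL for a given source address, which is the question the replies above raise. The ACL, addresses and interface names are constructed placeholders; only `any`, `host` and wildcard address forms with a numeric destination `eq` port are handled.

```python
import ipaddress

# Constructed sample crypto ACL (not from the thread); all addresses are placeholders.
CRYPTO_ACL = "permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255\n"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take_addr(tok):
    """Consume one address spec from the token list; return (base, wildcard) as ints."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _ip(tok.pop(0)), 0
    return _ip(word), _ip(tok.pop(0))

def _addr_match(spec, addr):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (_ip(addr) & care) == (base & care)

def crypto_acl_action(acl_text, proto, src, dst, dport):
    """First-match evaluation: 'permit' = selected for IPsec, 'deny' = sent in the clear."""
    for line in acl_text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        action, ace_proto = tok.pop(0), tok.pop(0)
        s, d = _take_addr(tok), _take_addr(tok)
        port = int(tok[1]) if tok[:1] == ["eq"] else None
        if ace_proto not in ("ip", proto) or (port is not None and port != dport):
            continue
        if _addr_match(s, src) and _addr_match(d, dst):
            return action
    return "deny"  # implicit deny: the flow is not selected for encryption

def tacacs_report(acl_text, sources, acs_ip):
    """For each candidate source address, how TACACS+ (tcp/49) to ACS is treated."""
    return {name: crypto_acl_action(acl_text, "tcp", ip, acs_ip, 49)
            for name, ip in sources.items()}

if __name__ == "__main__":
    # Hypothetical interfaces: a WAN address outside the ACL and a loopback inside it.
    sources = {"Serial0/0/0 (WAN)": "192.0.2.1", "Loopback0": "10.10.0.1"}
    for name, action in tacacs_report(CRYPTO_ACL, sources, "10.20.0.5").items():
        path = "inside the tunnel" if action == "permit" else "outside the tunnel"
        print(f"{name}: TACACS+ goes {path}")
```

Whichever source address the router uses is the address ACS sees, so it has to match the AAA client entry defined on ACS. On IOS the source can be pinned with `ip tacacs source-interface`.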

omyma1234 Sun, 06/08/2008 - 14:49

Hi everybody,

Could you please give me more details about the ACS interesting traffic configuration?

About your recommendation that "you also need to change the AAA setting on the ACS to reflect the IP address that will be coming from the Cisco 3845":

Do you mean adding a new entry to the ACS server using the IP address of the IPsec tunnel?

