VPN troubleshooting questions

Jun 15th, 2008

If I have an L2L VPN tunnel configured and it is not coming up,

What is the sequence of the tunnel coming up?

For example, at what point should I see the access-lists for interesting traffic getting hits in the process?

If the tunnel does not successfully come up, should I expect to see no hits on the access-list even though the routing is ok?

My understanding is that the interesting traffic access-lists are part of phase 2, but it seems that these access-lists would have to be the first thing in the process to initiate phase 1.

Doesn't there have to be traffic destined for the remote tunnel LAN in order for phase 1 to start?

Also, I have seen several posts indicating to check the SA lifetimes on both ends. My understanding is that these do not have to match, and that the end with the shortest time will cause a rekey.

Is that not correct?

michael.leblanc Sun, 06/15/2008 - 16:41

A crypto ACL is used to identify traffic that requires crypto treatment.

When traffic matches permit Access Control Entries in the crypto ACL, it is passed to the crypto engine, and if IPSec SAs don't exist, Phase I should commence (i.e.: the establishment of a single bi-directional ISAKMP SA).

Once an ISAKMP SA was successfully established (Phase I), a secure channel would exist to facilitate the negotiation of IPSec SAs.

The crypto ACL does define the traffic that you wish to protect with IPSec (i.e.: Phase II) policy, as you've stated.

With respect to the ISAKMP lifetimes, if the lifetimes are NOT configured the same, the "initiator's" lifetime MUST be the longer of the two, or Phase I will not be completed successfully. The shorter lifetime will be the lifetime agreed to between the endpoints.
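The bring-up order described in the reply above (crypto ACL match first, then Phase I, then Phase II), as an added, constructed Python model that is not Cisco code or the poster's; the ACL entries, addresses and the `phase1_ok` flag are assumptions used to show that a crypto ACL records hits even when Phase I never completes:

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Ace:
    """One crypto ACL entry: permit = needs IPsec, deny = send in the clear."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    hits: int = 0

def make_ace(action, src, dst):
    return Ace(action, ipaddress.ip_network(src), ipaddress.ip_network(dst))

@dataclass
class Tunnel:
    acl: list                 # ordered crypto ACL (constructed example data)
    phase1_ok: bool           # assumption: would ISAKMP negotiation succeed?
    isakmp_sa: bool = False   # Phase I result: one bidirectional ISAKMP SA
    ipsec_sa: bool = False    # Phase II result: IPsec SAs for this ACL
    log: list = field(default_factory=list)

    def classify(self, src, dst):
        """Crypto ACL lookup. The hit counter moves here, before any IKE."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for ace in self.acl:
            if s in ace.src and d in ace.dst:
                ace.hits += 1
                return ace.action == "permit"
        return False          # implicit deny: routed normally, no crypto

    def send(self, src, dst):
        """Walk one packet through ACL -> Phase I -> Phase II -> encrypt."""
        if not self.classify(src, dst):
            return "bypass"
        if not self.ipsec_sa:
            if not self.isakmp_sa:
                self.log.append("phase1")
                if not self.phase1_ok:
                    self.log.append("phase1-failed")
                    return "dropped"   # ACL hit already counted, tunnel never came up
                self.isakmp_sa = True
            self.log.append("phase2")
            self.ipsec_sa = True
        return "encrypted"

def hit_counts(tunnel):
    return [ace.hits for ace in tunnel.acl]
```

Once both SAs exist, later packets are encrypted without re-running either phase, which is why a rising hit count with no ISAKMP SA points at Phase I rather than at routing or the ACL.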

wilson_1234_2 Mon, 06/16/2008 - 11:25

Thanks for the reply.

Excellent answer.

Why do you think you wasted your time?

I look for all answers to the questions that I post.

Sometimes I get a slightly different answer and it helps to understand.

Thank you.

michael.leblanc Mon, 06/16/2008 - 13:28


It may serve your needs to post the same question in multiple Cisco forums, but it results in the unnecessary duplication of others' efforts.

If you had posted in a single forum, I would have seen that your post had been adequately answered by another respondent, and would have:

1. Supplemented the other respondent's post if I had more to offer.

2. Otherwise, moved on to helping someone else.

When I donate my time to compose a response, and then find that the expenditure of my time was in vain, that doesn't sit well with me.

My issue is not with you personally, but rather the practice of double-posting. To me the practice seems self-serving, and doesn't demonstrate respect for the efforts of others.

I appreciate you asking (rather than responding with flames), and considering my views.
