Dialer Backup link stops working after Crypto Map is applied on the Dialer

Unanswered Question
Jun 18th, 2008
User Badges:


When the Crypto Map with IPSec configuration is applied on the Dialer Interfaces between two Locations (Branch & Data Center) - I have noticed Branch Location's ISDN Dialer interface configured as Backup for its E1 Leased Line is not establishing the Backup connection to the Data Center. The problem here is after the Crypto Map is applied on the Dialer Interface and when the Primary Leased Line fails, the Branch never places a call to the Data Center (verified on the Data Center router - sh isdn active / sh isdn history). Hence no IP / Layer 3 connectivity.

But when the Crypto Map is removed from the Dialer Interfaces. It all works fine, Branch successfully places a call to the Data Center and then IP Connectivity for forwarding the traffic.

Attached are the configuration of ISDN Backup and the IPSec / Crypto Map configuration of Branch & Data Center.

Please, REQUEST some one to help me solve this problem.


Keshava Raju.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Pravin Phadte Wed, 06/18/2008 - 03:39
User Badges:
  • Silver, 250 points or more


can you try config the dailer inter as below:

- conf t

- interface

- ip tcp adjust-mss 1200

Hope this helps



keshavahp Wed, 06/18/2008 - 22:29
User Badges:

Hi Mr. Praveen,

I have tried configuring ip tcp adjust-mss on the LAN interface of the Branch and the DC Router. Still the status is same and ISDN at the Branch do not work once Crypto Map is applied.

It is a Cisco 3825 Router at both Branch and DC end with IOS 12.4 (3)G.

Can this be a IOS Bug issue? infact i have tried upgrading it to 12.4 (10), downgrading to 12.4 (3) and 12.3 (11)YZ2. Still it does'nt work.

Pravin Phadte Thu, 06/19/2008 - 01:17
User Badges:
  • Silver, 250 points or more


It can be a bug but not so sure.

It seems to be a bit difficult for me to understand the way you have configured the crypto.

I would suggest you to add the dialer interface in the access-list on both sides of the router.

access-list 116 permit ip host




This Discussion