ISAKMP fails to start

Aug 20th, 2008

I am attempting to establish a VPN between a Pix515e and a Cisco 7206VXR router. I have no control of the 7206VXR as it is owned by another company.

I'm trying to set up a LAN to LAN VPN, actually a server on my end, to a Class C on the other end. The requirement is my internal server needs to use one of my public addresses when communicating through the VPN to this remote subnet.

I have NAT set up to NAT my server's internal address to a public address when the traffic is destined for this remote subnet. The ACL counter for this NAT translation increments when I ping from my server to the remote side, so it appears this is working.

I have another ACL used by my IPSec setup to define interesting traffic. This ACL uses my NATTED public address and the remote subnet to define what is interesting. When I ping I see the counter on this ACL incrementing.

Now for the problem: when I run debug crypto isakmp I get nothing, except for what's happening with my other VPNs.

I am stumped. Even though interesting traffic is apparently being seen, what could be causing the Pix to not attempt the key exchange at all?


Richard Burts Thu, 08/21/2008 - 11:17

Is it possible that something is not matching up right in your config? Could the access list specified in the crypto map not quite match the identifier of the access list? Is it possible that the peer address used in configuring the shared key is not quite the same as the peer address in the crypto map? Is it possible that packets sourced from the address used by IPSec do not have IP connectivity to the peer address?



dennylester Fri, 08/22/2008 - 15:00


I want to thank you both for responding.

I was 100% sure everything was set up correctly. It was surprising that nothing was showing while running debug.

While Googling the issue, the VPN ended up coming up after an hour or so. Perhaps the remote end was down.

Thank you again for responding. If you have any insight on why the debug mode wasn't showing anything, I'd be interested in hearing about it.


Farrukh Haroon Sat, 08/23/2008 - 03:46

Are you receiving routes for the 'destination' of the VPN via a dynamic routing protocol?

It could be that you did not know how to reach the other end of the VPN, therefore the VPN was not kicking in. As soon as it came up, the VPN encr/decr started.



