Federico Coto F... Fri, 04/23/2010 - 12:31


According to the debugs, it seems that phase 1 is up.

You should see phase 1 active with the command: sh cry isa sa (on both ends)

If this is the case (it seems like it), phase 2 is not establishing.

Check the status of phase 2 with the command: sh cry ips sa (on both ends)

If the problem is with phase 2, check the transform-set that you have assigned on each end for the crypto map and make sure the encryption and hash match on both sides (PFS either disabled on both ends or enabled on both ends).

I think the debugs that you attached are not the entire negotiation, but either way the problem seems to be with phase 2.


cscyangyu Fri, 04/23/2010 - 12:57

I don't think phase 1 was up, since the ISAKMP status is MM_NO_STATE. If the tunnel was up, the status should be QM_IDLE. The problem is that when I type the command show crypto isakmp sa, I find 3 entries for this tunnel: 2 are in MM_NO_STATE (deleted), 1 is in QM_IDLE. Even if I clear the ISAKMP SA, the result does not change.

Federico Coto F... Fri, 04/23/2010 - 13:32

The fact that you see the phase 1 SA in QM_IDLE means it is up.

The problem is then with phase 2.

Can you post/check the settings?


Federico Coto F... Mon, 04/26/2010 - 13:27

Since we have determined that the problem is on phase 2, then please check the following:

The phase 2 policy on the other end is set up for 3DES and SHA, and no PFS is used.

The interesting traffic matches the flow between the same hosts on the other side.
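The two checks suggested above (phase 1 state from "show crypto isakmp sa", then whether both ends agree on the phase 2 transform-set and PFS setting) as an added example, not from the thread: it parses a constructed "show crypto isakmp sa" output and compares constructed phase 2 settings for two hypothetical peers.

```python
import re

# Constructed sample output of "show crypto isakmp sa" (not from the thread),
# shaped like the poster's case: two stale MM_NO_STATE entries and one QM_IDLE.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        MM_NO_STATE    1001 ACTIVE (deleted)
10.0.0.2        10.0.0.1        MM_NO_STATE    1002 ACTIVE (deleted)
10.0.0.2        10.0.0.1        QM_IDLE        1003 ACTIVE
"""

# Constructed phase 2 settings for each peer (transform-set plus PFS group),
# as read off each end's crypto map / transform-set configuration.
SIDE_A = {"encryption": "esp-3des", "hash": "esp-sha-hmac", "pfs": None}
SIDE_B = {"encryption": "esp-3des", "hash": "esp-md5-hmac", "pfs": "group2"}


def phase1_state(show_output):
    """Return (live, stale) SA counts parsed from 'show crypto isakmp sa'.
    QM_IDLE means main mode completed and the SA is usable for phase 2;
    MM_NO_STATE rows (often marked '(deleted)') are leftovers of failed or
    torn-down main-mode exchanges and do not by themselves mean phase 1 is down."""
    live = stale = 0
    for line in show_output.splitlines():
        m = re.match(r"\S+\s+\S+\s+(\w+)\s+\d+\s+ACTIVE", line)
        if not m:
            continue  # header lines and anything not shaped like an SA row
        if m.group(1) == "QM_IDLE":
            live += 1
        elif m.group(1) == "MM_NO_STATE":
            stale += 1
    return live, stale


def phase2_mismatches(a, b):
    """Return the names of the phase 2 parameters on which the two ends differ
    (encryption, hash, PFS). An empty list means the settings agree and the
    next thing to check is the interesting-traffic ACL on each side."""
    return [k for k in ("encryption", "hash", "pfs") if a.get(k) != b.get(k)]


if __name__ == "__main__":
    print("phase 1 (live, stale):", phase1_state(ISAKMP_SA))
    print("phase 2 mismatches:", phase2_mismatches(SIDE_A, SIDE_B))
```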
