Help troubleshooting VPN on 877

Unanswered Question
May 12th, 2010

Hi,

I'm trying to establish a site-to-site VPN connection but can't get traffic to pass through.

Please see the crypto show command output:

U-PoS-877-01#show crypto ipsec sa

interface: Dialer1
    Crypto map tag: IPSEC_VPN, local addr 194.105.178.182

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.105.178.182, remote crypto endpt.: 194.105.164.41
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 208, #recv errors 0

     local crypto endpt.: 194.105.178.182, remote crypto endpt.: 194.105.164.41
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: IPSEC_VPN, local addr 194.105.178.182

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 194.105.178.182, remote crypto endpt.: 194.105.164.41
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 208, #recv errors 0

     local crypto endpt.: 194.105.178.182, remote crypto endpt.: 194.105.164.41
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

U-PoS-877-01#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
194.105.164.41  194.105.178.182 QM_IDLE           2023 ACTIVE

IPv6 Crypto ISAKMP SA

Any help and advice would be greatly appreciated.

spremkumar Wed, 05/12/2010 - 04:29

Hi Tracey,

What kind of traffic are you referring to here? Are your ping/trace results normal?

Have you tried tracing the remote end IPs once the tunnel is up? Do a trace and check where your trace is getting stuck; that may help you to nail the problem.

Regards

Jennifer Halim Wed, 05/12/2010 - 05:31

Phase 1 is up; however, Phase 2 is not up yet, as there are no inbound or outbound SAs.

If you can share the config from the other end too, that would help. Or run "debug crypto ipsec" to see what it's failing on.
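
The check described in the reply above (Phase 1 up, no Phase 2 SAs), as an added example that is not part of the original thread: a Python parser that reads "show crypto ipsec sa" and "show crypto isakmp sa" text and lists the protected flows whose peer has an ACTIVE QM_IDLE ISAKMP SA but whose outbound SPI is still 0x0. The function names are assumptions; the sample is trimmed from the Dialer1 output posted above.

```python
import re

# Sample trimmed from the Dialer1 output posted in this thread.
SAMPLE_IPSEC = """\
interface: Dialer1
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (10.10.200.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.11.0/255.255.255.0/0/0)
   current_peer 194.105.164.41 port 500
    #send errors 208, #recv errors 0
     current outbound spi: 0x0(0)
"""
SAMPLE_ISAKMP = "194.105.164.41  194.105.178.182 QM_IDLE           2023 ACTIVE\n"

# One regex per field of interest; each captures a single value.
FIELDS = {
    "local": r"local\s+ident.*?:\s*\(([\d.]+/[\d.]+)",
    "remote": r"remote\s+ident.*?:\s*\(([\d.]+/[\d.]+)",
    "peer": r"current_peer\s+([\d.]+)",
    "send_errors": r"#send errors\s+(\d+)",
    "spi": r"current outbound spi:\s*(0x[0-9A-Fa-f]+)",
}

def parse_ipsec_sa(text):
    """Return one dict per protected flow (local/remote ident pair)."""
    flows, iface = [], None
    for line in text.splitlines():
        m = re.match(r"interface:\s*(\S+)", line)
        if m:
            iface = m.group(1)
        for key, pat in FIELDS.items():
            m = re.search(pat, line)
            if not m:
                continue
            if key == "local":  # a local ident line starts a new flow
                flows.append({"interface": iface})
            if flows:
                flows[-1][key] = m.group(1)
    return flows

def flows_without_phase2(ipsec_text, isakmp_text):
    """Flows whose peer is ACTIVE/QM_IDLE in ISAKMP but has no IPsec SA (SPI 0)."""
    up = {ip for l in isakmp_text.splitlines() if "QM_IDLE" in l and "ACTIVE" in l
          for ip in l.split()[:2]}
    return [f for f in parse_ipsec_sa(ipsec_text)
            if f.get("peer") in up and int(f.get("spi", "0x0"), 16) == 0]
```

On the sample, both flows to 194.105.164.41 are returned, and the 10.10.11.0 flow carries the 208 send errors seen in the posted output.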

Venture101 Wed, 05/12/2010 - 07:17

Hi Halijenn,

Thanks for getting back to me.  It's appreciated.  The remote end is configured by a third party.  They are saying it's my config.

See attached for remote end configuration and crypto isakmp debug!

Cheers,

TC
