We have a set of 3845s with HSRP on the LAN and the WAN. The 3845s are behind a Juniper (NAT traversal with 1-to-1 NAT), which is the internet router (gateway). I have a Cisco 871 on the internet that can build its IPsec tunnel to the Natted physical IPs of the 3845s but will not build its tunnel to the HSRP VIP address.
3845 IP 192.168.245.45------
                            |-------VIP 192.168.245.44
3845 IP 192.168.245.46------
The above is Natted to the following and all three are Natted.
Juniper IP 12.x.x.45------
                          |------- 12.x.x.44
Juniper IP 12.x.x.46------
The 3845 shows the following message when attempting to build an IKE session on the VIP address:
*May 27 16:29:38.423: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:33:24.055: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
*May 27 16:38:56.735: %CRYPTO-4-IKMP_NO_SA: IKE message from 70.42.209.188 has no SA and is not an initialization offer
The 871 spoke increments the connection ID and builds QM_IDLE over and over and never deletes the older sessions.
Any ideas?
TIA!
Message was edited by: Gerard Roy - Head End Config added