Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

1720 VPN client 12211T+3.6+FW+NAT+SPLIT Tunnel-Connect but no pings/traffic

Unanswered Question
Aug 22nd, 2002
User Badges:

I have the above configuration and followed to the tee the tech note:


I can now connect, prompted for username/password, get assigned an address and my client says its encrypting the correct packets, but none are returning.

Any ideas? I am wondering if I have to do anything with NAT here as I have before but nothing I see in the tech notes say anything about this. Great notes for PIX's not so great for IOS.

The IOS version is 12.2.11T1

Here is part of the config-keys are there but removed for security

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2


crypto isakmp client configuration group ******

pool vpnpool

acl 150

crypto ipsec transform-set remotes esp-3des esp-sha-hmac


crypto dynamic-map dyn-remotes 1

set transform-set remotes



crypto map remotes client authentication list vpnauth

crypto map remotes isakmp authorization list groupauthor

crypto map remotes client configuration address initiate

crypto map remotes client configuration address respond

crypto map remotes 1 ipsec-isakmp dynamic dyn-remotes

Thanks in advance for the help


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
adaggers Fri, 08/23/2002 - 11:38
User Badges:

I have been playing around with 3.6 client and 12.2(8)T5 and 12.2(11)T on a 2611 and have similar problems. Have followed examples on CCO and found that despite having the encrypt/decrypt counters going up on the client, the router refuses to send back any encrypted traffic. Despite seeing spi info for both inbound and outbound connections AND these counters incrementing, my sniffer doesn`t see any esp coming back from the router. In fact the client in my case is sending 2 pings: 1 is esp and encrypted and 1 is clear icmp. This points to a major bug. I wonder if anyone at Cisco has actually put a sniffer on these connections coz they`d realise that despite everything looking correct, it doesn`t work. Even doing a sh cryp engine conn active shows everything working hunkey dorey with counters increasing but....the sniffer never lies and it definately ain`t working! Best of luck with your endeavours but I don`t think any amount of tinkering with your config will change matters


adaggers Wed, 08/28/2002 - 14:44
User Badges:

Hi there - I posted my question on the newsgroup comp.dcom.sys.cisco a couple of days ago on and came back with an answer that solved my problem - try putting the new command "reverse route injection" under your dynamic-crypto map. This may not solve your problem but I was sure I had configured everything correctly, and I hadn`t!


This Discussion