Cisco Support Community
Community Member

Urgent help needed

Guys, I have a site-to-site VPN. The VPN is up; only one PC has a problem connecting to the headend application server. When I did a debug I got the following line. Can someone please explain it to me? The IP range is included in the access-list. I have no idea what's going on.

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820


Re: Urgent help needed

Was this working, or is it a new L2L setup? If it was working, something must have changed in the IKE configuration. Check the complete IKE policy configuration and make sure both ends have matching information, e.g. pre-share info, isakmp key, etc.



Community Member

Re: Urgent help needed

That is the issue: it was working fine and suddenly this thing happened. Do you have any idea what that means? I tried to look on the web but couldn't find anything.

Re: Urgent help needed

The question is: is the whole tunnel down, or is it just one connection from source to destination having issues? Do you have any other connection OK within the tunnel?

You will have to provide more information, as the other poster indicated: "show crypto ipsec sa". You may also need to debug with "debug crypto isakmp". But again, provide information as to whether the complete tunnel is down or whether it is one connection off the tunnel having issues.

Community Member

Re: Urgent help needed

I am a little confused. Is this a site-to-site VPN between two ASAs? Is it that only one PC has the issue? May need some config to look at.


Community Member

Re: Urgent help needed

Only one connection is down. The tunnel is up and the other PCs are fine; only this one is having an issue. The strange thing is the IP of this PC is included in interesting traffic, and all the others are working except this one. What does this error mean? Can you please tell me?

Re: Urgent help needed

Are you NATting the source PCs? If so, check whether the NAT changed, and also whether the other end's ACL is permitting that one PC.

Re: Urgent help needed

It would help if you could turn on crypto isakmp debug to see what is going on between the source PC and the destination at the other peer.

debug crypto isakmp (turns on debugging)

no debug crypto isakmp (turns off debugging)

Then initiate interesting traffic to the destination server, capture the debug output, and post it.

Cisco Employee

Re: Urgent help needed

Could you provide the following information:

- crypto ACLs on both sides of the IPsec tunnel

- IP address of the PC that is having problems

- IP address of the application server

- Output from "sh cry ipsec sa"
