Urgent help needed

The_guroo_2
Level 2

Guys, I have a site-to-site VPN. The VPN is up; only one PC has a problem connecting to the headend application server. When I did a debug I got the following line. Can someone please explain it to me? The IP range is included in the access-list; I have no idea what's going on.

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820

8 Replies

JORGE RODRIGUEZ
Level 10

Was this working, or is it a new L2L setup? If it was working, something must have changed in the IKE configuration. Check the complete IKE policy configuration and make sure both ends match, e.g. pre-share info, isakmp key, etc.

HTH

Jorge

Jorge Rodriguez

That is the issue: it was working fine and suddenly this thing happens. Do you have any idea what that means? I tried to look on the web but couldn't find any.

The question is: is the whole tunnel down, or is it just one connection from source to destination having issues? Do you have any other connection OK within the tunnel?

You will have to provide more information, as the other poster indicated ("show crypto ipsec sa"); you may also need to debug ("debug crypto isakmp"). But again, provide information as to whether the complete tunnel is down or whether it is one connection over the tunnel having issues.

Jorge Rodriguez

I am a little confused. Is this site to site VPN between two ASAs? Is it that only one PC has the issue? May need some config to look at

Satya

Only one connection is down. The tunnel is up and the other PCs are fine; only this one is having an issue. The strange thing is that the IP of this PC is included in the interesting traffic, and all the others are working except this one. What does this error mean? Can you please tell me?

Are you NATting the source PCs? If so, check whether NAT changed, and also whether the other end's ACL is permitting that one PC.

Jorge Rodriguez

It would help if you could turn on crypto isakmp debug to see what is going on between the source PC and the destination at the other peer.

debug crypto isakmp (turns on debugging)

no debug crypto isakmp ( off )

Then initiate interesting traffic to the destination server, capture the debug output, and post it.

Jorge Rodriguez

elparis
Cisco Employee

Could you provide the following information:

- crypto ACLs on both sides of the IPsec tunnel

- IP address of the PC that is having problems

- IP address of the application server

- Output from "sh cry ipsec sa"
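
The comparison the replies ask for (whether the crypto ACLs on both sides cover the one PC and the application server) can be checked offline. This is an added example, not part of any post in the thread; it assumes ASA-style `access-list ... extended permit ip` syntax, and the ACL names, entries and addresses are constructed.

```python
import ipaddress

# Constructed sample crypto ACLs (ASA-style syntax assumed); not from the thread.
LOCAL_ACL = """\
access-list VPN_ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list VPN_ACL extended permit ip host 10.1.5.20 10.2.2.0 255.255.255.0
"""
REMOTE_ACL = """\
access-list VPN_ACL extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
"""

def _take_net(tokens):
    """Consume one address spec from the token list: 'any', 'host A' or 'A MASK'."""
    head = tokens.pop(0)
    if head in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(text):
    """Return (src_net, dst_net) pairs for every 'permit ip' entry."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if "permit" not in tokens:
            continue
        rest = tokens[tokens.index("permit") + 1:]
        if not rest or rest[0] != "ip":
            continue
        rest = rest[1:]
        src = _take_net(rest)
        dst = _take_net(rest)
        entries.append((src, dst))
    return entries

def matches(entries, src, dst):
    """True if the src -> dst flow falls inside any permit entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in entries)

def check_flow(local_text, remote_text, pc, server):
    """The flow must match the local ACL and its mirror must match the peer's ACL."""
    return {
        "local": matches(parse_acl(local_text), pc, server),
        "remote_mirror": matches(parse_acl(remote_text), server, pc),
    }
```

With the constructed data, `check_flow(LOCAL_ACL, REMOTE_ACL, "10.1.5.20", "10.2.2.5")` reports a local match but no mirror entry on the peer, which is the kind of one-host mismatch the requested ACL comparison is meant to surface.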
