11-19-2007 06:24 PM - edited 03-11-2019 04:32 AM
Guys, I have a site-to-site VPN. The VPN is up; only one PC has got a problem connecting to the headend application server. When I did a debug I got the following line. Can someone please explain that to me? The IP range is included in the access-list; I have no idea what's going on.
IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x2000820
11-19-2007 07:03 PM
Was this working, or is it a new l2l setup? If it was working, something must have changed in the IKE configuration. Check the complete IKE policy configuration and make sure the information matches on both ends, e.g. pre-share info, isakmp key, etc.
HTH
Jorge
11-19-2007 07:31 PM
That is the issue: it was working fine and suddenly this thing happens. Do you have any idea what that means? I tried to look on the web but couldn't find anything.
11-19-2007 08:13 PM
The question is: is the whole tunnel down, or is it just one connection from source to destination having issues? Do you have any other connections OK within the tunnel?
You will have to provide more information, as the other poster indicated: "show crypto ipsec sa". You may also need to debug with "debug crypto isakmp". But again, provide information as to whether the complete tunnel is down or whether it is one connection off the tunnel having issues.
11-19-2007 08:31 PM
I am a little confused. Is this a site-to-site VPN between two ASAs? Is it that only one PC has the issue? May need some config to look at.
Satya
11-19-2007 10:09 PM
Only one connection is down. The tunnel is up and the other PCs are fine; only this one is having an issue. The strange thing is that the IP of this PC is included in the interesting traffic, and all the others are working except this one. What does this error mean? Can you please tell me?
11-20-2007 04:12 AM
Are you NATting the source PCs? If so, check whether the NAT changed, and also whether the ACL at the other end is permitting that one PC.
11-20-2007 01:36 PM
It would help if you could turn on crypto isakmp debug to see what is going on between the source PC and the destination at the other peer.
debug crypto isakmp (turns on debugging)
no debug crypto isakmp ( off )
and initiate interesting traffic to the destination server, capture the debug output and post it.
11-19-2007 07:23 PM
Could you provide the following information:
- crypto ACLs on both sides of the IPsec tunnel
- IP address of the PC that is having problems
- IP address of the application server
- Output from "sh cry ipsec sa"
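
The check the replies ask for (is this one PC's traffic to the application server covered by the crypto ACLs on both peers, and do the matching entries mirror each other), as an added example that is not part of the original thread. The ACL entries and addresses are constructed, and entries are written as CIDR pairs rather than device syntax.

```python
import ipaddress

# Constructed sample data: each crypto ACL entry is (source network, destination network).
LOCAL_ACL = [("10.1.1.0/24", "10.2.2.0/24"), ("10.1.3.0/24", "10.2.2.0/24")]
REMOTE_ACL = [("10.2.2.0/24", "10.1.1.0/25"), ("10.2.2.0/24", "10.1.3.0/24")]


def first_match(acl, src, dst):
    """Return the first entry (as network objects) that covers src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net in acl:
        sn, dn = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
        if s in sn and d in dn:
            return (sn, dn)
    return None


def check_flow(local_acl, remote_acl, pc, server):
    """Classify one PC -> server flow against both peers' crypto ACLs."""
    out = first_match(local_acl, pc, server)     # local peer: PC -> server
    back = first_match(remote_acl, server, pc)   # remote peer: server -> PC
    if out is None:
        return "not-interesting-locally"
    if back is None:
        return "not-permitted-by-remote"
    if (out[1], out[0]) != back:
        # Both sides cover the host, but the entries are not exact mirrors.
        return "covered-but-not-mirrored"
    return "mirrored"


if __name__ == "__main__":
    server = "10.2.2.50"
    for pc in ("10.1.3.5", "10.1.1.10", "10.1.1.200", "192.168.9.9"):
        print(pc, "->", server, ":", check_flow(LOCAL_ACL, REMOTE_ACL, pc, server))
```

A host in the upper half of 10.1.1.0/24 is interesting traffic locally but falls outside the remote /25 in this sample, which is the kind of one-PC-only difference worth ruling out before looking at the SA state.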