11-28-2006 09:47 AM - edited 02-21-2020 02:44 PM
I am trying to configure a VPN tunnel between a Cisco 800 router and a NetScreen-25 firewall. I am able to complete Phase 1, but Phase 2 debugs show "peer not found". What am I missing?
11-28-2006 06:48 PM
Jack,
The crypto configuration on the 800 router has overlapping access-lists.
Crypto map access-lists 115 and 116 are overlapping, meaning the destination is the same network and they are to two different peers.
access-list 115 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31
Also, access-list 116 has a destination of 192.168.103.64 0.0.0.31, which is your network.
Please update the configuration and try to bring up the tunnel.
Let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **
11-28-2006 10:50 AM
Hello,
Would it be possible for you to upload the config from the Cisco 800 series router?
Thanks
Gilbert
11-28-2006 05:08 PM
11-29-2006 07:26 AM
Jack,
Also take a look at ACL 117:
access-list 117 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 117 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31
You do not need the second entry.
Cheers
Gilbert
- Rate it, if it helps -
11-30-2006 09:56 AM
Arul,
That did the trick. I removed the overlapping peer and removed the access lists that weren't being used. Thanks for your help.
Jack.
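Added example (not part of the original thread and not Cisco's code): a small Python check for the two crypto ACL problems pointed out above, run over the ACL lines quoted in the thread. It assumes each ACL number is bound to a crypto map entry for a different peer and that 192.168.103.64/27 is the router's local network; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample input: the ACL lines quoted in the thread.
SAMPLE_CONFIG = """\
access-list 115 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 116 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31
access-list 117 permit ip 192.168.103.64 0.0.0.31 192.168.101.0 0.0.0.255
access-list 117 permit ip 192.168.101.0 0.0.0.255 192.168.103.64 0.0.0.31
"""
# Assumption: this is the router's inside network ("your network" in the thread).
LOCAL_NET = ipaddress.ip_network("192.168.103.64/27")

ACE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)$")

def wildcard_net(addr, wildcard):
    """Turn an address and a contiguous wildcard mask into an ip_network."""
    netmask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(netmask)}", strict=False)

def parse_aces(config):
    """Return (acl_number, source_net, dest_net) for each 'permit ip' line."""
    aces = []
    for line in config.splitlines():
        m = ACE.match(line.strip())
        if m:
            acl, src, swc, dst, dwc = m.groups()
            aces.append((acl, wildcard_net(src, swc), wildcard_net(dst, dwc)))
    return aces

def audit(config, local_net):
    """Return (ACL pairs selecting the same traffic, ACLs with a local destination)."""
    aces = parse_aces(config)
    overlaps, reverse = set(), set()
    for i, (acl, src, dst) in enumerate(aces):
        if dst.overlaps(local_net):   # entry written in the return direction
            reverse.add(acl)
        for other, osrc, odst in aces[i + 1:]:
            if other != acl and src.overlaps(osrc) and dst.overlaps(odst):
                overlaps.add(tuple(sorted((acl, other))))
    return sorted(overlaps), sorted(reverse)

if __name__ == "__main__":
    pairs, reverse = audit(SAMPLE_CONFIG, LOCAL_NET)
    print("ACLs selecting the same traffic:", pairs)
    print("ACLs with an entry whose destination is the local network:", reverse)
```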