Real basic config here people. I have an IPsec config from 2600 to Pix and an ACL limited to one host at either end. When the Pix end initiates the tunnel everything is ok, but there is no communication between the hosts (i.e. pings fail).
The router cannot initiate the tunnel at all and it looks as though there is a routing issue. I have defined a single host-to-host ACL and this is in my crypto map, which has been configured on my ethernet port. When I debug the ACL and ping from the router-side host I can see traffic arrive at the router, but it does not bring the tunnel up.
I'm baffled and sure it's something very simple. IOS Ver 12.1
I have removed the local-address statement but it's still not working. I have a feeling that the frame relay configuration on the serial interface was causing me problems as I originally had the tunnel terminating on this interface but was having problems getting traffic up in either direction. I thought that it was because they haven't defined sub interfaces for their traffic. Wasn't sure really though!
I have since upgraded from 12.0 to 12.1 though .. and at your suggestion have changed the interface .. I am now getting IPsec traffic across .. thanks so much!
During the typical life of the IKE SA, as defined by the RFCs, packets are only exchanged over this SA when an IPSec QM negotiation is required at the expiration of the IPSec SAs. For a Cisco IOS device the default lifetime of an IKE SA is 24 hours and that of an IPSec SA is one hour. As mentioned earlier there is no standards-based mechanism for either type of SA to detect loss of a peer, except when the QM negotiation fails. These facts imply that for IOS defaults an IPSec termination point could be forwarding data into a black hole for as long as one hour before the protocol detects a loss of connectivity.
By implementing a keepalive feature over the IKE SA in Cisco IOS software, Cisco has provided network designers with a simple and non-intrusive mechanism for detecting loss of connectivity between two IPSec peers. The keepalive packets by default are sent every 10 seconds. Once three packets are missed, an IPSec termination point concludes that it has lost connectivity with its peer.
I believe it's possible to do this, I believe you can also identify multiple peers in your 2600 crypto map so if the first is unavailable it tries the second.
I have had it occur that when a secondary address is defined on an interface, the crypto map has used the secondary address rather than the primary for negotiation. It's visible using the show crypto ipsec sa command on the router.
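Pulling the thread's advice together (a host-to-host crypto ACL on the ethernet interface from the first post, IKE keepalives from the Cisco excerpt above, a second peer in the crypto map as the previous reply suggests, and pinning the negotiation address so a secondary interface address is not picked up), here is an added illustrative IOS configuration. It is not taken from the original poster's router or from Cisco documentation; all addresses, names and the pre-shared key placeholder are constructed, and it assumes a current IOS image (older 12.1 trains lack AES and DH group 14 and would use 3DES/SHA and group 2 instead).

```cisco
! --- Added example, not the poster's config. Addresses are constructed (RFC 5737 ranges).
! Phase 1 (IKE) policy. Lifetime shown is the 24 h IOS default mentioned above.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
!
! One pre-shared key per remote peer (placeholder values, replace before use).
crypto isakmp key REPLACE-WITH-PSK-1 address 203.0.113.2
crypto isakmp key REPLACE-WITH-PSK-2 address 203.0.113.3
!
! IKE keepalives: probe every 10 s, declare the peer dead after 3 misses,
! so a black hole is detected in ~30 s instead of up to the 1 h IPsec SA lifetime.
crypto isakmp keepalive 10 3
!
! Phase 2 (IPsec) transform set; the SA lifetime left at the 1 h default.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Crypto ACL: exactly one host at each end, mirrored on the far side.
ip access-list extended VPN-HOST-TO-HOST
 permit ip host 192.168.1.10 host 192.168.2.10
!
! Crypto map with a primary and a backup peer. IOS tries the peers in the
! order listed when the first does not answer (as the reply above describes).
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set peer 203.0.113.3
 set transform-set TS-AES-SHA
 match address VPN-HOST-TO-HOST
!
! Pin the IKE/IPsec source to the primary interface address, so a secondary
! address on the interface is never used for negotiation (the symptom noted above).
crypto map VPNMAP local-address FastEthernet0/0
!
! The crypto map is applied on the outside ethernet interface, not on a
! frame-relay serial interface without sub-interfaces.
interface FastEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
```

To confirm the tunnel is using the intended source address and peer, `show crypto ipsec sa` lists the local/remote endpoints for each SA, and `show crypto isakmp sa` shows the IKE SA state; with keepalives enabled, a peer that stops answering is torn down after the configured retries rather than after the SA lifetime expires.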
Question: I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router. The following licenses have been activated on my router: