Re: IPSEC - ESP not working after changing transit router

philip · ‎05-27-2003

I replaced a 3640 transit router with a 7204 and it broke my network-to-network tunnel between (2) 2600 IOS VPN. The tunnel is up but the networks can not ping each other. When I failback to the 3640 the networks can ping each other again.

jfrahim · ‎05-27-2003

Hi there,

You will need to do some additional troubleshooting to find out the cause of the problem. What you can do is to check if the 2600 router on one side is encrypting the tunnel. If it is, try and see if the other side is decrypting it and vice-versa. If you are not getting the packets on the other side of the tunnel, then you might have to do debug ip packet with an ACL applied on the 7200 router to see what's going on with the ESP packets

Jazib

philip · ‎05-28-2003

I was able to see that encrypt and decrypt counters were incrementing on both ends when I did a sh crypto engine connections active. But is that ESP?

jfrahim · ‎05-28-2003

If you saw encrypts/decrypts, then it seems like your router is getting the ESP packets from the other side. Encrypts/decrypts counters are ESP packets, unless you are using NAT-T which is introduced in 12.2(15)T

Jazib

philip · ‎06-02-2003

After futher debug i received this mesage:

3w0d: IP: s=65.118.89.130 (FastEthernet0/0), d=208.45.249.68 (FastEthernet0/1), len 112, encapsulation failed, proto=50

The encapsulation is failing., But it only fails when the 7200 is in place when I replace the router with the legacy transit router everything is ok. Is this an ARP issue. If so where does the problem lie.