Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IPsec L2L VPN Problem

We have ipsec vpn tunnel between cisco 2850 ipsec router and cisco 3015 concentrator. we used citrix traffic on this tunnel and it is working fine. When we replaced cisco 3020 concentrator for cisco 2850 router we have problem with citrix connectivity over the vpn.

Could you please some one clarify

is there any bug in the vpn between hardware based encryption model 3020 and software based encryption model 3015?

thanks in advance

  • Other Security Subjects

Re: IPsec L2L VPN Problem

there should be no drama at all.

regarding the connectivity issue, just wondering:

the tunnel is up and no citrix connectivity at all; or

the tunnel is up and citrix randomly disconnect.

also, how about other traffic? can you ping?

New Member

Re: IPsec L2L VPN Problem

Hi Jackko,

Many thanks for the reply. Please find the brief of history of our problem.

Earlier we used cisco 3005 at our end and the destination end peer device is cisco 3015 vpn concentrator. Normaly users vpn connection traffic alone passing though this ipsec tunnel and rest of network traffic routed company's firewall. Users connected to the destination end citrix servers over this ipsec vpn tunnel. Due to heavy usage (eventhough we have 12mbps bandwidth) of citix server activity the cpu usage of 3005 is always high.

We ordered cisco 3020 vpn concentrator and mean while we used cisco 2850 series router for this ipsec vpn tunnel.

We got a new 3020 vpn concentrator (hardware based SEP encryption) and when replaced this new 3020 concentrator we experience users unable to login to citrix servers but the same time tunnel is up and we can able to ping the cirix servers. If we reboot the vpn contrator then it started working fine. But some time later we experience same kind of problem.

After some trouble shooting we replaced another 3020 new vpn concentrator and again we have same issue.

Now we are running with cisco 2850 series router and we dont have any problem.



New Member

Re: IPsec L2L VPN Problem

Venkatesan -

Sounds like you have a bouncey tunnel. I would compare your local encryption domain with the opposite peer. So make sure your local encryption domain matches their remote encryption domain and vice versa. Concentrators are picky, if one side has hosts defined in the ACL then the otherside must do the same. If you are defining a subnet then the other side must do so as well.

I would match up your ACls.

New Member

Re: IPsec L2L VPN Problem

Thanks for the reply.

Normaly if we used 3020 concentrator for this ipsec tunnel after some time we got received malformed packets from the destination contineously. This we can see that ipsec inbound authentication failure counts are increased on monitoring-->Ipsec traffic.

We believe due to this the citrix connection dropped and we got a authentication failure to citrix connection. Same time tunnel is up and we can able to ping the citrix server.

Awaiting the reply eagerly.

This widget could not be displayed.