I have set up IPSec between two routers, and have enabled the debug crypto isakmp, debug crypto ipsec and debug engine commands on both routers. When I use an extended ping from the source router's internal interface to the peer router's internal interface, no debugging information is shown. What's wrong?
Do you see any console messages? If you've logged in remotely and are not physically on the console port, you have to enable the display of console messages on your terminal. Use the command "term mon".
If you have done this already, then I'd start checking your crypto map and access lists. Check the ACLs, the crypto map and make sure the crypto map is applied to the interface.
Can the SA negotiations be initiated? After the ping, use the command "show crypto isakmp sa" to get the status. If there is no ISAKMP SA, perhaps there are some problems in your configuration; you'd better check the ACLs and their binding to the map, as well as applying the map to the interface.
Yes, I can see some console messages, and I also use the command "term mon" from the remote console port, but it doesn't work.
I want to see the debugging information for the following reason.
We set up IPSec between two 2610 routers to connect two private networks addressed 192.168.x.0 and 192.168.y.0. NAT is not used in our system, and we use proxies for Internet access. After the following configuration it works fine (the internal private networks can see each other). After one month, we powered off one of the routers for about 30 minutes and restarted it, and the connection failed. After 12 days it works again without much change to the configuration. The following is the configuration. I want to know whether there is any bad influence on the Internet from the non-NAT private addresses, because during the failure time we find some strange routing information on the Internet.
In my short (two weeks!) experience with ipSec, I've found that once the connection comes up, if one router is restarted, the other router retains the initial session number and rejects any attempt to renegotiate with the restarted router.
Adding "crypto isakmp keepalive 60" to each of the isakmp policies overcomes this, as the router that hasn't been restarted will send a keepalive after each minute - finding that the router at the other end has restarted will result in renegotiating.
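The checks suggested in the replies above (ACL bound to the crypto map, crypto map applied to an interface, ISAKMP keepalive present) can be run offline against a saved running-config. This is an added example, not code from the thread: the function name `audit_ipsec_config` is hypothetical, the sample config is constructed with placeholder addresses, and the keepalive check only looks for a top-level `crypto isakmp keepalive` line.

```python
import re

# Constructed sample: only the lines the checks below look at (addresses are placeholders).
SAMPLE_OK = """\
crypto isakmp keepalive 60
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 match address 110
interface Serial0/0
 crypto map VPN
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def audit_ipsec_config(text):
    """Return findings for: ACL bound to map, map applied to interface, keepalive."""
    maps, applied, acls, section = {}, set(), set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command starts a new section
            section = None
            m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp", line)
            if m:
                section = ("map", m.group(1))
                maps.setdefault(m.group(1), set())
            elif line.startswith("interface "):
                section = ("if", None)
            m = re.match(r"(?:ip access-list extended|access-list) (\S+)", line)
            if m:
                acls.add(m.group(1))
        elif section and section[0] == "map" and line.startswith("match address "):
            maps[section[1]].add(line.split()[2])   # ACL the map uses to select traffic
        elif section and section[0] == "if" and line.startswith("crypto map "):
            applied.add(line.split()[2])            # map bound to this interface
    findings = []
    if not maps:
        findings.append("no crypto map defined")
    for name, refs in sorted(maps.items()):
        if not refs:
            findings.append(f"crypto map {name}: no 'match address' ACL")
        findings += [f"crypto map {name}: ACL {a} is not defined" for a in sorted(refs - acls)]
        if name not in applied:
            findings.append(f"crypto map {name}: not applied to any interface")
    if not re.search(r"^crypto isakmp keepalive \d+", text, re.M):
        findings.append("no 'crypto isakmp keepalive' configured")
    return findings

if __name__ == "__main__":
    print(audit_ipsec_config(SAMPLE_OK) or "all checks passed")
```

An empty result only means the bindings exist; whether the ACLs on the two peers mirror each other still has to be checked by comparing both configs.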