New Member

Troubleshooting VPN tunnel

I have a Cisco 800 connected via the Internet to a PIX 506e. The tunnel works fine but suddenly stops passing traffic. IPsec and IKE tunnels are both up. What is happening?

The output from sh crypto ipsec sa follows:

interface: outside
    Crypto map tag: dyn-map, local addr. 10.1.145.19

   local ident (addr/mask/prot/port): (172.21.19.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 200.66.37.179:500
     PERMIT, flags={}
    #pkts encaps: 26, #pkts encrypt: 26, #pkts digest 26
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

2 REPLIES
Silver

Re: Troubleshooting VPN tunnel

The output you posted shows packets being encrypted; these are being sent, but no packets are being received. Can you run the crypto debug and try to capture the output when the link stops passing IPsec packets?

New Member

Re: Troubleshooting VPN tunnel

I tried to capture the output with debug crypto:

PixNT# sh debug
debug crypto ipsec 1
debug crypto isakmp 1
debug crypto engine
debug crypto ca 1
PixNT#

and I only got the following message:

ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0
ISADB: reaper checking SA 0x10b3414, conn_id = 0

No other message appears in the console output.

The show crypto ipsec sa and isakmp sa outputs are:

PixNT(config)# sh crypto isakmp sa
Total     : 1
Embryonic : 0
        dst            src        state     pending   created
    10.1.145.19    200.66.38.12   QM_IDLE         0         2

PixNT(config)# sh crypto ipsec sa

interface: outside
    Crypto map tag: dyn-map, local addr. 10.1.145.19

   local ident (addr/mask/prot/port): (172.21.19.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
   current_peer: 200.66.38.12:500
     PERMIT, flags={}
    #pkts encaps: 282146, #pkts encrypt: 282146, #pkts digest 282146
    #pkts decaps: 296455, #pkts decrypt: 296455, #pkts verify 296455
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.145.19, remote crypto endpt.: 200.66.38.12
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 40cb5390

     inbound esp sas:
      spi: 0x4daca730(1303160624)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4582781/11332)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x40cb5390(1087067024)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: dyn-map
        sa timing: remaining key lifetime (k/sec): (4592643/11327)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

PixNT(config)#
PixNT(config)#

Can you find what is happening?

Thank you
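
The counter reading used in the first reply (packets encrypted, none decrypted) only works on a fresh SA; on a long-lived tunnel like the second output, both counters are large and the stalled direction shows up only as a difference between two snapshots. The following is an added example, not part of the original thread: Python that parses sh crypto ipsec sa text and classifies each SA pair by counter deltas. The function names and the LATER snapshot are constructed for illustration.

```python
import re

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((.*?)\)")
PEER = re.compile(r"current_peer:\s*(\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Map (local ident, remote ident, peer) -> {'encaps': n, 'decaps': n}."""
    sas, cur = {}, {}
    for line in text.splitlines():
        if m := IDENT.search(line):
            if m.group(1) == "local":   # a "local ident" line opens a new entry
                cur = {}
            cur[m.group(1)] = m.group(2)
        elif m := PEER.search(line):
            cur["peer"] = m.group(1)
        for name, value in COUNTER.findall(line):
            key = (cur.get("local"), cur.get("remote"), cur.get("peer"))
            sas.setdefault(key, {})[name] = int(value)
    return sas

def traffic_direction(before, after):
    """Classify each SA pair by counter deltas; the counters are cumulative."""
    result = {}
    for key, now in after.items():
        prev = before.get(key, {})
        sent = now.get("encaps", 0) - prev.get("encaps", 0)
        rcvd = now.get("decaps", 0) - prev.get("decaps", 0)
        if sent < 0 or rcvd < 0:
            state = "counters-went-backwards"   # deltas are not reliable
        elif sent and not rcvd:
            state = "outbound-only"             # we encrypt, nothing comes back
        elif rcvd and not sent:
            state = "inbound-only"
        else:
            state = "bidirectional" if sent else "idle"
        result[key] = (state, sent, rcvd)
    return result

HEAD = ("local ident (addr/mask/prot/port): (172.21.19.0/255.255.255.0/0/0)\n"
        "remote ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)\n"
        "current_peer: 200.66.38.12:500\n")
FIRST = HEAD + (  # counter lines copied from the second output in this thread
    "#pkts encaps: 282146, #pkts encrypt: 282146, #pkts digest 282146\n"
    "#pkts decaps: 296455, #pkts decrypt: 296455, #pkts verify 296455\n")
LATER = HEAD + (  # constructed follow-up snapshot: encaps moved, decaps did not
    "#pkts encaps: 282190, #pkts encrypt: 282190, #pkts digest 282190\n"
    "#pkts decaps: 296455, #pkts decrypt: 296455, #pkts verify 296455\n")

if __name__ == "__main__":
    print(traffic_direction(parse_sas(FIRST), parse_sas(LATER)))
```

Passing an empty dict as the earlier snapshot treats the counters as absolute, which reproduces the first reply's reading of the original post (encaps 26, decaps 0).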
