cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
186
Views
0
Helpful
1
Replies

Upgrade from 12.2 to 12.3 breaks IPSec

tato386
Level 6
Level 6

I recently upgraded a 1710 router from 12.2 to 12.3. The router was setup to do IPSec/GRE tunnels. After the upgrade, the router refuses to encapsulate any interesting traffic?! I checked and the config looks the same except for some misc. commands that 12.3 added. The ACL's and routing are the same. However, when I generate traffic for the tunnel the "sho cry ips sa" command shows 0 packets encap and 0 packet send errors. I removed and reapplied the crypto maps and that didn't do any good.

Any suggestions?

Thanks,

Diego

1 Reply 1

rlcarr
Level 1
Level 1

Before the router encrypts data it must successfully negotiate the Key and Encryption Domain.

Are you getting a successful phase 1 negotiation?

If you do a "show crypto isa sa" does your router show QM_IDLE with the peer.

In your Source / Dest columns is it using your outbound ISP address or the GRE Source address? (i.e Did the default mode change Tunnel vs. Transport modes)

~ron

CCNP, CCDA, CNE

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: