Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

2811 won't encrypt packets

I am trying to bring up a tunnel between my older 2811 and my new ISR 2811. The tunnel shows QM_IDLE with a sho cry isa sa on both devices but I can't ping across the /30 that I assigned to the tunnel interface and sho ip eigrp neigh doesn't show them as neighbors. I have 10 or so tunnels just like this on the older 2811 but this is the first attempt using the newer ISR 2811. I am using firmware version 12.4(15)T1 (C2800NM-ADVIPSERVICESK9-M). When I do a sho cry eng conn active I see decrypts but 0 encrypts. Help..

2 REPLIES

Re: 2811 won't encrypt packets

Hi,

Make sure that the VPN ACL is symmetric.

Router-A VPN ACL

Source: Network-A

Destination: Network-B

Router-B ACL

Source: Network-B

Destination: Network-A

Enable this debug in both router and post the output here (check the clock if correct before turning debug on).

Router# debug crypto isakmp

Router# debug crypto isakmp error

Router# debug crypto ipsec

Router# debug crypto pki

Do you have ACL in the interface of VPN Gateway? i.e. "ip access-group ACL# in/out". This ACL should not only include VPN Gateways but also networks permit to travel thru VPN tunnel.

Regards,

Dandy

New Member

Re: 2811 won't encrypt packets

from the vpn gateway

access-list 180 permit gre host xxx.xxx.3.70 host 64.209.111.130

from the 2811 ISR

access-list 180 permit gre host 64.209.111.130 host xxx.xxx.3.70

I have a blanket statement to let all VPN related traffic through on my outside facing interface on the vpn gateway both ways. I don't have an ACL yet on the interface on the 2811ISR. This is all I get from the debugs, on the 2811

Jan 14 10:40:32: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.

(ip) vrf/dest_addr= /141.131.3.70, src_addr= 64.209.111.130, prot= 47

on the 2811ISR

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:48.231: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:40:58.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:08.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:18.232: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:28.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

Jan 14 16:41:38.233: IPSEC(recalculate_mtu): reset sadb_root 47E1CC6C mtu to 1440

956
Views
0
Helpful
2
Replies