Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN site-to-site router upgrade problem


I have several site-to-site IPSEC VPN tunnels(using pre-shared keys) built from several 3640's(using FastEthernet) running IOS 12.2-17 to a VPN 7140 agragate(Also via FastEthernet) running IOS 12.2-15.T8. All has worked well for years. I am now upgrading all remote VPN endpoints (3640's) to 1841(FastEthernet) running IOS Advance Security 12.4-10a(with F/W and IPS turned off). One site is switched to an 851(FastEthernet) running IOS Advanced Security 12.3-8.YI2(Also with F/W and IPS turned off). All VPN endpoints are still using the exact same pre-shared keys to the VPN 7140 agragate. The tunnels work well initially allowing all IP traffic to a specific subnet and a small range of UDP packets to another subnet. After 15 - 30 minutes of inactivity of the application using the UDP packets I start to see the following messages on all endpoint 1841 and 851 routers:

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

When this message appears the small UDP packet range stops traveling through the tunnel. However all IP packets to the other subnet still works fine. The problem is cleared if I run a "clear cry sa" on all endpoint routers as well as on the 7140 VPN agragate until the UDP packet inactivity at the remote endpoints begins again. I've tried upgrading the IOS on the 7140 VPN agragate to IOS 12.3-12e to no avail. I tried switching the IOS on the remote 1841 routers to the IOS Advanced IP Services 12.4-10a(No F/W or IPS features built in) thinking that there may be a default F/W or IPS setting turned on with the Advanced Security 12.4-10a even though both features are turned on by default and the problem still persists.

Is there some sort of incompaibility issue between the newer Cisco routers(1800 series and 800 series) and the older Cisco model set that I am missing here? Any help would be greatly appreciated.


Re: VPN site-to-site router upgrade problem

Can you try add following command on both endpoints:

crypto map local-address

where interface is you outside interface

It binds crypto map to physical outbound interface


New Member

Re: VPN site-to-site router upgrade problem


The recommended command did not work. I also tried adding a crypto keep alive statement to re-negotiate the SA every 5 minutes of tunnel idl-time and that still did not work. Please see attached VPN endpoint and agragate router configs for additional information. Furthermore, the debug crypto ipsec and debug crypto isakmp commands show that there are outbound SAs after applying the command. The debug commands also show activity for ports 500, 51, 0 and ports in the range identified by the tunnel endpoint acls. Are the ISAKMP ports 500 and 51 supposed to traverse through the tunnel as well?