I am trying to establish a site-to-site VPN tunnel between two offices. One office has a Cisco 1841 and the other a pair of ASA 5510s. I get the tunnel to establish without a problem. The problem is that the traffic going to the 1841 destined for the ASA will not encrypt for this particular tunnel. I get decaps on the session but no encaps. I have reconfigured the tunnel several times but keep getting the same result:
    Interface: FastEthernet0/1
    Session status: UP-ACTIVE
    Peer: 126.96.36.199 port 500 fvrf: (none) ivrf: (none)
          Phase1_id: 188.8.131.52
          Desc: (none)
      IKE SA: local 184.108.40.206/500 remote 220.127.116.11/500 Active
              Capabilities:(none) connid:98 lifetime:23:45:02
      IPSEC FLOW: permit ip 192.168.5.0/255.255.255.0 10.0.96.0/255.255.240.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 17 drop 0 life (KB/Sec) 4569995/2704
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4569996/2704
I would start by looking into your routing, NAT, and ACL configurations. Is this router in the default routed path for the hosts that you are trying to reach via the tunnel? If not, you may need to add static routes or configure RRI and a routing protocol in order to resolve this. If the return traffic is getting to the router, ensure that it is not being blocked by an input ACL. Also make sure that the return traffic is being exempted from any NAT policies that you may have.
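The three things the reply above says to check, laid out as an added IOS configuration example (this is not the poster's configuration and not taken from the thread). The local subnet 192.168.5.0/24, the remote subnet 10.0.96.0/20, the peer 220.127.116.11 and the interface FastEthernet0/1 come from the show output in the question; the ACL names, crypto map name, transform set, the sequence number and the upstream next hop 203.0.113.1 are assumptions.

```cisco
! Added example, not the original poster's config.
! Subnets, peer and interface are taken from the "show crypto session detail"
! output in the question; everything else is assumed.

! 1. NAT exemption. On IOS, inside-to-outside NAT runs BEFORE the crypto map
!    check, so a deny for the VPN pair must sit above the permit. If the
!    source is translated first it no longer matches the crypto ACL and the
!    packet leaves in the clear: decaps counted, encaps stay at 0.
ip access-list extended NAT-ACL
 deny   ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255
 permit ip 192.168.5.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface FastEthernet0/1 overload

! 2. Crypto ACL. Must be the exact mirror of the ASA side (same masks), and
!    the /20 must be written as a /20, not a /24, or the flow will not match.
ip access-list extended VPN-TO-ASA
 permit ip 192.168.5.0 0.0.0.255 10.0.96.0 0.0.15.255

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel

crypto map VPN-MAP 20 ipsec-isakmp
 set peer 220.127.116.11
 set transform-set ESP-AES-SHA
 match address VPN-TO-ASA
 reverse-route         ! RRI: injects 10.0.96.0/20 into the RIB pointing at the peer

! 3. Routing. Traffic for the remote subnet has to exit the interface that
!    carries the crypto map; a static route works if RRI is not used.
!    203.0.113.1 is an assumed upstream next hop (documentation address).
ip route 10.0.96.0 255.255.240.0 203.0.113.1

interface FastEthernet0/1
 ip nat outside
 crypto map VPN-MAP

interface FastEthernet0/0
 ip nat inside
```

After applying something like this, useful checks are `show ip nat translations | include 192.168.5.`, which should show no translations toward 10.0.96.0/20, `show crypto map`, which should list the crypto ACL under the map entry on FastEthernet0/1, and `show ip route 10.0.96.1`, which should resolve out FastEthernet0/1. If the outbound counter in `show crypto ipsec sa peer 220.127.116.11` stays at 0 while the NAT table still shows the VPN flow being translated, the NAT exemption is the piece that is missing.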
I copied the same config that I made for another tunnel that is working. This router serves as the DG for all machines. There are no inbound ACLs that would affect this traffic. I am even getting hits on the configured access-list that the traffic needs to match. When I run a trace from a machine, it hits the router and then goes outside without encrypting. When I run a trace from the same machine to another location, it encrypts and travels over the tunnel.
I don't even know what other debugs to run besides debug crypto ipsec and debug crypto isakmp that would help.