
Cisco 2811 VPN Issue

Hello -

I more or less have a simple question; I cannot figure out why my VPN config is not working. I don't get any connection attempts from either side, and nothing is showing on the debug. Simply put, I am connecting my 2811 to my main site, which runs an AdTran 4430. I will provide all the information needed to diagnose the issue.

2811 Information:

# show version

Version 12.4(11)T

# show run


crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key keyomitted address
!

crypto ipsec transform-set TT esp-3des esp-md5-hmac

crypto map Total-Tec 10 ipsec-isakmp
 set peer
 set security-association lifetime seconds 28800
 set transform-set TT
 set pfs group1
 match address 103

interface FastEthernet0/0
 ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map Total-Tec

interface FastEthernet0/1
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

interface Serial0/0/0
 ip address

ip route

no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload

access-list 1 permit
access-list 103 permit ip


# show crypto map

Crypto Map "Total-Tec" 10 ipsec-isakmp
        Peer =
        Extended IP access list 103
            access-list 103 permit ip
        Current peer:
        Security association lifetime: 4608000 kilobytes/28800 seconds
        PFS (Y/N): Y
        DH group:  group1
        Transform sets={
        Interfaces using crypto map Total-Tec:


# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: Total-Tec, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

# show crypto isakmp sa
dst             src             state          conn-id slot status
# show access-lists
Standard IP access list 1
    10 permit, wildcard bits
Extended IP access list 103
    10 permit ip

# show crypto ipsec transform-set
Transform set TT: { esp-3des esp-md5-hmac  }
   will negotiate = { Tunnel,  },

AdTran 4430:

Initiate Mode: Main
Respond Mode: Main
Preshared Key: keyomitted
NAT Traversal: Disabled V1 - Allow V2  (Note: I've played with various settings on this)
PFS: Group 1
Lifetime: 28800
DH Group: 2
Lifetime: 28800
Source Networks:
Destination Networks:

The strange thing with all this is that I don't see anything in my debug logs on either side. On top of that, I don't see anything wrong with either config; I have tried various things like rebuilding all the crypto maps, using different initiate/respond modes (on the AdTran) and playing with the NAT traversal settings. I just can't get it to work, so hopefully someone will have an idea.


Re: Cisco 2811 VPN Issue


Can you PING between public IPs on both ends? Make sure there's IP connectivity between both sides.

If there's connectivity... is there a firewall or a device in front of either side that might be blocking UDP 500 or ESP?

One test is to configure an ACL entry applied to the outside interface of the router (in the inbound direction) to allow UDP and ESP and check if that ACL is getting hitcounts when trying to initiate the tunnel from the remote end.



Re: Cisco 2811 VPN Issue

Wow - Thank you for the quick response. To answer your questions...

Yes, there is public connectivity from both ends, i.e. from one router I can ping the other.

No devices in front of these routers. The AdTran in this case is the firewall and does not have any policy configured to block UDP 500. I literally see no traffic to it from the Cisco, or vice versa.

Good idea about the ACL for UDP on the outside interface; however I would expect to see something in my debug logs;  I just don't see any traffic from either end.

Re: Cisco 2811 VPN Issue


Sometimes, if there's no ISAKMP negotiation exchange taking place between both ends, you won't see anything on the debugs.

I mean, the router could be configured correctly, but it does not find the IPsec peer, so it won't show much on the debugs since there's no negotiation taking place.

I would suggest checking, with the ACL, whether the VPN packets are reaching the router when trying to initiate the tunnel from the other end.

