EZVPN 861 connects but does not see VPN network

dave.hicks
Level 1

Hello all

I have been banging my head against the wall on an issue and I would love some help if possible. I am a recent CCENT and a beginner on Cisco VPN. I set up my 851w running IOS c850-advsecurityk9-mz.124-15.T11.bin using the CCP without any problem. So I began setup of the Cisco 861 running IOS c860-universalk9-mz.150-1.M3.bin in much the same way. I used the CCP to configure the EZVPN server for client connections. The clients connect fine and work the first time. If I try to connect a second time then it will authenticate and connect, but I get no access to the internal private network. The split tunnel seems to be working fine, as I can access the internet, but I cannot ping the router internally or access anything on the VPN network. If I do a reload of the router, it works the first time and then not the second time. Please, someone tell me this sounds familiar.

Thanks for any help.


Yudong Wu
Level 7

Can you provide the following info?

- running config
- reload the router and then connect to it via VPN. From the client side, issue a ping to an internal host and then capture
  show crypto ipsec sa
  sh ip route
- disconnect VPN and connect the VPN client back again, issue a ping to an internal host and then capture
  show crypto ipsec sa
  sh ip route

Here is my running config, slightly modified for passwords and IPs etc.

Mostly I have messed around with NAT and Access list settings so those are different than the default coming from the CCP setup but it has acted the same throughout those changes.

I will attempt to reload and get the other info tonight and post a bit later.

Thanks for the reply

Current configuration : 5802 bytes
!
! Last configuration change at 01:09:20 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4168762193
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4168762193
revocation-check none
rsakeypair TP-self-signed-4168762193
!
!
crypto pki certificate chain TP-self-signed-4168762193
certificate self-signed 01


  quit
ip source-route
!
!
ip dhcp excluded-address 192.168.53.1
ip dhcp excluded-address 192.168.53.200 192.168.53.254
ip dhcp excluded-address 192.168.53.140
!
ip dhcp pool ccp-pool
   import all
   network 192.168.53.0 255.255.255.0
   default-router 192.168.53.1
   dns-server 192.168.53.253 8.8.8.8
   lease 0 2
!
!
ip cef
ip domain name example.com
ip name-server 192.168.53.253
!
!
license udi pid CISCO861-K9 sn ----------------
!
!
username myuser privilege 15 secret 5 mypassword
crypto ctcp port 10000
!
!
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group mygroup
key mykey
dns 192.168.53.1
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group mygroup
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0
switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN PORT$ETH-WAN$
ip address xxx.xxx.xxx.xxx 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.53.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.20
ip default-gateway xxx.xxx.xxx.xxx
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.53.253 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.53.253 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.53.253 8843 interface FastEthernet4 8843
ip nat inside source static tcp 192.168.53.253 8443 interface FastEthernet4 8443
ip nat inside source route-map rmap_nat interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.xxx
!
ip access-list extended OVERLOAD
deny   ip 192.168.53.0 0.0.0.255 10.10.10.0 0.0.0.255
permit ip 192.168.53.0 0.0.0.255 any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.53.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.53.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map rmap_nat permit 10
match ip address OVERLOAD
!
!
control-plane
!
alias exec save copy run start
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end

I am again attempting to not show public IPs so I have edited a bit but I see where something is wrong.

When running show ip route, I noticed that there is a line that shows with the successful connection:

S        10.10.10.10/32 [1/0] via remoteipaddress, Virtual-Access2

It is missing on the unsuccessful connection.

For the show crypto ipsec sa I got

Successful connection:

router#show crypto ipsec sa
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr VPNPUBLICIP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.10/255.255.255.255/0/0)
   current_peer REMOTEIPADDRESS port 1263
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 15, #pkts decrypt: 15, #pkts verify: 15
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: VPNPUBLICIP, remote crypto endpt.: REMOTEIPADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x5E1E5249(1579045449)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A9F1BC7(715070407)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4540476/3571)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5E1E5249(1579045449)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4540480/3571)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Failed connection:

router#show crypto ipsec sa
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr VPNPUBLICIP

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
   current_peer REMOTEIPADDRESS port 1275
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: VPNPUBLICIP, remote crypto endpt.: REMOTEIPADDRESS
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xCDFE847F(3456009343)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xDB016305(3674301189)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3, flow_id: Onboard VPN:3, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4580327/3578)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCDFE847F(3456009343)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4, flow_id: Onboard VPN:4, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4580331/3578)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Can you try the following to see if it fixes the issue?

1. use a different IP NOT within subnet 10.10.10.0/24 for the Loopback0 interface
2. reconfigure ACL 100 and remove "access-list 100 permit ip 10.10.10.0 0.0.0.255 any".

Thanks for the suggestions but alas, we have not found it. I showed the changes in the running config below. Same exact thing with the missing static route in the show ip route too.

interface Loopback0
ip address 172.16.1.1 255.255.255.0
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.53.0 0.0.0.255
access-list 100 permit ip 192.168.53.0 0.0.0.255 any
no cdp run
route-map rmap_nat permit 10
match ip address OVERLOAD

Not sure why the static route was not injected into the routing table after the tunnel is up.

It looks like a bug to me.

Could you try the version which is working on the 850 router?

Well I am a little bit of a newbie like I said and I guess I was not sure if it would be a good idea to downgrade the firmware on the 861. I am accessing it remotely and I will have to try that later so I don't take it down and lose my access. Guess it is good to know it might be a bug rather than I am doing something wrong.

Thanks for the help

It is probably hitting this bug:

CSCth39861    RRI route may not be added to the RT (DVTI configuration)

which is a duplicate of

CSCta53372    RRI static route disappears from routing table on interface shut/no-shut
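A check for the symptom this thread isolates (an ACTIVE IPsec SA whose client /32 has no RRI static route toward its Virtual-Access interface, with decaps counting up while encaps stays at 0), written as an added example that is not part of the original thread or of any Cisco tool. The sample outputs are constructed from the "show crypto ipsec sa" and "show ip route" excerpts above with documentation addresses substituted, and the regexes assume the IOS text layout shown there.

```python
import re

# Constructed samples modelled on the thread's second (failed) connection; not real captures.
SA_FAILED = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 203.0.113.1
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.11/255.255.255.255/0/0)
   current_peer 198.51.100.7 port 1275
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 13, #pkts decrypt: 13, #pkts verify: 13
"""
ROUTE_FAILED = """\
S*    0.0.0.0/0 [1/0] via 203.0.113.14
C     192.168.53.0/24 is directly connected, Vlan1
"""
# Same table with the RRI route present, as seen on the first (working) connection.
ROUTE_OK = ROUTE_FAILED + "S        10.10.10.11/32 [1/0] via 198.51.100.7, Virtual-Access2\n"

def mask_to_len(mask):
    return sum(bin(int(o)).count("1") for o in mask.split("."))

def parse_ipsec_sas(text):
    """One dict per 'interface:' block: DVTI name, client prefix, packet counters."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"\s*interface:\s+(\S+)", line)
        if m:
            sas.append({"iface": m.group(1), "remote": None, "encaps": 0, "decaps": 0})
            continue
        if not sas:
            continue
        m = re.search(r"remote ident.*?\((\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/", line)
        if m:
            sas[-1]["remote"] = f"{m.group(1)}/{mask_to_len(m.group(2))}"
        for key in ("encaps", "decaps"):
            m = re.search(rf"#pkts {key}:\s+(\d+)", line)
            if m:
                sas[-1][key] = int(m.group(1))
    return sas

def rri_routes(text):
    """(prefix, interface) pairs for static routes RRI installed via a Virtual-Access."""
    pat = r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+\S+,\s+(Virtual-Access\d+)"
    return {(m.group(1), m.group(2)) for m in re.finditer(pat, text, re.M)}

def missing_rri(sa_text, route_text):
    """SAs whose client prefix has no RRI route: the thread's symptom in one list."""
    routes = rri_routes(route_text)
    return [sa for sa in parse_ipsec_sas(sa_text)
            if sa["remote"] and (sa["remote"], sa["iface"]) not in routes]

if __name__ == "__main__":
    for sa in missing_rri(SA_FAILED, ROUTE_FAILED):
        print(f"{sa['iface']}: no route for {sa['remote']}, "
              f"encaps={sa['encaps']} decaps={sa['decaps']} (one-way traffic)")
```

Feed it the two commands' output captured after each client connection; an empty list from missing_rri means every active client has its return route.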

duane
Level 1

I was having the exact same issue. I was running c890-universalk9-mz.150-1.M3.bin. The last person to post (Yudong Wu) gave me what I needed to resolve the issue. I upgraded to M4 and the static routes get added back like they are supposed to without a reload or resetting RRI.

Cisco IOS Release 15.0(1)M4 is a rebuild release for Cisco IOS Release 15.0(1)M. The caveats in this section are resolved in Cisco IOS Release 15.0(1)M4 but may be open in previous Cisco IOS releases.

CSCta53372

Symptoms: A VPN static route is not seen in the RIB after an interface is shut down and brought back up (shut/no shut).

Conditions: Configure the crypto client and server routers in such a way that the session is up and RRI installs a static route on the server that is pointing to the client IP address. Now shut down the interface on the server router that is facing the client. The RRI static route disappears from the RIB and never reappears.

Workaround: Reset the RRI session.

Thanks for the replies. After waiting for weeks for my order to get my first smartnet contract in place, I upgraded to c860-universalk9-mz.150-1.M4 and all is fine now.
