I have a 3 hub-and-spoke network in which all 3 CS2801 have an L2L IPSec tunnel to the other 2 routers. I also have VPN Client connections to all 3 routers, and here is where the problem begins:
- SITE A (main site) has 3 different internet links: 1 for IPSec L2L to site B, 1 for IPSec L2L to site C, and the other gives regular local Internet access and is the link we use to connect the VPN Clients. We have some problems with some kinds of remote connections where the local modem/router has no capability to do VPN-Relay or IPSec port forwarding.
- SITE B and C: both use just one Internet link for the 2 L2L IPSec tunnels plus the VPN Client connections and all is working fine.
After several hours of troubleshooting I have no more suggestions.
Use debug commands to find the symptoms causing this problem:
- debug crypto ipsec: Displays information about IPsec events.
- debug crypto isakmp: Displays messages about Internet Key Exchange (IKE) events.
- debug packet if_name [src source_ip [netmask mask]] [dst dest_ip [netmask mask]] [[proto icmp] | [proto tcp [sport src_port] [dport dest_port]] | [proto udp [sport src_port] [dport dest_port]] [rx | tx | both]: Displays the packets that hit the specified interface. This command is useful when you determine the type of traffic on the inside interface of PIX first. This command is also used to verify that the translation intended does occur.
- logging buffered level: Sends syslog messages to an internal buffer that is viewed with the show logging command. Use the clear logging command to clear the message buffer. New messages append to the end of the buffer. This command is used to view the translation that is built. Logging to the buffer must be turned on when required. Turn off logging to buffer with no logging buffer level and/or no logging on.
- debug icmp trace: Shows Internet Control Message Protocol (ICMP) packet information, the source IP address, and the destination address of the packets that arrive at, depart from, and traverse the PIX Firewall. This includes pings to the PIX Firewall unit's own interfaces. Use no debug icmp trace to turn off debug icmp trace.
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: