01-12-2006 04:18 PM - edited 02-21-2020 02:11 PM
I need to replace a 3640 with a 2801. I copied the configuration of the Cisco 3640 and pasted it to the new 2801, and I have a problem with the IPSec traffic between the central site and the remote sites: the encrypted traffic between sites is apparently discarded, because the return traffic is not detected in "show crypto ipsec sa". This configuration works perfectly on the 3640, but IPsec does not work properly on the 2801.
The differences between the 2 routers are the model, the IOS version, and that the 2801 has the IPS feature enabled.
Add the last configuration
01-13-2006 06:54 AM
Hello orangel,
Can you please check "debug crypto isakmp sa" and "debug crypto ipsec"? See where exactly the tunnel drops: Phase 1 or Phase 2?
Post us the outputs if possible...
Thanks
Raj
01-13-2006 08:49 AM
Raj.
The VPN is UP, but there is no traffic between the PCs. I tested traffic between the routers and it is OK, and the statistics in "show crypto ipsec sa" indicate that the PCs' traffic is not decrypted on the remote router.
Do the debugs work to see if the traffic is dropped even if the VPN is UP?
01-13-2006 09:05 AM
Hello
Are the end devices connected directly to the LAN on the router? I guess this might be a problem with routing, if the tunnel is UP. Make sure the routing is clean.
See if the following doc helps you:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#trafficdoes
Regards
Raj
01-13-2006 12:03 PM
The VPN to the remote sites is connected only on the serial interface; the crypto map on the FastEthernet interface is not used. This configuration works on the 3640, but the IPSec feature does not work correctly on the 2801.
01-13-2006 04:37 PM
You mentioned the VPN is up and the traffic between the routers is fine. The issue may be related to the ACL being applied on the interfaces.
For testing purposes, maybe you can un-apply all ACLs. At least we can isolate whether the issue is related to the ACL or not.
01-16-2006 12:05 AM
Try the following:
no crypto engine accelerator
Drop us a line if this helps.
01-17-2006 08:02 AM
Thanks.
ACL 190 on the serial interface blocked the traffic on the serial interface. I do not understand the reason, because on the 3640 this ACL works and matches packets, and the 2801 blocks the traffic.