New Member

IPSec Problem between 3640 and 2801

I need to replace a 3640 with a 2801. I copied the configuration of the Cisco 3640 and pasted it to the new 2801, and I have a problem with the IPSec traffic between the central site and the remote sites: the encrypted traffic between sites apparently is discarded, because the return traffic is not detected in "show crypto ipsec sa". This configuration works perfectly on the 3640, but IPsec does not work properly on the 2801.

The differences between the 2 routers are the model, the IOS version, and that the 2801 has the IPS feature enabled.

Add the last configuration

8 REPLIES

Re: IPSec Problem between 3640 and 2801

hello orangel,

Can you please check the "debug crypto isakmp sa" & debug crypto ipsec ??? See where the tunnel exactly drops ? Phase 1 or Phase 2 ??

Post us the outputs if possible...

Thanks

Raj

New Member

Re: IPSec Problem between 3640 and 2801

Raj.

The VPN is UP, but there is no traffic between the PCs. I tested traffic between the routers and it is OK, and the statistics in "show crypto ipsec sa" indicate that the PCs' traffic is not being decrypted on the remote router.

Do the debugs work to see if the traffic is dropped even if the VPN is UP?

Re: IPSec Problem between 3640 and 2801

Hello

Are the end devices connected directly to the LAN on the router ?? I guess this might be problems with routing, if the tunnel is UP... Make sure the routing is clean...

See if the following doc helps you:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml#trafficdoes

Regards

Raj

New Member

Re: IPSec Problem between 3640 and 2801

The VPN to the remote sites is only connected on the serial interface; the crypto map on the FastEthernet interface is not used. This configuration works on the 3640, but the IPSec feature does not work correctly on the 2801.

Gold

Re: IPSec Problem between 3640 and 2801

You mentioned the VPN is up and the traffic between the routers is fine. The issue may be related to the ACL being applied on the interfaces.

For testing purposes, maybe you can un-apply all ACLs. At least we can isolate whether the issue is related to the ACL or not.

ovt Bronze

Re: IPSec Problem between 3640 and 2801

Try the following:

no crypto engine accelerator

Drop us a line if this helps.

New Member

Re: IPSec Problem between 3640 and 2801

Thanks.

ACL 190 on the serial interface was blocking the traffic. I do not understand the reason, because on the 3640 this ACL works and matches packets, and the 2801 blocks the traffic.
