
New Member

IPSec VPN is not coming up...

Hi Experts,

Is there any way by which we can say for sure that port 500 is blocked at the ISP side?

My IPSec VPN between two Cisco routers in a production network is not coming up, and experts are saying that port 500 is blocked somewhere in between the ISP devices.

Thanks

6 REPLIES
Super Bronze

IPSec VPN is not coming up...

Hi,

I would personally generate traffic on one site and check the outputs on the devices to confirm whether the remote end sees the L2L VPN negotiation, and also confirm whether it sends a message back to the local router.

First you should perhaps put a continuous ICMP from some host that is supposed to go through the L2L VPN to the remote network.

I would then check the output of this command on the local router

show crypto isakmp sa

You could also check the same output from the remote end device.

We would need to see those outputs while traffic matching the L2L VPN configurations is being sent to the router.

Take the output of the above command multiple times while you are generating traffic (depending on how far the negotiation goes, the output of the command might vary when you give it multiple times).

- Jouni

Super Bronze

IPSec VPN is not coming up...

Also,

Naturally, if you are able, you could also capture traffic on the sites in front of the routers to see if the UDP/500 traffic is seen coming to your routers.

- Jouni

New Member

IPSec VPN is not coming up...

Hi JouniForss,

Thanks for your valuable response!!!

I have tried what you mentioned; below is the output from the local router:

Router##sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
59.x.x.x   10.x.x.x    MM_NO_STATE          0    0 ACTIVE
59.x.x.x   10.x.x.x    MM_NO_STATE          0    0 ACTIVE (deleted)

Router##sh crypto session remote 59.x.x.x
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 59.x.x.x port 500
  IKE SA: local 10.x.x.x/500 remote 59.x.x.x/500 Inactive
  IPSEC FLOW: permit ip 172.x.x.x/255.255.252.0 172.x.x.x/255.255.254.0
        Active SAs: 0, origin: crypto map

Router##sh crypto session remote 59.x.x.x
Crypto session current status

Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 59.x.x.x port 500
  IKE SA: local 10.x.x.x/500 remote 59.x.x.x/500 Inactive
  IPSEC FLOW: permit ip 172.x.x.x/255.255.252.0 172.x.x.x/255.255.254.0
        Active SAs: 0, origin: crypto map

Router#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: PUNJAB_FTR_VPN, local addr 10.x.x.x

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.x.x.x.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (172.x.x.x/255.255.254.0/0/0)
   current_peer 59.x.x.x port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 38, #recv errors 0

     local crypto endpt.: 10.x.x.x., remote crypto endpt.: 59.x.x.x
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

And here is the output from the remote router:

Router2#sh cry isa sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status
59.x.x.x.   10.x.x.x   MM_NO_STATE          0    0 ACTIVE
59.x.x.x   10.x.x.x   MM_NO_STATE          0    0 ACTIVE (deleted)

Router2#sh crypto session remote 59.x.x.x

Crypto session current status
Interface: FastEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 59.x.x.x.x port 500
IKE SA: local 10.x.x.x/500 remote 59.x.x.x/500 Inactive
IKE SA: local 10.x.x.x/500 remote 59.x.x.x/500 Inactive
IPSEC FLOW: permit ip 172.x.x.x/255.255.254.0 172.x.x.x/255.255.252.0
Active SAs: 0, origin: crypto map

Router##sh crypto ipsec sa

interface: FastEthernet0/0
Crypto map tag: VPN, local addr 10.x.x.x

protected vrf: (none)
local  ident (addr/mask/prot/port): (172.x.x.x/255.255.254.0/0/0)
remote ident (addr/mask/prot/port): (172.x.x.x/255.255.252.0/0/0)
current_peer 59.x.x.x port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 63966, #recv errors 0

local crypto endpt.: 10.x.x.x, remote crypto endpt.: 59.x.x.x
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x0(0)

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

I am not sure whether the problem is on the ISP side or on the local side, as on both routers the other tunnels are working properly. Looking at the above command output, where do you think the problem could be?
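The first reply above describes the check (read `show crypto isakmp sa` on both ends while traffic is generated), and this reply shows what that output looks like when IKE never progresses past MM_NO_STATE. As an added example, not code from the thread or from any of its participants, the script below parses the two show commands and classifies the phase-1 state at each end the way a reviewer of these pastes would: MM_NO_STATE at both routers means each side sent its first main-mode message and neither ever got an answer, while a responder that had received message 1 would show at least MM_SA_SETUP. The sample outputs, the documentation-range addresses and the crypto map name `EXAMPLE_VPN` are constructed; only the IOS column layout and the IKEv1 main-mode state names are taken from the thread and from IOS itself.

```python
"""Classify IKEv1 phase-1 state from Cisco IOS show-command output.

Added example. The sample outputs below are constructed to mirror the layout of
'show crypto isakmp sa' and 'show crypto ipsec sa' as pasted in the thread;
addresses use documentation ranges and the crypto map name is made up.
"""
import re

# Constructed sample: the local router's view of the failing peer.
LOCAL_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.20   192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.20   192.0.2.10      MM_NO_STATE          0    0 ACTIVE (deleted)
"""

LOCAL_IPSEC = """\
interface: FastEthernet0/0
    Crypto map tag: EXAMPLE_VPN, local addr 192.0.2.10
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 38, #recv errors 0
     current outbound spi: 0x0(0)
"""

# Constructed sample: the remote router's view, also stuck in MM_NO_STATE.
REMOTE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
192.0.2.10      198.51.100.20   MM_NO_STATE          0    0 ACTIVE
"""

# Constructed sample of a healthy tunnel, for contrast.
HEALTHY_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.20   192.0.2.10      QM_IDLE           1001    0 ACTIVE
"""

# One SA row as this IOS release prints it: dst src state conn-id slot status.
ISAKMP_ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+"
    r"(?P<slot>\d+)\s+(?P<status>ACTIVE(?: \(deleted\))?)\s*$", re.M)
ERRORS = re.compile(r"#send errors (\d+), #recv errors (\d+)")

# IKEv1 main-mode states in the order they are reached; QM_IDLE = phase 1 complete.
STATE_RANK = {"MM_NO_STATE": 0, "MM_SA_SETUP": 1, "MM_KEY_EXCH": 2,
              "MM_KEY_AUTH": 3, "QM_IDLE": 4}


def parse_isakmp_sa(text):
    """Return one dict per SA row; the title and header lines do not match the row pattern."""
    return [m.groupdict() for m in ISAKMP_ROW.finditer(text)]


def parse_ipsec_errors(text):
    """Return (send_errors, recv_errors) from 'show crypto ipsec sa'."""
    m = ERRORS.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)


def classify_phase1(rows, peer=None):
    """Summarise the furthest main-mode state reached with the given peer."""
    if peer is not None:
        rows = [r for r in rows if peer in (r["dst"], r["src"])]
    if not rows:
        return "no_isakmp_sa"                  # negotiation never started for this peer
    best = max(STATE_RANK.get(r["state"], -1) for r in rows)
    if best == 4:
        return "phase1_complete"
    if best == 0:
        return "no_peer_response"              # message 1 sent, nothing ever came back
    if best > 0:
        return "peer_reached_phase1_stalled"   # the peer answered, so UDP/500 does pass
    return "unknown_state"                     # aggressive-mode AG_* states are not handled here


def diagnose(local_isakmp, local_ipsec, remote_isakmp, local_addr, remote_addr):
    """Combine both routers' views, as the thread suggests checking both ends."""
    local = classify_phase1(parse_isakmp_sa(local_isakmp), peer=remote_addr)
    remote = classify_phase1(parse_isakmp_sa(remote_isakmp), peer=local_addr)
    send_err, recv_err = parse_ipsec_errors(local_ipsec)
    if local == "phase1_complete":
        verdict = "ike_up_check_phase2"
    elif local == "no_isakmp_sa":
        verdict = "no_interesting_traffic_reached_crypto_map"
    elif local == "peer_reached_phase1_stalled":
        verdict = "udp500_passes_check_isakmp_policy_and_psk"
    elif remote == "no_isakmp_sa":
        verdict = "local_mm1_not_reaching_remote"     # a responder would show MM_SA_SETUP
    elif remote == "no_peer_response":
        verdict = "bidirectional_ike_drop_in_transit_suspected"
    elif remote in ("peer_reached_phase1_stalled", "phase1_complete"):
        verdict = "remote_replies_not_reaching_local"
    else:
        verdict = "inconclusive"
    return {"local": local, "remote": remote, "send_errors": send_err,
            "recv_errors": recv_err,
            # send errors with zero encaps: packets matched the crypto ACL but no SA existed
            "interesting_traffic_seen": send_err > 0, "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(LOCAL_ISAKMP, LOCAL_IPSEC, REMOTE_ISAKMP, "192.0.2.10", "198.51.100.20"))
    print(classify_phase1(parse_isakmp_sa(HEALTHY_ISAKMP)))
```

The verdict is deliberately phrased as what the evidence is consistent with rather than as proof: MM_NO_STATE at both ends plus non-zero send errors shows that interesting traffic is hitting the crypto map and that neither router hears the other, which is what a UDP/500 drop in transit looks like, but a peer address mismatch or an intermediate NAT would look the same from the routers alone. The capture in front of the routers suggested in the second reply is what separates those cases.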

New Member


Bhuvan,

Check what the default gateway of your VPN firewall is, and make sure that on that device you have allowed that.

Generally there is a border router in your environment where UDP and TCP traffic should be allowed via ACL.

 

New Member


Jigar,

Thanks for reply!!!

The VPN is configured between two Cisco 2811 routers. On the local router around 25 tunnels are created, whereas on the remote router 3 tunnels are created. Now the problem is that on both the local router and the remote router all other tunnels are working fine, except for the one tunnel mentioned above.

As far as I know, UDP and TCP traffic is allowed by default on a router; there is no need to apply an ACL for that.

Kindly share your views on this, or on what other problem could bring the tunnel down?

New Member

Hi Experts...

kindly reply....
