Cisco Support Community
New Member

IPSec with HSRP

Hi Guys,

I'm trying to set up IPSec with HSRP but I'm having some problems.

I have a single router TEST_R3 acting as a client on an unknown IP address.

I have 2 routers TEST_R0 and TEST_R1 acting as end points, both configured with a HSRP group called REDUNDANT2.

TEST_R1 is the active router (TEST_R0 is actually switched off). The standby IP is

The client, TEST_R3, is configured to peer with the HSRP IP address.

When TEST_R3 attempts connectivity I receive the following error on TEST_R1:

*Mar 1 01:04:38.451: map_db_find_best did not find matching map

*Mar 1 01:04:38.455: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address

*Mar 1 01:04:38.467: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Quick mode failed with peer at

It says something about invalid transform sets yet I assure you there are valid matching sets configured on each end. So I suppose my question is, what is this error trying to tell me?

I've attached relevant config for each device.



New Member

Re: IPSec with HSRP

Sorry guys, screwed up on those attachments. The file name depicts the correct device. So file 1 is R3, file 2 is R1

New Member

Re: IPSec with HSRP

Just bumping this up.

If my setup is hard to understand, I can post the GNS3 .net file, or preferably, someone could post me their working setup with configs and leave me to figure it out from there.



Re: IPSec with HSRP

Have you tried removing the crypto map from the interface, and clearing all the crypto states "clear crypto sa" "clear crypto isakmp" then applying the crypto map again?

I remember I had this issue long ago, and I think it was an issue with the HSRP configuration, can't remember what exactly, so try to go over the configuration again.

New Member

Re: IPSec with HSRP

Thanks Ivan. I've given that a go but no luck unfortunately. I've found some more examples just now that have slightly different config. I'll try them when I get home. Let you know what I find.
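
An added example, not taken from the posters' attachments (which are not on this page): one common IOS arrangement for terminating IPsec on an HSRP virtual address is to bind the crypto map to the HSRP group by name, so the router uses the standby address as its local crypto endpoint. Only the group name REDUNDANT2 comes from the thread; the interface, addresses (documentation range), map and transform-set names and the key are placeholders.

```cisco
! Added example. Everything except the HSRP group name REDUNDANT2 is a placeholder.
!
! The client address is unknown, so the key is matched against any peer
crypto isakmp key <PRE_SHARED_KEY> address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set TS_EXAMPLE esp-aes esp-sha-hmac
!
! A dynamic map accepts proposals from a peer whose address is not known in advance
crypto dynamic-map DYN_EXAMPLE 10
 set transform-set TS_EXAMPLE
!
crypto map VPN_EXAMPLE 10 ipsec-isakmp dynamic DYN_EXAMPLE
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 ! HSRP virtual address that the remote client peers with
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 ! The name is what the crypto map refers to below
 standby 1 name REDUNDANT2
 ! Without the redundancy keyword the map is tied to the physical address
 ! 192.0.2.2; with it, the HSRP address 192.0.2.1 is the local endpoint
 crypto map VPN_EXAMPLE redundancy REDUNDANT2
!
! Checks after applying:
!   show standby brief      (this router is Active for the group)
!   show crypto map         (map is applied to the interface)
!   show crypto isakmp sa   (local address of the SA is the standby address)
```

The standby router carries the same crypto configuration with its own physical address and a lower HSRP priority.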



