I have a router 3845 running NAT as well as a site-to-site VPN to a Singapore concentrator. The E0 from my router is connected to my core switch, where my LAN subnets are 172.22.195.0/24, 172.22.192.128/26 and 172.22.200.0/21. Now I can see the tunnel is up and the route to the remote peer. Now my problem is that only 172.22.195.0/24 (VLAN for servers) and 172.22.192.128/26 (VLAN for switch management) can access the host in Singapore; the 172.22.200.0/21 subnets from my LAN get a request timeout or have no access at all to Singapore. I'll attach my config here.
My understanding was that the .200 subnets are already part of the 172.22.192.0 0.0.15.255 definition in the crypto ACL (in short, a summarized network). I also tried to break them down per subnet and it works fine (meaning all of my subnets were able to access the remote LAN subnets of the VPN concentrator, including the .200, .193 and others). However, as 4 hours passed, the .200 and .193 subnets were getting request timeouts, and what has been consistent is the .195 and .192 subnets' access to the remote LAN. Do you have any idea on this issue?
I really appreciate any idea to resolve this issue.
Yes I did; however, it gave me the same issue. Just a while ago, when I tried to run clear crypto session on the router, the .200 subnets worked, but when I received the error below, that is the time it failed. Then I keep on repeating clearing the crypto session so that .200 works.
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=220.127.116.11, prot=50, spi=0x33B49ACE(867474126), srcadd
%CRYPTO-4-IKMP_NO_SA: IKE message from C.C.C.178 has no SA and is not an initialization offer