For the life of me, I can't come up with an answer to this... We have a working vpn tunnel using our old configuration between an 831 and a 2821. The 831 is running IOS v12.4(25d). However, when we try changing the remote configuration with a replacement startup-config, the VPN tunnel never comes up, and in fact, it seems to be failing in isakmp phase 1.
The "new" config is based on a template that we've used at nearly 200 stores with no problems at all. These templates give us identical configs on all our 831s, with the exception of site names and IP addresses. The configs are using gre tunnels and ipsec in transport mode. We've replaced the 831, and tried building new configs from the template, but it never works. Again, the VPN tunnel comes up using the "old configuration," while we get "Tunnel100 up down" with the new configs.
The isakmp settings match, and I've checked the keys (however it never even gets to the key exchange.) If anyone can give me a hint on where to start from some debug logs, I'd REALLY appreciate it. The system only seems to get as far as MM_NO_STATE, though there are a few IPSEC attempts too.
Here is some output from the C831, with "debug crypto isakmp" and "debug crypto ipsec". There are 2 tunnels, 1 to our main site (208.XXX.76.XXX), one to our DR site (208.XXX.78.XXX), and the remote site is 207.XXX.125.XXX.
03:16:51: ISAKMP:(0:0:N/A:0): SA request profile is (NULL)
03:16:51: ISAKMP: Created a peer struct for 208.XXX.176.XXX, peer port 500
03:16:51: ISAKMP: New peer created peer = 0x81D39808 peer_handle = 0x8000018B
03:16:51: ISAKMP: Locking peer struct 0x81D39808, IKE refcount 1 for isakmp_initiator
03:16:51: ISAKMP: local port 500, remote port 500
03:16:51: ISAKMP: set new node 0 to QM_IDLE
03:16:51: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8240619C
03:16:51: ISAKMP:(0:0:N/A:0):Can not start Aggressive mode, trying Main mode.
From the debug, it just looks like the initial transfers for ISAKMP simply aren't happening. So, I thought I'd give a new config one more try...
Although we had used multiple config templates, and a couple of replacement 831s, it just never would come up. I suspected that it had something to do with notepad and how it was substituting values into the template. As I said, there are over 200 of these 831s running happily, having used the template method of configuration, but this time rather than copying values from a file holding configuration information, I copied the information I needed directly from the running router (using the old config) into the template.
And this time, the tunnels magically came up.
Had there been a "fat finger" moment where a non-printable character was embedded in the config, I couldn't see it using a binary compare. Plus, even though the tunnels were down, I was still able to get into the public IP address on the 831 using the new config.
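The poster's hypothesis is that a template substitution step slipped a non-printable or non-ASCII character (a stray CR, a no-break space, a BOM) into the generated startup-config, which a plain binary compare against the "known good" config cannot surface because the two files legitimately differ in site names and addresses anyway. The following script is an added example, not part of the original post or of any Cisco tool: it scans a generated config for anything outside printable ASCII, tab and LF, reports line and column with the Unicode name so the defect is visible, and then normalizes line endings and exotic spaces before diffing against a reference config so only real content differences remain. The sample config, the pre-shared key placeholder and the RFC 5737 documentation addresses are constructed for the example.

```python
import difflib
import unicodedata

# Constructed sample: a template-generated fragment with two defects that are
# invisible in a text editor: a NO-BREAK SPACE (U+00A0) on line 2 where a
# normal space should be, and a CRLF line ending on line 3. The pre-shared
# key and addresses are placeholders (RFC 5737 documentation ranges).
GENERATED_CONFIG = (
    "crypto isakmp key EXAMPLE-PSK address 203.0.113.1\n"
    "crypto isakmp key\u00a0EXAMPLE-PSK address 198.51.100.1\n"
    "crypto isakmp policy 10\r\n"
    " encr 3des\n"
    " authentication pre-share\n"
)

# Constructed clean reference, as copied from a working router.
REFERENCE_CONFIG = (
    "crypto isakmp key EXAMPLE-PSK address 203.0.113.1\n"
    "crypto isakmp key EXAMPLE-PSK address 198.51.100.1\n"
    "crypto isakmp policy 10\n"
    " encr 3des\n"
    " authentication pre-share\n"
)


def find_suspicious_chars(text):
    """Return (line_no, col, description) for every character that is not
    printable ASCII, TAB or LF. IOS only expects plain ASCII in a config, so
    anything else is worth a look before the file is pasted to the router."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            code = ord(ch)
            if ch == "\t" or 0x20 <= code <= 0x7E:
                continue
            name = unicodedata.name(ch, "<control>")
            findings.append((line_no, col, "U+%04X %s" % (code, name)))
    return findings


def normalize_config(text):
    """Fold CRLF/CR to LF and Unicode spaces (NBSP etc.) to a plain space;
    drop any other non-ASCII or control character. Run find_suspicious_chars
    first so nothing is dropped unseen."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    out = []
    for ch in text:
        code = ord(ch)
        if ch in "\n\t" or 0x20 <= code <= 0x7E:
            out.append(ch)
        elif unicodedata.category(ch) == "Zs":  # space separators -> ASCII space
            out.append(" ")
        # everything else (control chars, BOM, smart quotes) is removed
    return "".join(out)


def config_diff(generated, reference):
    """Content lines that still differ once both sides are normalized, i.e.
    the differences that are not just line endings or odd whitespace."""
    a = normalize_config(reference).splitlines()
    b = normalize_config(generated).splitlines()
    diff = difflib.unified_diff(a, b, "reference", "generated", lineterm="", n=0)
    return [l for l in diff
            if l[:1] in "+-" and not l.startswith(("+++", "---"))]


if __name__ == "__main__":
    for line_no, col, desc in find_suspicious_chars(GENERATED_CONFIG):
        print("line %d col %d: %s" % (line_no, col, desc))
    print("remaining differences:", config_diff(GENERATED_CONFIG, REFERENCE_CONFIG))
```

On the constructed input the scan reports the no-break space at line 2, column 18 and the carriage return at line 3, column 24, and after normalization the generated and reference configs diff clean, which is the situation the poster describes: a config that looks identical yet behaves differently until it is regenerated from the router's own running-config.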