Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Problem migrating existing IPSEC l2l VPN from Frame Relay to Internet

I have an existing Central Site ASA terminating 10 l2l VPNs (over Frame Relay) to remote 1841 Routers. This has been working for a number of years.

We now need to migrate those existing VPNs (one at a time) from the original Frame Relay Connection to an Internet connection.

The tunnels come online but only a subset of the IPSEC sa's are working. The VPNs on the original Frame Circuit continue to be fine.

The three VPNs migrated to the Internet connection look fine in the show crypto isakmp sa command.

When I do the show crypto ipsec sa command I see all of the sa entries in the router but only half or so in the ASA. The half that show up in the show crypto ipsec work fine. The ones that do not show up never work and any attempts to access the tunnel only show incrementing send errors at the router end and never appear in the ASA.

I am using the same access-lists from the Frame Connection (that worked well) in the Internet VPN i.e. the match access-list and the nonat access-list. The major difference seems to be the need to run NAT-T in the ASA based on the new Internet access.

I have tried everything I can think of and that I have found on the Internet to no avail. Any ideas??


Everyone's tags (1)

Hi Bill,Could you please

Hi Bill,

Could you please share the configurations (hashed out with the IP information) related to the tunnel which has the phase 2 problem???


Also show crypto ipsec sa <peer ip> output as well ....

We will definitely try to solve your issue with those tunnels..... Thanks






New Member

Thanks very much for the

Thanks very much for the response......


I have attached the files you asked for.


Thanks again


CreatePlease to create content