Problem migrating existing IPSEC l2l VPN from Frame Relay to Internet
I have an existing Central Site ASA terminating 10 l2l VPNs (over Frame Relay) to remote 1841 Routers. This has been working for a number of years.
We now need to migrate those existing VPNs (one at a time) from the original Frame Relay Connection to an Internet connection.
The tunnels come online but only a subset of the IPSEC sa's are working. The VPNs on the original Frame Circuit continue to be fine.
The three VPNs migrated to the Internet connection look fine in the show crypto isakmp sa command.
When I do the show crypto ipsec sa command I see all of the sa entries in the router but only half or so in the ASA. The half that show up in the show crypto ipsec work fine. The ones that do not show up never work and any attempts to access the tunnel only show incrementing send errors at the router end and never appear in the ASA.
I am using the same access-lists from the Frame Connection (that worked well) in the Internet VPN i.e. the match access-list and the nonat access-list. The major difference seems to be the need to run NAT-T in the ASA based on the new Internet access.
I have tried everything I can think of and that I have found on the Internet to no avail. Any ideas??
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :