New Member

Site to site VPN phase 2 error

Dear All,

We have a site-to-site VPN with a partner, and we need to access three different hosts on the partner's network. Phase 1 came up, but there is an issue with phase 2: out of the three hosts we can only connect to one. The others are not connected, and they all share the same parameters.

Below, show ip access list shows matched packets, but connections to the hosts were not successful.

With show crypto ipsec sa I saw send errors, and I don't know what might be responsible for them.

Anybody who knows what might be wrong, please help me out; I am exhausted.

 access-list

10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
 20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
 30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)

show crypto ipsec sa

 local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 198, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

1 ACCEPTED SOLUTION

Bronze

Can you post the config?

Edit: Can you post the config from both sides of the tunnel? If not, recheck the configs from both sides one more time.

2 REPLIES

New Member

Thanks for your suggestion. PFS was enabled at the remote site.
