Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

site to site VPN problem.

HI every one. I have some problem on site-to-site VPN. Here is the Diagram.HQ using PIX 516E. Branches using Cisco 1721 router.


User at Branches always complain that unable to use resources at HQ1 through VPN. But able to use resources at HQ2. So when I login to Branches router, I noticed as below

TN_Butterworth#show cry isa sa
dst             src                           state                 conn-id slot status  QM_IDLE            221    0 ACTIVE  MM_NO_STATE  220    0 ACTIVE (deleted) QM_IDLE              1      0 ACTIVE                          <------ VPN to HQ2 seems fine. Branch IP is  QM_IDLE            222    0 ACTIVE  MM_NO_STATE  219    0 ACTIVE (deleted)

VPN to HQ1 keep dropping. I noticed in Cisco Web, MM_NO_STATE, means configuration doesn't match at phase 1. But there is QM_IDLE state also for VPN to HQ1. What does this realy mean? If configuration mismatch, the VPN totaly unable to establish right? But why some shows establish and some not? And the connection ID keeps increasing means the SA keeps deleted and recreate again. Sometime I can ping HQ1 LAN and some time can't. Why is it so many entries in ISAKMP SA table for in branch router for VPN to HQ1? Does this means related to Hardware issue at HQ1 PIX?

Regards, Nagis
Cisco Employee

Re: site to site VPN problem.

the vpn with H1Q 1 is flapping

do you see this on all the spokes or only one spoke

also do you have any other tunnel terminating on HQ 1 other than these spokes which are also flapping

how are the HQ 1 and HQ 2 different (hardware, software configuration)

if possible paste the output of config on both the HQ's

Community Member

Re: site to site VPN problem.

Hi Jathaval,

I have about 7 branches with same design as above. All branches having same problem VPN to HQ1.I have attached HQ1 PIX show run and Branch Show run file. HQ1 and HQ2 are using same device PIX516E with similar configuration. Both PIX are sitting behind a Loadbalancer, so their external IP is Private IP.

Regards, Nagis
Cisco Employee

Re: site to site VPN problem.

i assume this is the crypto map you are using

crypto map Butterworth 1

i see 2 peers which is hq 1 is it the first one???

also i see u have deny statement in crypto acl - i am not sure why you need that

now coming to PIX

crypto map outside_map 27 match address outside_cryptomap_27
crypto map outside_map 27 set peer
crypto map outside_map 27 set peer

what is is the 218 ip i see 219 is the router, just curious to understand your setup

Community Member

Re: site to site VPN problem.


In branch router,

The two set peer IP is because HQ1 having two ISP. Once branch router lost connection to peer 1, it will failover to peer 2. Thats same goes to PIX configuration. The Deny statement is just nothing. equal to implicit deny.

Regards, Nagis
Cisco Employee

Re: site to site VPN problem.

please enable conditional debugs on both firewall HQ1 and router and paste them

debug crypto condition peer ipv4

debug crypto isa sa

debug crypto ips sa

on firewall

i am not sure if your code supports conditional debugs but still try the debugs, the syntax might be little different

CreatePlease to create content