
TED show crypto isakmp sa strange output

I configured a site-to-site VPN using TED between the branches and HQ. When I access the branch router and run show crypto isakmp sa, I find the following strange output:

Branch#sh cry is sa
dst             src             state           conn-id slot status
10.20.112.1     10.26.50.254    QM_IDLE         2       0    ACTIVE
10.20.100.220   10.26.10.200    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.220   10.26.10.200    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.220   10.26.10.200    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.220   10.26.10.200    MM_NO_STATE     0       0    ACTIVE (deleted)
10.20.100.220   10.26.10.200    MM_NO_STATE     0       0    ACTIVE (deleted)
10.20.100.221   10.26.10.250    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.221   10.26.10.250    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.221   10.26.10.250    MM_NO_STATE     0       0    ACTIVE (deleted)
10.20.100.221   10.26.10.250    MM_NO_STATE     0       0    ACTIVE (deleted)
10.20.100.15    10.26.10.230    PEER_DISCOVERY  0       0    ACTIVE
10.20.100.15    10.26.10.230    MM_NO_STATE     0       0    ACTIVE (deleted)
10.20.100.15    10.26.10.230    MM_NO_STATE     0       0    ACTIVE (deleted)

The branch VPN configuration is:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key ****** address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto ipsec transform-set my-transform esp-3des esp-md5-hmac
!
crypto dynamic-map dyn-map 10
 set transform-set my-transform
 match address VPN-Traffic
!
crypto map vpn local-address Loopback1
crypto map vpn 10 ipsec-isakmp dynamic dyn-map discover
!
interface Loopback1
 ip address 10.26.50.254 255.255.255.0
interface Serial0/0/0.1 point-to-point
 ip address 192.168.10.50 255.255.255.252
 ip access-group TUB out
 frame-relay interface-dlci 16
 crypto map vpn
!
interface Serial0/0/1.1 point-to-point
 ip address 192.168.20.50 255.255.255.252
 ip access-group TUB out
 frame-relay interface-dlci 50
 crypto map vpn
ip access-list extended VPN-Traffic
 permit ip 10.26.10.0 0.0.0.255 10.20.100.0 0.0.0.255
 permit ip 10.26.10.0 0.0.0.255 10.20.200.0 0.0.0.255
 permit ip 10.26.10.0 0.0.0.255 10.20.150.0 0.0.0.255
 permit ip 10.26.10.0 0.0.0.255 10.20.30.0 0.0.0.255

It should give me only:

branch#sh cry is sa
dst             src             state           conn-id slot status
10.20.112.1     10.26.50.254    QM_IDLE         2       0    ACTIVE

So is this a bug in the branch router IOS?

The version used is:

c2800nm-advipservicesk9-mz.124-3g.bin

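An added example, not part of the original post: a small Python parser that groups the rows of a `show crypto isakmp sa` table like the one in the question by peer pair and state, so the one established SA can be told apart from the discovery and negotiation entries. The sample rows are a subset copied from the post; the function names are hypothetical, and treating `QM_IDLE` as the established state is an assumption of the script.

```python
import re
from collections import Counter, defaultdict

# Subset of the rows shown in the post, used as sample input for this example.
SAMPLE = """\
Branch#sh cry is sa
dst src state conn-id slot status
10.20.112.1 10.26.50.254 QM_IDLE 2 0 ACTIVE
10.20.100.220 10.26.10.200 PEER_DISCOVERY 0 0 ACTIVE
10.20.100.220 10.26.10.200 MM_NO_STATE 0 0 ACTIVE (deleted)
10.20.100.221 10.26.10.250 PEER_DISCOVERY 0 0 ACTIVE
10.20.100.15 10.26.10.230 MM_NO_STATE 0 0 ACTIVE (deleted)
"""

ROW = re.compile(
    r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+(?P<state>[A-Z_]+)"
    r"\s+(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)(?P<deleted>\s+\(deleted\))?$"
)

def parse_isakmp_sa(text):
    """Return one dict per SA row; prompt, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn"] = int(row["conn"])
            row["deleted"] = row["deleted"] is not None
            rows.append(row)
    return rows

def summarize(rows):
    """Map (dst, src) -> Counter of state labels, keeping '(deleted)' distinct."""
    summary = defaultdict(Counter)
    for r in rows:
        label = r["state"] + (" (deleted)" if r["deleted"] else "")
        summary[(r["dst"], r["src"])][label] += 1
    return dict(summary)

def pairs_without_established(rows, established="QM_IDLE"):
    """Peer pairs that have entries but none in the assumed established state."""
    ok = {(r["dst"], r["src"]) for r in rows
          if r["state"] == established and not r["deleted"]}
    return sorted({(r["dst"], r["src"]) for r in rows} - ok)

if __name__ == "__main__":
    rows = parse_isakmp_sa(SAMPLE)
    for pair, states in summarize(rows).items():
        print(pair, dict(states))
    print("no established SA:", pairs_without_established(rows))
```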