08-21-2007 07:31 AM - edited 03-03-2019 06:24 PM
Hi, I have a basic IPsec configuration:RouterA(fa:10.0.0.1/24) and RouterB(10.0.0.2/24). I can ping RouterA from RouterB and vice and versa.
Please find attached RouterA and RouterB show run.
I do 'show crypto ipsec sa' and it sounds like no IPsec tunnel is being generated. What else can I do to troubleshoot this and find out what's wrong? Please find pasted the RouterA and RouterB configuration.
RouterA#show crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: test, local addr. 10.0.0.1
protected vrf:
local ident (addr/mask/prot/port): (150.49.52.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (150.59.59.0/255.255.255.0/0/0)
current_peer: 10.0.0.2:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0
inbound esp sas:
inbound ah sas:
--More--
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
RouterA#shpow ow crypto engine connection active
ID Interface IP-Address State Algorithm Encrypt Decrypt
RouterA#ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
RouterA#show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L
#
Solved! Go to Solution.
08-21-2007 07:53 AM
Friend,
For the tunnel to come up you should send traffic that is defined as interesting which is access-list 100 in your case.
When you ping to 10.0.0.2, you would be using the serial interface Ip and the packets will not be encryptes
try initating a ping from network 150.49.52.0 and check the results
HTH, rate if it does
Narayan
08-21-2007 07:53 AM
Friend,
For the tunnel to come up you should send traffic that is defined as interesting which is access-list 100 in your case.
When you ping to 10.0.0.2, you would be using the serial interface Ip and the packets will not be encryptes
try initating a ping from network 150.49.52.0 and check the results
HTH, rate if it does
Narayan
08-21-2007 10:36 AM
Ah. Thanks!
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: