router to router GRE tunnel

TRACY HARTMANN
Level 1

I have 50 GRE tunnels set up on one router that go out to 50 remote sites. One site has two tunnels, one for primary and one for backup. The backup tunnel is not coming up. The access-list is incrementing, but show crypto isakmp sa says MM_NO_STATE and deleted. When I do show crypto ipsec sa I get send errors on the peer. Any suggestions on what could be wrong?

9 Replies

Richard Burts
Hall of Fame

Am I understanding correctly that you have only a single head end router and that the one remote site has configured two tunnels from that remote router to the same head end router?

From a GRE perspective I think you could get this to work as long as either the source address or the destination address used different interfaces on their respective router (perhaps one is FA0/0 and the other is FA0/1 or something like that). But from a crypto/IPSec perspective this does not work. You can build only a single peer relationship and set of Security Associations to a remote router.

Can you explain why this remote is trying to use two tunnels if it is the same source router and the same destination router? If it is because the remote actually has two different exit interfaces perhaps you could build two tunnels and do the crypto peering on a loopback interface of the remote router?

HTH

Rick

Thanks for the reply Rick, but I don't think I explained it well enough. There is a Host site and a DR site. The remote site has a tunnel to each location. I have about 50 sites set up this way, but I am having a problem with this one site. I am looking for some help trying to determine the problem with the configuration. The configuration for the two tunnels looks the same (besides the different IP addresses); however, when I do a show crypto isakmp sa it shows the tunnel as MM_NO_STATE.

When I do a show crypto ipsec sa it has send errors. A long time ago I remember finding a troubleshooting guide for this, but I can't seem to find it anymore.

Thanks again.

Thanks for the clarification. Clearly I did not correctly understand the environment. Do all 50 sites have two tunnels or is it only this one? Can you post the config from the router having the problem (disguising public addresses etc)? Perhaps that will help us identify the problem.

HTH

Rick

Thanks for your help. I figured out today that the DSL modem provided by the vendor has a firewall feature turned on that was blocking the traffic. After that was removed the tunnel came up fine.

I am glad that you have solved the issue. Thank you for posting back to the forum to let us know that it is solved and what the problem turned out to be.

HTH

Rick

configuration

Host end that isn't working

crypto isakmp key XXX address XXXX

crypto isakmp policy XXX
 hash md5
 authentication pre-share
 lifetime 86340

crypto map Stuff 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set transform-set overall
 match address overview

crypto ipsec transform-set overall esp-des esp-md5-hmac

interface Tunnel27
 ip address
 ip mtu 1350
 ip tcp adjust-mss 1294
 tunnel source
 tunnel destination
 crypto map XXX

ip access-list extended XXX
 permit gre host XXX host XXXX

Remote that isn't working:

crypto isakmp policy
 hash md5
 authentication pre-share
crypto isakmp key XXX address XXx

crypto ipsec transform-set XXX esp-des esp-md5-hmac

crypto map XX 175 ipsec-isakmp
 set peer
 set transform-set XXX
 match address 105

interface Tunnel0
 ip address
 ip mtu 1350
 no ip route-cache cef
 ip tcp adjust-mss 1294
 tunnel source GigabitEthernet0/0
 tunnel destination
 crypto map XXX

access-list 105 permit gre host xxx host

All of the other sites have this same configuration; for some reason this site doesn't work. The ACL is getting hits, so I know the requests are coming. I have tried a couple of debugs but did not see anything specific.

Thanks for the additional information. There are several things that stand out to me as I review what you posted.

- first (and perhaps most important) the remote config that you post has only a single tunnel. I thought that you said that the remote has two tunnels.

- second (and sort of important) you show the crypto map as being applied on the tunnel interface on both routers. The standard for crypto map changed a long time ago to have the crypto map applied on the physical interface and not on the tunnel. Unless you are running really old code this is a problem.

HTH

Rick
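
Pulling the symptoms in the original post (ACL hits, MM_NO_STATE with "deleted", send errors in show crypto ipsec sa, and a path firewall as the eventual cause) together with Rick's point about crypto map placement, here is an added example that is neither the poster's configuration nor Cisco's code. It parses constructed copies of 'show crypto isakmp sa' and 'show crypto ipsec sa' output and of a tunnel-interface config (output layout approximated from IOS, addresses taken from the RFC 5737 documentation ranges, all of it made up for this example), flags a crypto map applied under a Tunnel interface, and classifies each peer's state. The function names, sample output and diagnosis codes are assumptions of this example, not anything from the thread.

```python
"""Triage a GRE-over-IPsec tunnel stuck in MM_NO_STATE (added example).

Not code from the thread or from Cisco. Parses constructed copies of
'show crypto isakmp sa', 'show crypto ipsec sa' and an interface config
(layout approximated from IOS; addresses from RFC 5737 documentation ranges).
"""
import re

# Constructed sample output, not captured from the poster's routers.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.5    MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.20    198.51.100.5    QM_IDLE           1004 ACTIVE
"""

IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: XXX, local addr 198.51.100.5
   current_peer 203.0.113.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 57, #recv errors 0
"""

# Constructed config excerpt with the crypto map (wrongly) placed on the tunnel.
CONFIG = """\
interface Tunnel0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.10
 crypto map XXX
interface GigabitEthernet0/0
 ip address 198.51.100.5 255.255.255.0
"""

# dst src state conn-id status; the header lines fail on the uppercase/digit fields.
SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.+?)\s*$")


def parse_isakmp_sa(text):
    """Map peer address (dst column) to its ISAKMP SA fields."""
    sas = {}
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            sas[dst] = {"src": src, "state": state,
                        "conn_id": int(conn_id), "status": status}
    return sas


def parse_ipsec_counters(text):
    """Map current_peer to its encaps/decaps/send-error counters."""
    peers, cur = {}, None
    for line in text.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            cur = m.group(1)
            peers[cur] = {"encaps": 0, "decaps": 0, "send_errors": 0}
            continue
        if cur is None:
            continue
        for key, pat in (("encaps", r"#pkts encaps: (\d+)"),
                         ("decaps", r"#pkts decaps: (\d+)"),
                         ("send_errors", r"#send errors (\d+)")):
            m = re.search(pat, line)
            if m:
                peers[cur][key] = int(m.group(1))
    return peers


def crypto_map_on_tunnel(config):
    """Return Tunnel interfaces carrying 'crypto map' (it belongs on the physical exit interface)."""
    found, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif (iface and iface.lower().startswith("tunnel")
              and line.strip().startswith("crypto map")):
            found.append(iface)
    return found


def diagnose(peer, isakmp, ipsec, acl_hits):
    """Return (code, explanation) for one peer from the three data sources."""
    sa, ctr = isakmp.get(peer), ipsec.get(peer, {})
    if sa is None:
        if acl_hits:
            return ("NO_SA", "crypto ACL matched but no IKE SA exists: check that the "
                    "crypto map is applied on the interface the GRE packets leave by")
        return ("NO_TRAFFIC", "crypto ACL never matched: no GRE traffic reaches the map")
    if sa["state"] == "QM_IDLE":
        return ("UP", "phase 1 and phase 2 established")
    if sa["state"] == "MM_NO_STATE" and ctr.get("send_errors") and not ctr.get("decaps"):
        return ("IKE_NO_REPLY", "main mode started but no accepted reply arrived: UDP/500 "
                "(and ESP or UDP/4500) blocked on the path, or the peer rejected the "
                "phase 1 proposal; 'debug crypto isakmp' on the peer tells them apart")
    return ("UNKNOWN", f"state {sa['state']} with counters {ctr}")


if __name__ == "__main__":
    isakmp, ipsec = parse_isakmp_sa(ISAKMP_SA), parse_ipsec_counters(IPSEC_SA)
    for peer in ("203.0.113.10", "203.0.113.20"):
        print(peer, *diagnose(peer, isakmp, ipsec, acl_hits=42))
    for iface in crypto_map_on_tunnel(CONFIG):
        print(f"{iface}: crypto map applied under the tunnel, not the physical interface")
```

Run it as a script to see one diagnosis per peer. The thread's own outcome (a vendor DSL modem firewall in the path) is the IKE_NO_REPLY branch: GRE matched the crypto ACL, the router sent its IKE main mode message, nothing acceptable came back, so the ISAKMP SA is created and immediately deleted while the IPsec SA accumulates send errors. A phase 1 policy mismatch looks the same from the initiator, which is why the explanation points at 'debug crypto isakmp' on the responder. The crypto_map_on_tunnel check is Rick's second point; 'show crypto map' on the router lists which interfaces a map is actually bound to.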

When I said "host end that isn't working" and "remote end that isn't working" I meant the tunnels, so I didn't include the working tunnels. Also, I do have that command on the physical interface; I just didn't copy it in.

You insist on obfuscating things that have no significance, such as the isakmp policy number and the crypto map name and the transform name. And you give us minute pieces of the config that you determine should be significant but not the other parts that might interact. I hope that you find someone else who believes that they can figure out the issue based on the very limited information you choose to supply. But I am done with this thread and your unwillingness to provide the significant information that might allow us to identify your problem.

HTH

Rick