New Member

show crypto isakmp sa empty

I can ping and NAT is working.  I've built phase 1 and 2 and the ACL several times, using both access-list and ip access-list extended, and double-checked both routers.

Other than that, "show crypto isakmp sa" just gives:

"IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status"

And "sh cry ipsec sa peer [ip]" is also returning nothing.

I'm stumped.  Any suggestions?

Here is the new router's VPN config, mirrored/reversed on the other:

crypto isakmp policy 5
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key [key] address [other routers public ip]
!
crypto ipsec transform-set [name] esp-3des esp-sha-hmac
!
crypto map [name] 10 ipsec-isakmp
 set peer [other routers public ip]
 set transform-set [name]
 match address [name]
!
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255

8 REPLIES
New Member

Re: show crypto isakmp sa empty

can you ping the other router?

Sent from Cisco Technical Support iPhone App

New Member

show crypto isakmp sa empty

Yes.  I can ping both routers from each other by their outside interfaces/public IPs.  The existing router is a 2811 and houses 2 working VPN tunnels atm, both working fine.  It is doing NAT just fine too.

The new router is an 1811 and all is good including NAT (I have a laptop hooked to a switch, then to the 1811, and it NATs fine and pings google.com).

I simply cannot get the VPN tunnel to work at all.

Purple

show crypto isakmp sa empty

Hi,

I don't see the crypto map applied to any interface, and do you exempt traffic going through the tunnel from being NATted?

Alain.

Don't forget to rate helpful posts.
New Member

show crypto isakmp sa empty

Here are the interfaces on the 1811:

interface FastEthernet0
 ip address [public ip] 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map [name]
!
interface FastEthernet1
 ip address 172.16.31.5 255.255.255.224
 ip nat inside
 ip nat enable
 ip virtual-reassembly
 duplex auto
 speed auto

Here are the access lists and NAT:

ip nat inside source list 110 interface FastEthernet0 overload
!
ip access-list extended [name]
 permit ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
!
access-list 110 deny   ip 172.16.31.0 0.0.0.31 192.168.17.0 0.0.0.255
access-list 110 permit ip 172.16.31.0 0.0.0.31 any

New Member

show crypto isakmp sa empty

Update:

Before giving that last reply, I had the deny below the permit in access-list 110.  I reversed it, and now I get this with "show crypto isakmp sa":

1811#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
[2811publicip]   [1811publicip]    QM_IDLE           2001    0 ACTIVE

The 2811 shows the reverse.  So far so good, but I'm still not getting a reply with ping from either router or the laptop.

Purple

show crypto isakmp sa empty

Hi,

so phase 1 is ok, that's great news.

Now what does sh crypto ipsec sa tell?

Can you do a debug crypto ipsec sa while you are doing your ping, and tell us what ping you are doing?

Alain.

Don't forget to rate helpful posts.
New Member

show crypto isakmp sa empty

Ok, I just now got back on this.  I am now able to ping the 2811's inside int from the 1811 via the tunnel.  I had to redo access-list 110 and put the deny up above the permits:

access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31
access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any

It was like this:

access-list 110 permit ip 192.168.17.0 0.0.0.255 any
access-list 110 permit ip 172.16.8.0 0.0.0.255 any
access-list 110 deny   ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31

Once I did that, pinging from the laptop to the 2811's inside int (192.168.17.22) started working, and the 2 routers could ping each other's inside int.

The problem now is that I cannot ping any other IP on the 192.168.17.0/24 network from anything on the 172.16.31.0/31 network.  BUT the opposite way, I can ping the laptop, the router and the switch from the 192.168.17.0/24 side.

I'm sure this is an access-list, but I cannot figure it out.

Any thoughts?
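The ACL ordering fix described in the two updates above, as an added example that is not part of this thread: a small Python model of Cisco first-match ACL evaluation, run with the 2811's access-list 110 in both orders against the crypto ACL mirrored from the 1811's. It assumes the NAT overload rewrites the source to the router's outside address (a placeholder here), so the crypto map only ever sees the post-NAT packet.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # the keyword 'any' as network/wildcard


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit means 'don't care'."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def parse_ace(line: str):
    """Parse '[access-list <n>] permit|deny ip <src> <wc> <dst> <wc>' ('any' allowed)."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]
    action, rest, addrs = tok[0], tok[2:], []
    while rest:
        if rest[0] == "any":
            addrs.append(ANY); rest = rest[1:]
        else:
            addrs.append((rest[0], rest[1])); rest = rest[2:]
    return action, addrs[0], addrs[1]


def evaluate(acl, src, dst):
    """First matching entry wins; the implicit deny applies when nothing matches."""
    for action, (sn, sw), (dn, dw) in acl:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def reaches_tunnel(nat_acl, crypto_acl, src, dst, outside_ip):
    """Return (was_natted, matched_crypto_acl) for one inside-to-outside flow.
    'ip nat inside source list ... overload' translates any flow its ACL permits,
    and the crypto map then classifies the packet by its post-NAT source."""
    natted = evaluate(nat_acl, src, dst) == "permit"
    effective_src = outside_ip if natted else src
    return natted, evaluate(crypto_acl, effective_src, dst) == "permit"


# Constructed from the thread: the 2811's NAT ACL before and after the fix,
# plus its crypto ACL (the mirror of the 1811's). Public IP is a placeholder.
BEFORE = [parse_ace(l) for l in (
    "access-list 110 permit ip 192.168.17.0 0.0.0.255 any",
    "access-list 110 permit ip 172.16.8.0 0.0.0.255 any",
    "access-list 110 deny ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31")]
AFTER = [parse_ace(l) for l in (
    "access-list 110 deny ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31",
    "access-list 110 permit ip 192.168.17.0 0.0.0.255 any",
    "access-list 110 permit ip 172.16.8.0 0.0.0.255 any")]
CRYPTO_2811 = [parse_ace("permit ip 192.168.17.0 0.0.0.255 172.16.31.0 0.0.0.31")]
PUBLIC_2811 = "203.0.113.1"  # placeholder (RFC 5737 range), not the poster's address

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER)):
        print(name, reaches_tunnel(acl, CRYPTO_2811, "192.168.17.22", "172.16.31.5", PUBLIC_2811))
```

With the deny last, the earlier permit matches first, the LAN-to-LAN packet is translated, and the crypto ACL never sees a match; with the deny first, the flow is exempt from NAT and is selected for the tunnel, while ordinary internet-bound traffic is still translated.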

Purple

show crypto isakmp sa empty

Hi,

What does sh crypto ipsec sa tell?

What is working and not working?

What is debug crypto ipsec telling?

Alain

Don't forget to rate helpful posts.
3341 Views, 5 Helpful, 8 Replies