11-02-2014 07:35 PM - edited 03-03-2019 07:38 AM
Hi, I have a Cisco 2911 for which IPsec phase 1 is already established, but in "sh crypto ipsec sa" no packets are seen being encrypted or decrypted, and I cannot ping the remote tunnel interface IP address. The configuration parameters for phase 2 seem to be fine. Can someone advise?
interface: GigabitEthernet0/2
Crypto map tag: IPSec, local addr xxx.xxx.xxx.xxx
protected vrf: (none)
local ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
current_peer yyy.yyy.yyy.yyy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: yyy.yyy.yyy.yyy
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
current_peer yyy.yyy.yyy.yyy port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56746, #pkts encrypt: 56746, #pkts digest: 56746
#pkts decaps: 18228, #pkts decrypt: 18228, #pkts verify: 18228
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: yyy.yyy.yyy.yyy
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0x56BA8705(1455064837)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0x7E97FE24(2123890212)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2103, flow_id: Onboard VPN:103, sibling_flags 80000040, crypto map: IPSec
sa timing: remaining key lifetime (k/sec): (4254266/5052)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x56BA8705(1455064837)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2104, flow_id: Onboard VPN:104, sibling_flags 80000040, crypto map: IPSec
sa timing: remaining key lifetime (k/sec): (4252592/5052)
IV size: 16 bytes
replay detection support: Y replay window size: 1024
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
11-03-2014 05:03 PM
I have input a NAT deny entry, performed "clear ip nat tran *" and traffic is passing through now.
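The symptom in the output above (phase 1 up, but one proxy-identity pair with SPI 0x0, empty ESP SA lists and zero counters while the other pair carries traffic) can be picked out programmatically. The Python below is an added example, not code from the thread or from Cisco: it parses "sh crypto ipsec sa" output into one record per local/remote ident pair and classifies each one; the sample input is an abridged copy of the poster's output, and the IDLE class (SA up, no traffic yet) is a generalization beyond the two cases on the page.

```python
import re
# Abridged copy of the "sh crypto ipsec sa" output quoted in the post above
# (aaa/bbb are the poster's own masked addresses; unrelated lines omitted).
SAMPLE = """\
local  ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:
local  ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
#pkts encaps: 56746, #pkts encrypt: 56746, #pkts digest: 56746
#pkts decaps: 18228, #pkts decrypt: 18228, #pkts verify: 18228
current outbound spi: 0x56BA8705(1455064837)
inbound esp sas:
spi: 0x7E97FE24(2123890212)
outbound esp sas:
spi: 0x56BA8705(1455064837)
"""

def parse_ipsec_sa(text):
    # One dict per proxy-identity pair; each "local ident" line starts a new one.
    entries, cur, esp = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"local\s+ident .*?:\s*\((\S+)\)", s):
            cur = {"local": m.group(1), "remote": None, "encaps": 0, "decaps": 0,
                   "out_spi": 0, "esp_sas": {"inbound": [], "outbound": []}}
            entries.append(cur); esp = None
        elif m := re.match(r"remote\s+ident .*?:\s*\((\S+)\)", s):
            cur["remote"] = m.group(1)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] = int(m.group(2))
        elif m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", s):
            cur["out_spi"] = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (\w+) sas:", s):
            esp = m.group(1) if m.group(2) == "esp" else None  # skip ah/pcp lists
        elif esp and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s)):
            cur["esp_sas"][esp].append(int(m.group(1), 16))
    return entries

def diagnose(e):
    # SPI 0x0 plus empty ESP SA lists: quick mode never completed for this pair even
    # though phase 1 is up. In the thread above the cause was NAT, which IOS applies to
    # inside->outside traffic before the crypto map sees it (fixed by a NAT deny entry).
    if e["out_spi"] == 0 or not e["esp_sas"]["outbound"]:
        return "NO_IPSEC_SA"
    return "OK" if e["encaps"] and e["decaps"] else "IDLE"  # IDLE: SA up, no traffic yet

def report(text):
    return {f"{e['local']} -> {e['remote']}": diagnose(e) for e in parse_ipsec_sa(text)}
```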