Unable to Ping VPN Tunnel Interfaces

soonli.lim
Level 1

Hi, I have a Cisco 2911 for which IPSEC phase 1 is already established, but in "sh crypto ipsec sa" no packets are seen being encrypted or decrypted, and I cannot ping the remote tunnel interface IP address. Configuration parameters for phase 2 seem to be fine. Can someone advise?

interface: GigabitEthernet0/2
    Crypto map tag: IPSec, local addr xxx.xxx.xxx.xxx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
   current_peer yyy.yyy.yyy.yyy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: yyy.yyy.yyy.yyy
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (bbb.bbb.bbb.bbb/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (aaa.aaa.aaa.aaa/255.255.255.255/0/0)
   current_peer yyy.yyy.yyy.yyy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 56746, #pkts encrypt: 56746, #pkts digest: 56746
    #pkts decaps: 18228, #pkts decrypt: 18228, #pkts verify: 18228
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xxx, remote crypto endpt.: yyy.yyy.yyy.yyy
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
     current outbound spi: 0x56BA8705(1455064837)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0x7E97FE24(2123890212)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2103, flow_id: Onboard VPN:103, sibling_flags 80000040, crypto map: IPSec
        sa timing: remaining key lifetime (k/sec): (4254266/5052)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x56BA8705(1455064837)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2104, flow_id: Onboard VPN:104, sibling_flags 80000040, crypto map: IPSec
        sa timing: remaining key lifetime (k/sec): (4252592/5052)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 1024
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:


soonli.lim
Level 1

I have input a NAT deny entry, performed "clear ip nat tran *" and traffic is passing through now.
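Added example (not from the post or from Cisco): a small Python parser that splits output in the shape of the `show crypto ipsec sa` quoted above into one record per proxy-identity pair and classifies each from its counters, so the pattern in the question (one pair with zero encaps/decaps and outbound SPI 0x0 while the other pair is ACTIVE and counting) is flagged automatically. The sample text and addresses are constructed; the `NO_SA` label covers the cause found in the reply, where traffic translated by NAT before the crypto map is applied no longer matches the crypto ACL and is never offered for encryption.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the output quoted above (documentation addresses).
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 56746, #pkts encrypt: 56746, #pkts digest: 56746
    #pkts decaps: 18228, #pkts decrypt: 18228, #pkts verify: 18228
     current outbound spi: 0x56BA8705(1455064837)
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+/[^/]+)/")
COUNTER_RE = {"encaps": re.compile(r"#pkts encaps: (\d+)"),
              "decaps": re.compile(r"#pkts decaps: (\d+)")}
SPI_RE = re.compile(r"current outbound spi: 0x([0-9A-Fa-f]+)")

def parse_ipsec_sa(text: str) -> List[Dict]:
    """One record per proxy-identity pair; each block starts at a 'local ident' line."""
    flows = []
    for block in re.split(r"(?m)^(?=[ \t]*local\s+ident)", text)[1:]:
        rec = {"local": None, "remote": None, "encaps": 0, "decaps": 0, "spi": 0}
        for m in IDENT_RE.finditer(block):
            rec[m.group(1)] = m.group(2)
        for name, rx in COUNTER_RE.items():
            if m := rx.search(block):
                rec[name] = int(m.group(1))
        if m := SPI_RE.search(block):
            rec["spi"] = int(m.group(1), 16)
        flows.append(rec)
    return flows

def diagnose(flow: Dict) -> str:
    """Classify a flow from its counters, the way the question reads them by hand."""
    if flow["spi"] == 0:
        # No phase 2 SA for this pair: nothing matched the crypto ACL (for example
        # because NAT rewrote the source first) or the peer rejected the proposal.
        return "NO_SA"
    if flow["encaps"] > 0 and flow["decaps"] == 0:
        return "ONE_WAY"  # we encrypt but nothing comes back: check the peer side
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "IDLE"     # SA is up but no traffic has used it yet
    return "OK"
```

Run it over a saved capture of the command output; a `NO_SA` result on the pair you are trying to ping is the signal to check the NAT ACL and `show crypto map` before touching the phase 2 proposal.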
