10-08-2008 05:34 AM - edited 03-09-2019 09:38 PM
Hi all,
I've checked and double-checked everything. This is a duplicate (IP and ACLs changed to protect the innocent) of another situation which works fine. But this one does not.
I can't get any debug info on the 2821 side (?), but right now I'm concerned that when I do try and bring it up from the ASA, it appears in "sh cryp isa sa" as type: user (with State: MM_WAIT_MSG2) instead of type: L2L.
The packet-tracer on the ASA falls down at:
Phase: 9
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x4a38e38, priority=70, domain=encrypt, deny=false
hits=2, user_data=0x0, cs_id=0x4bbabd0, reverse, flags=0x0, protocol=0
src ip=10.180.0.0, mask=255.255.192.0, port=0
dst ip=10.180.67.0, mask=255.255.255.0, port=0
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
Here is some config - I can definitely send through more if it helps to help me. Below is a bit.
crypto map VPN 40 match address CRYPTO-LONDON
crypto map VPN 40 set peer ip.ip.ip.ip
crypto map VPN 40 set transform-set ESP-AES-256-SHA
tunnel-group ip.ip.ip.ip type ipsec-l2l
tunnel-group ip.ip.ip.ip ipsec-attributes
pre-shared-key *
Really, really appreciate any help.
Regards,
Mike
10-08-2008 06:39 PM
Don't worry ... I'm just overtired and even though I checked and double-checked everything, after a night's sleep ... Yes, I DID make a stupid config error on the 2821 IOS.
I'll close this.
05-20-2021 02:17 AM - edited 05-20-2021 02:17 AM
What is your config error on your router? I also encountered this issue.