
show crypto isakmp/ipsec sa shows nothing

chan.puilai
Level 1

Dear All,

I have set up an IPsec VPN on my C2811 router, but "show crypto isakmp/ipsec sa" shows nothing.

The remote endpoint is an "ASA5520". Does it indicate that the remote ASA5520 is not yet configured?

Here is my router configuration:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key <pre-shared key> address 202.70.53.xx
!
!
crypto ipsec transform-set ipsec esp-aes esp-sha-hmac
!
crypto map cisco 1 ipsec-isakmp
 set peer 202.70.53.xx
 set transform-set ipsec
 match address vpn
!
!
!
!
interface FastEthernet0/0
 description WAN
 ip address 202.55.8.zzz 255.255.255.252 secondary
 ip address 202.55.8.yy 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 crypto map cisco

eemee#sh crypto isakmp sa
dst             src             state          conn-id slot status

eemee#sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: cisco, local addr 202.55.8.yy
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.13.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.17.91.190/255.255.255.255/0/0)
   current_peer 202.70.53.xx port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 202.55.8.yy, remote crypto endpt.: 202.70.53.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

Ping to peer is normal:

eemee#ping 202.70.53.xx so 202.55.8.yy
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 202.70.53.1, timeout is 2 seconds:
Packet sent with a source address of 202.55.8.yy
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms

Extended IP access list nat
    10 deny ip 192.168.13.0 0.0.0.255 host 10.17.91.190
    20 permit ip 192.168.13.0 0.0.0.255 any (1356 matches)
Extended IP access list vpn
    10 permit ip 192.168.13.0 0.0.0.255 host 10.17.91.190
