05-21-2013 08:55 PM - edited 03-04-2019 07:58 PM
Hi,
We have a Cisco 7204 G1 running c7200-advipservicesk9-mz.122-33.SRE7.bin and we're having a lot of difficulties getting a VTI working to a Cisco 2921 with adv. security.
I've ruled out that the 2921 is at fault by successfully establishing a VTI to another 2921 and a 7200 running a different IOS release.
We see the tunnel come up, but when I send a ping from the 2921 to the 7204 there isn't a reply.
When I look at the results on the 7204 from a 'sh crypto engine connections active', I see the Decrypt counters increase, but I don't see the Encrypt counters increase as it's trying to reply to the ping. I'm not sure if this is because there is an issue with the encryption or whether there might be a more fundamental issue with the router not replying to the pings.
I've tried the following IOS releases (c7200-advipservicesk9-mz.122-33.SRE7 & c7200-advipservicesk9-mz.122-33.SRE6) and they all behave the same way - this makes me think it might be a config issue rather than an IOS bug, which is what I first thought.
c7200-advipservicesk9-mz.122-33.SRE7.bin
sh crypto engine connections active

Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu10       IPsec 3DES+SHA                  0       31 10.5.5.1
    2 Tu10       IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10       IKE   SHA+3DES                  0        0 10.5.5.1
Here is a copy of my config on the 7204 - the other end (Cisco 2921) is configured in the same way
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 192.168.5.1
!
!
crypto ipsec transform-set 3DESSHA esp-3des esp-sha-hmac
!
crypto ipsec profile IPSEC-VPN
set transform-set 3DESSHA
interface Loopback10
ip address 10.5.5.1 255.255.255.255
!
interface Tunnel10
ip address 10.10.10.1 255.255.255.252
tunnel source Loopback10
tunnel mode ipsec ipv4
tunnel destination 192.168.5.1
tunnel protection ipsec profile IPSEC-VPN
Any assistance would be greatly appreciated.
Thanks,
Jonathan.
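The counters in 'show crypto engine connections active' are cumulative, and each IPsec SA is unidirectional, so a single row showing only Decrypt or only Encrypt is normal. The meaningful check is the delta per tunnel across both SAs between two readings: decrypted packets going up while encrypted packets stay flat means the router receives the pings but never sends a reply, which is the symptom described above. The following is an added example (not code from the thread) that parses the pasted output and classifies each tunnel that way. The first snapshot is the one posted; the second snapshot is constructed for illustration and is not from the thread.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Output of 'show crypto engine connections active' as pasted in the original
# post (Cisco 7204, 12.2(33)SRE7). Column alignment restored by hand.
SNAPSHOT_1 = """\
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu10       IPsec 3DES+SHA                  0       31 10.5.5.1
    2 Tu10       IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10       IKE   SHA+3DES                  0        0 10.5.5.1
"""

# Constructed second snapshot (not from the thread), taken after a few more
# pings from the 2921: Decrypt on the inbound SA has advanced, Encrypt on the
# outbound SA has not. This is the symptom described in the post.
SNAPSHOT_2 = """\
Crypto Engine Connections

   ID Interface  Type  Algorithm           Encrypt  Decrypt IP-Address
    1 Tu10       IPsec 3DES+SHA                  0       36 10.5.5.1
    2 Tu10       IPsec 3DES+SHA                 19        0 10.5.5.1
 1001 Tu10       IKE   SHA+3DES                  0        0 10.5.5.1
"""

ROW_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>IPsec|IKE)\s+(?P<algo>\S+)"
    r"\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<addr>\S+)\s*$"
)


@dataclass(frozen=True)
class Conn:
    conn_id: int
    interface: str
    conn_type: str
    algorithm: str
    encrypt: int
    decrypt: int
    address: str


def parse_connections(text: str) -> list[Conn]:
    """Parse the table rows; the title, header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            conns.append(Conn(int(m["id"]), m["intf"], m["type"], m["algo"],
                              int(m["enc"]), int(m["dec"]), m["addr"]))
    return conns


def diagnose(before: str, after: str) -> dict[tuple[str, str], str]:
    """Compare two snapshots and classify each tunnel's IPsec traffic flow.

    Counters are summed over all IPsec SAs of a tunnel (keyed by interface and
    the IP-Address column) because inbound and outbound SAs are separate rows.
    'rx-only': packets were decrypted but nothing was encrypted, i.e. the
    router receives but does not reply. 'tx-only': the reverse, i.e. the far
    side is not answering or the return path is broken.
    """
    def totals(snapshot):
        agg = defaultdict(lambda: [0, 0])
        for c in parse_connections(snapshot):
            if c.conn_type == "IPsec":  # IKE rows carry no data-plane counters
                agg[(c.interface, c.address)][0] += c.encrypt
                agg[(c.interface, c.address)][1] += c.decrypt
        return agg

    t0, t1 = totals(before), totals(after)
    verdict = {}
    for key, (enc1, dec1) in t1.items():
        enc0, dec0 = t0.get(key, (0, 0))
        d_enc, d_dec = enc1 - enc0, dec1 - dec0
        if d_enc < 0 or d_dec < 0:
            verdict[key] = "counters-reset"   # SA rekeyed or cleared between readings
        elif d_enc == 0 and d_dec == 0:
            verdict[key] = "idle"
        elif d_enc == 0:
            verdict[key] = "rx-only"          # decrypting, never encrypting a reply
        elif d_dec == 0:
            verdict[key] = "tx-only"
        else:
            verdict[key] = "bidirectional"
    return verdict


if __name__ == "__main__":
    for (intf, addr), state in diagnose(SNAPSHOT_1, SNAPSHOT_2).items():
        print(f"{intf} {addr}: {state}")
```

An 'rx-only' verdict narrows the fault to the replying router: the inbound SA is decrypting correctly, so the remaining suspects are the reply never being generated or never being handed to the tunnel interface. Confirming the same picture with the '#pkts encaps' and '#pkts decaps' counters in 'show crypto ipsec sa' rules out a display quirk in one command before concluding it is an IOS defect.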
05-22-2013 08:45 PM
Hi Rick,
I agree with you about the buggy behaviour. I've just changed the IOS to c7200-advipservicesk9-mz.124-24.T7.bin and the tunnel came up and started working straight away.
I had tested this before and knew that the tunnels work on that IOS version, but this last test ruled out a config associated issue.
What I wasn't sure of, is if this IOS version needs 'extra' config to make the tunnels work. It doesn't seem to be the case and it's possibly nothing more than a bug - I just find it a bit strange that this occurs across three different revisions of the 12.2.33SRE stream....
I might have to break my design and move the tunnels to another 7200 running a more VTI friendly IOS version.
Thanks for all your assistance.
Jonathan.
05-23-2013 05:47 AM
Jonathan
It is good to know that the problem with the tunnels was related to the version of IOS and not some kind of configuration issue.
Since the uBR7200 is aimed at a very different functionality (cable modem termination) than the 7200 I am not surprised that there are some differences between the 12.2(33) for the uBR7200 and the 12.4(24) for the regular 7200. But you would think that if they added support for VTI in the uBR code that they would have found and fixed the buggy behavior at some point.
HTH
Rick