11-04-2013 05:46 PM - edited 03-04-2019 09:29 PM
Hi all,
I have an issue with a dual DMVPN scenario.
I have 2 hubs and multiple spokes; each spoke has 2 tunnels, one to each hub.
I am having issues with a spoke, but only with one tunnel:
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up down
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 80.188.29.210 YES NVRAM up up
Tunnel1 10.24.170.58 YES NVRAM up up
Tunnel2 10.32.170.58 YES NVRAM up up
Vlan1 10.24.141.3 YES NVRAM up up
czprab01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
80.188.29.210 216.40.52.7 QM_IDLE 2113 ACTIVE <-------------- Tunnel 1 (working)
216.40.48.53 80.188.29.210 MM_KEY_EXCH 2780 ACTIVE
216.40.48.53 80.188.29.210 MM_KEY_EXCH 2779 ACTIVE
216.40.48.53 80.188.29.210 MM_NO_STATE 2778 ACTIVE (deleted)
216.40.48.53 80.188.29.210 MM_NO_STATE 2777 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
czprab01#sh crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 80.188.29.210
protected vrf: (none)
local ident (addr/mask/prot/port): (80.188.29.210/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (216.40.52.7/255.255.255.255/47/0)
current_peer 216.40.52.7 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3955556, #pkts encrypt: 3955556, #pkts digest: 3955556
#pkts decaps: 4334117, #pkts decrypt: 4334117, #pkts verify: 4334117
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 1618
local crypto endpt.: 80.188.29.210, remote crypto endpt.: 216.40.52.7
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x209DAC2C(547204140)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x45E07928(1172338984)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 39, flow_id: Onboard VPN:39, sibling_flags 80000006, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4459162/777)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x209DAC2C(547204140)
transform: esp-3des esp-md5-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 40, flow_id: Onboard VPN:40, sibling_flags 80000006, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4461679/777)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 80.188.29.210
protected vrf: (none)
local ident (addr/mask/prot/port): (80.188.29.210/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (216.40.48.53/255.255.255.255/47/0)
current_peer 216.40.48.53 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 266, #recv errors 0
local crypto endpt.: 80.188.29.210, remote crypto endpt.: 216.40.48.53
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
DEBUG on the spoke:
czprab01#sh debugging
czprab01#sh debugging
Cryptographic Subsystem:
Crypto ISAKMP Error debugging is on
Crypto IPSEC Error debugging is on
czprab01#
*Nov 5 02:38:24 Winter: insert of map into mapdb AVL failed, map + ace pair already exists on the mapdb
czprab01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
80.188.29.210 216.40.52.7 QM_IDLE 2113 ACTIVE
216.40.48.53 80.188.29.210 MM_KEY_EXCH 2787 ACTIVE
216.40.48.53 80.188.29.210 MM_KEY_EXCH 2786 ACTIVE
*Nov 5 02:39:24 Winter: ISAKMP:(2786):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:39:24 Winter: ISAKMP:(2786):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:39:54 Winter: ISAKMP:(2787):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:39:54 Winter: ISAKMP:(2787):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:40:28 Winter: ISAKMP:(2788):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:40:28 Winter: ISAKMP:(2788):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:40:54 Winter: ISAKMP:(2789):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:40:54 Winter: ISAKMP:(2789):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:41:24 Winter: ISAKMP:(2790):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
*Nov 5 02:41:24 Winter: ISAKMP:(2790):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
Configuration of the tunnels:
czprab01#sh runn int tunn1
Building configuration...
Current configuration : 405 bytes
!
interface Tunnel1
bandwidth 1000
ip address 10.24.170.58 255.255.255.0
ip mtu 1352
ip flow ingress
ip nhrp authentication donttell
ip nhrp map 10.24.170.1 216.40.52.7
ip nhrp network-id 169
ip nhrp holdtime 300
ip nhrp nhs 10.24.170.1
ip tcp adjust-mss 1200
delay 1000
tunnel source FastEthernet4
tunnel destination 216.40.52.7
tunnel key 100000
tunnel protection ipsec profile CHEP
end
czprab01#sh runn int tunn2
Building configuration...
Current configuration : 406 bytes
!
interface Tunnel2
bandwidth 256
ip address 10.32.170.58 255.255.255.0
ip mtu 1352
ip flow ingress
ip nhrp authentication donttell
ip nhrp map 10.32.170.1 216.40.48.53
ip nhrp network-id 170
ip nhrp holdtime 300
ip nhrp nhs 10.32.170.1
ip tcp adjust-mss 1200
delay 1500
tunnel source FastEthernet4
tunnel destination 216.40.48.53
tunnel key 100001
tunnel protection ipsec profile CHEP
end
I tried shutting down Tunnel2 for a while, but no luck.
I did clear crypto sa peer XXXX, and no luck.
Any suggestion, please?
Thank you
11-05-2013 08:23 PM
https://supportforums.cisco.com/thread/256417
Please take a look at the above.
Regards
Vinayak
11-06-2013 08:41 AM
Hello, Omar.
Please provide output for "debug crypto isakmp" and " sh ip route 216.40.48.53"
11-06-2013 04:41 PM
This is the output of the debug:
czprab01#
*Nov 7 01:32:53 Winter: %SYS-5-CONFIG_I: Configured from console by netman on vty0 (10.32.1.22)
*Nov 7 01:32:55 Winter: %LINK-3-UPDOWN: Interface Tunnel2, changed state to up
*Nov 7 01:32:55 Winter: ISAKMP:(0): SA request profile is (NULL)
*Nov 7 01:32:55 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500
*Nov 7 01:32:55 Winter: ISAKMP: New peer created peer = 0x84F1B738 peer_handle = 0x80000D08
*Nov 7 01:32:55 Winter: ISAKMP: Locking peer struct 0x84F1B738, refcount 1 for isakmp_initiator
*Nov 7 01:32:55 Winter: ISAKMP: local port 500, remote port 500
*Nov 7 01:32:55 Winter: ISAKMP: set new node 0 to QM_IDLE
*Nov 7 01:32:55 Winter: ISAKMP:(0):insert sa successfully sa = 84F2BDD4
*Nov 7 01:32:55 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 7 01:32:55 Winter: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 7 01:32:55 Winter: ISAKMP:(0): beginning Main Mode exchange
*Nov 7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 7 01:32:55 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 7 01:32:55 Winter: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 7 01:32:55 Winter: ISAKMP:(0): processing vendor id payload
*Nov 7 01:32:55 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 7 01:32:55 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:32:55 Winter: ISAKMP:(0): local preshared key found
*Nov 7 01:32:55 Winter: ISAKMP : Scanning profiles for xauth ...
*Nov 7 01:32:55 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Nov 7 01:32:55 Winter: ISAKMP: encryption 3DES-CBC
*Nov 7 01:32:55 Winter: ISAKMP: hash MD5
*Nov 7 01:32:55 Winter: ISAKMP: default group 1
*Nov 7 01:32:55 Winter: ISAKMP: auth pre-share
*Nov 7 01:32:55 Winter: ISAKMP: life type in seconds
*Nov 7 01:32:55 Winter: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 7 01:32:55 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 7 01:32:55 Winter: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov 7 01:32:55 Winter: ISAKMP:(0):Acceptable atts:life: 0
*Nov 7 01:32:55 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 7 01:32:55 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov 7 01:32:55 Winter: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 7 01:32:55 Winter: ISAKMP:(0)::Started lifetime timer: 86400.
*Nov 7 01:32:55 Winter: ISAKMP:(0): processing vendor id payload
*Nov 7 01:32:55 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 7 01:32:55 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 7 01:32:55 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 7 01:32:55 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov 7 01:32:55 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 01:32:55 Winter: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 7 01:32:55 Winter: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 7 01:32:55 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 7 01:32:55 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload
*Nov 7 01:32:55 Winter: ISAKMP:(2308): vendor ID is Unity
*Nov 7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload
*Nov 7 01:32:55 Winter: ISAKMP:(2308): vendor ID is DPD
*Nov 7 01:32:55 Winter: ISAKMP:(2308): processing vendor id payload
*Nov 7 01:32:55 Winter: ISAKMP:(2308): speaking to another IOS box!
*Nov 7 01:32:55 Winter: ISAKMP:received payload type 20
*Nov 7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT
*Nov 7 01:32:55 Winter: ISAKMP:received payload type 20
*Nov 7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Send initial contact
*Nov 7 01:32:55 Winter: ISAKMP:(2308):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 7 01:32:55 Winter: ISAKMP (2308): ID payload
next-payload : 8
type : 1
address : 80.188.29.210
protocol : 17
port : 0
length : 12
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Total payload length: 12
*Nov 7 01:32:55 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 01:32:55 Winter: ISAKMP:(2308):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Nov 7 01:32:56 Winter: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
czprab01#
czprab01#
*Nov 7 01:33:05 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:05 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Nov 7 01:33:05 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:05 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:05 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.
*Nov 7 01:33:15 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:15 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Nov 7 01:33:15 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:15 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:15 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.
czprab01#
czprab01#
czprab01#
czprab01#
*Nov 7 01:33:25 Winter: ISAKMP:(0): SA request profile is (NULL)
*Nov 7 01:33:25 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500
*Nov 7 01:33:25 Winter: ISAKMP: New peer created peer = 0x838FB5D8 peer_handle = 0x80000D0F
*Nov 7 01:33:25 Winter: ISAKMP: Locking peer struct 0x838FB5D8, refcount 1 for isakmp_initiator
*Nov 7 01:33:25 Winter: ISAKMP: local port 500, remote port 500
*Nov 7 01:33:25 Winter: ISAKMP: set new node 0 to QM_IDLE
*Nov 7 01:33:25 Winter: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 8390F81C
*Nov 7 01:33:25 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*Nov 7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-07 ID
*Nov 7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-03 ID
*Nov 7 01:33:25 Winter: ISAKMP:(0): constructed NAT-T vendor-02 ID
*Nov 7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 7 01:33:25 Winter: ISAKMP:(0): beginning Main Mode exchange
*Nov 7 01:33:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 7 01:33:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 01:33:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 7 01:33:25 Winter: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 7 01:33:25 Winter: ISAKMP:(0): processing vendor id payload
*Nov 7 01:33:25 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 7 01:33:25 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:33:25 Winter: ISAKMP:(0): local preshared key found
*Nov 7 01:33:25 Winter: ISAKMP : Scanning profiles for xauth ...
*Nov 7 01:33:25 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Nov 7 01:33:25 Winter: ISAKMP: encryption 3DES-CBC
*Nov 7 01:33:25 Winter: ISAKMP: hash MD5
*Nov 7 01:33:25 Winter: ISAKMP: default group 1
*Nov 7 01:33:25 Winter: ISAKMP: auth pre-share
*Nov 7 01:33:25 Winter: ISAKMP: life type in seconds
*Nov 7 01:33:25 Winter: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 7 01:33:25 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 7 01:33:25 Winter: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov 7 01:33:25 Winter: ISAKMP:(0):Acceptable atts:life: 0
*Nov 7 01:33:25 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 7 01:33:25 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov 7 01:33:25 Winter: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 7 01:33:25 Winter: ISAKMP:(0)::Started lifetime timer: 86400.
*Nov 7 01:33:25 Winter: ISAKMP:(0): processing vendor id payload
*Nov 7 01:33:25 Winter: ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
*Nov 7 01:33:25 Winter: ISAKMP (0): vendor ID is NAT-T RFC 3947
*Nov 7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 7 01:33:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 7 01:33:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 7 01:33:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov 7 01:33:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 01:33:25 Winter: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 7 01:33:25 Winter: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 7 01:33:25 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 7 01:33:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload
*Nov 7 01:33:25 Winter: ISAKMP:(2309): vendor ID is Unity
*Nov 7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload
*Nov 7 01:33:25 Winter: ISAKMP:(2309): vendor ID is DPD
*Nov 7 01:33:25 Winter: ISAKMP:(2309): processing vendor id payload
*Nov 7 01:33:25 Winter: ISAKMP:(2309): speaking to another IOS box!
*Nov 7 01:33:25 Winter: ISAKMP:received payload type 20
*Nov 7 01:33:25 Winter: ISAKMP (2309): His hash no match - this node outside NAT
*Nov 7 01:33:25 Winter: ISAKMP:received payload type 20
*Nov 7 01:33:25 Winter: ISAKMP (2309): His hash no match - this node outside NAT
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Send initial contact
*Nov 7 01:33:25 Winter: ISAKMP:(2309):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 7 01:33:25 Winter: ISAKMP (2309): ID payload
next-payload : 8
type : 1
address : 80.188.29.210
protocol : 17
port : 0
length : 12
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Total payload length: 12
*Nov 7 01:33:25 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 01:33:25 Winter: ISAKMP:(2309):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Nov 7 01:33:25 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:25 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Nov 7 01:33:25 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:25 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:25 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.
czprab01#
*Nov 7 01:33:35 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:35 Winter: ISAKMP (2309): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Nov 7 01:33:35 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:35 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:35 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.
*Nov 7 01:33:35 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:35 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Nov 7 01:33:35 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:35 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:35 Winter: ISAKMP:(2308):Sending an IKE IPv4 Packet.
*Nov 7 01:33:45 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:45 Winter: ISAKMP (2309): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Nov 7 01:33:45 Winter: ISAKMP:(2309): retransmitting phase 1 MM_KEY_EXCH
*Nov 7 01:33:45 Winter: ISAKMP:(2309): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:45 Winter: ISAKMP:(2309):Sending an IKE IPv4 Packet.
*Nov 7 01:33:45 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH...
*Nov 7 01:33:45 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Nov 7 01:33:45 Winter: ISAKMP:(2308): retransmitting phase 1 MM_KEY_EXCH
czprab01#sh ip route 216.40.48.53
Routing entry for 216.40.48.53/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* 80.188.29.209, via FastEthernet4
Route metric is 0, traffic share count is 1
czprab01#ping 216.40.48.53
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 216.40.48.53, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 132/134/140 ms
Thank you
11-06-2013 09:45 PM
Hello, Omar.
>sending packet to 216.40.48.53 my_port 4500 peer_port 4500
Looks like some issue with NAT-T. But it's strange that the router detects NAT even though you are using public addresses.
Take a look at the link provided by Raman.
PS: check your inbound ACLs on both sides - do they permit UDP 4500?
PS2: do you have the same debug output from the other side?
11-07-2013 02:19 PM
Hi Mikhailovsky,
I tried what the link says, the command
crypto ipsec nat-transparency spi-matching
on both sides, and this is the result:
czprab01#sh cryp session
Crypto session current status
Interface: Tunnel1
Session status: UP-ACTIVE
Peer: 216.40.52.7 port 4500
IKE SA: local 80.188.29.210/4500 remote 216.40.52.7/4500 Active
IPSEC FLOW: permit 47 host 80.188.29.210 host 216.40.52.7
Active SAs: 2, origin: crypto map
Interface: Tunnel2
Session status: UP-IDLE <----------------------------------------
Peer: 216.40.48.53 port 500
IKE SA: local 80.188.29.210/500 remote 216.40.48.53/500 Active
IPSEC FLOW: permit 47 host 80.188.29.210 host 216.40.48.53
Active SAs: 0, origin: crypto map
czprab01#sh cryp isa
czprab01#sh cryp isakmp sa
czprab01#sh cryp isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
216.40.48.53 80.188.29.210 QM_IDLE 2458 ACTIVE
216.40.52.7 80.188.29.210 QM_IDLE 2034 ACTIVE
IPv6 Crypto ISAKMP SA
Debug (it looks like it is trying through port 500):
czprab01#
*Nov 7 23:12:24 Winter: %SYS-5-CONFIG_I: Configured from console by netman on vty0 (10.32.1.22)
*Nov 7 23:12:25 Winter: %LINK-3-UPDOWN: Interface Tunnel2, changed state to up
*Nov 7 23:12:25 Winter: ISAKMP:(0): SA request profile is (NULL)
*Nov 7 23:12:25 Winter: ISAKMP: Created a peer struct for 216.40.48.53, peer port 500
*Nov 7 23:12:25 Winter: ISAKMP: New peer created peer = 0x84F60934 peer_handle = 0x8000194B
*Nov 7 23:12:25 Winter: ISAKMP: Locking peer struct 0x84F60934, refcount 1 for isakmp_initiator
*Nov 7 23:12:25 Winter: ISAKMP: local port 500, remote port 500
*Nov 7 23:12:25 Winter: ISAKMP: set new node 0 to QM_IDLE
*Nov 7 23:12:25 Winter: ISAKMP:(0):insert sa successfully sa = 84F5FF70
*Nov 7 23:12:25 Winter: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*Nov 7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Nov 7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*Nov 7 23:12:25 Winter: ISAKMP:(0): beginning Main Mode exchange
*Nov 7 23:12:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_NO_STATE
*Nov 7 23:12:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 23:12:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_NO_STATE
*Nov 7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
*Nov 7 23:12:25 Winter: ISAKMP:(0): processing SA payload. message ID = 0
*Nov 7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 23:12:25 Winter: ISAKMP:(0): local preshared key found
*Nov 7 23:12:25 Winter: ISAKMP : Scanning profiles for xauth ...
*Nov 7 23:12:25 Winter: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*Nov 7 23:12:25 Winter: ISAKMP: encryption 3DES-CBC
*Nov 7 23:12:25 Winter: ISAKMP: hash MD5
*Nov 7 23:12:25 Winter: ISAKMP: default group 1
*Nov 7 23:12:25 Winter: ISAKMP: auth pre-share
*Nov 7 23:12:25 Winter: ISAKMP: life type in seconds
*Nov 7 23:12:25 Winter: ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
*Nov 7 23:12:25 Winter: ISAKMP:(0):atts are acceptable. Next payload is 0
*Nov 7 23:12:25 Winter: ISAKMP:(0):Acceptable atts:actual life: 0
*Nov 7 23:12:25 Winter: ISAKMP:(0):Acceptable atts:life: 0
*Nov 7 23:12:25 Winter: ISAKMP:(0):Fill atts in sa vpi_length:4
*Nov 7 23:12:25 Winter: ISAKMP:(0):Fill atts in sa life_in_seconds:86400
*Nov 7 23:12:25 Winter: ISAKMP:(0):Returning Actual lifetime: 86400
*Nov 7 23:12:25 Winter: ISAKMP:(0)::Started lifetime timer: 86400.
*Nov 7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
*Nov 7 23:12:25 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 7 23:12:25 Winter: ISAKMP:(0):Sending an IKE IPv4 Packet.
*Nov 7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
*Nov 7 23:12:25 Winter: ISAKMP (0): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_SA_SETUP
*Nov 7 23:12:25 Winter: ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
*Nov 7 23:12:25 Winter: ISAKMP:(0): processing KE payload. message ID = 0
*Nov 7 23:12:25 Winter: ISAKMP:(0): processing NONCE payload. message ID = 0
*Nov 7 23:12:25 Winter: ISAKMP:(0):found peer pre-shared key matching 216.40.48.53
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload
*Nov 7 23:12:25 Winter: ISAKMP:(2458): vendor ID is Unity
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload
*Nov 7 23:12:25 Winter: ISAKMP:(2458): vendor ID is DPD
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing vendor id payload
*Nov 7 23:12:25 Winter: ISAKMP:(2458): speaking to another IOS box!
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM4 New State = IKE_I_MM4
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Send initial contact
*Nov 7 23:12:25 Winter: ISAKMP:(2458):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
*Nov 7 23:12:25 Winter: ISAKMP (2458): ID payload
next-payload : 8
type : 1
address : 80.188.29.210
protocol : 17
port : 500
length : 12
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Total payload length: 12
*Nov 7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM4 New State = IKE_I_MM5
*Nov 7 23:12:25 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) MM_KEY_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing ID payload. message ID = 0
*Nov 7 23:12:25 Winter: ISAKMP (2458): ID payload
next-payload : 8
type : 1
address : 10.32.100.95
protocol : 17
port : 500
length : 12
*Nov 7 23:12:25 Winter: ISAKMP:(0):: peer matches *none* of the profiles
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing HASH payload. message ID = 0
*Nov 7 23:12:25 Winter: ISAKMP:(2458):SA authentication status:
authenticated
*Nov 7 23:12:25 Winter: ISAKMP:(2458):SA has been authenticated with 216.40.48.53
*Nov 7 23:12:25 Winter: ISAKMP: Trying to insert a peer 80.188.29.210/216.40.48.53/500/, and inserted successfully 84F60934.
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM5 New State = IKE_I_MM6
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6 New State = IKE_I_MM6
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):IKE_DPD is enabled, initializing timers
*Nov 7 23:12:25 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -1653111772
*Nov 7 23:12:25 Winter: ISAKMP:(2458):QM Initiator gets spi
*Nov 7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) QM_IDLE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Node -1653111772, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) QM_IDLE
*Nov 7 23:12:25 Winter: ISAKMP: set new node 457267733 to QM_IDLE
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing HASH payload. message ID = 457267733
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 366030750, message ID = 457267733, sa = 84F5FF70
*Nov 7 23:12:25 Winter: ISAKMP:(2458): deleting spi 366030750 message ID = -1653111772
*Nov 7 23:12:25 Winter: ISAKMP:(2458):deleting node -1653111772 error TRUE reason "Delete Larval"
*Nov 7 23:12:25 Winter: ISAKMP:(2458):deleting node 457267733 error FALSE reason "Informational (in) state 1"
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 7 23:12:26 Winter: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel2, changed state to up
czprab01#
czprab01#
czprab01#
*Nov 7 23:12:55 Winter: ISAKMP: set new node 0 to QM_IDLE
*Nov 7 23:12:55 Winter: SA has outstanding requests (local 132.246.0.244 port 500, remote 132.246.0.216 port 500)
*Nov 7 23:12:55 Winter: ISAKMP:(2458): sitting IDLE. Starting QM immediately (QM_IDLE )
*Nov 7 23:12:55 Winter: ISAKMP:(2458):beginning Quick Mode exchange, M-ID of -2109933165
*Nov 7 23:12:55 Winter: ISAKMP:(2458):QM Initiator gets spi
*Nov 7 23:12:55 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) QM_IDLE
*Nov 7 23:12:55 Winter: ISAKMP:(2458):Sending an IKE IPv4 Packet.
*Nov 7 23:12:55 Winter: ISAKMP:(2458):Node -2109933165, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Nov 7 23:12:55 Winter: ISAKMP:(2458):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Nov 7 23:12:55 Winter: ISAKMP (2458): received packet from 216.40.48.53 dport 500 sport 500 Global (I) QM_IDLE
*Nov 7 23:12:55 Winter: ISAKMP: set new node 734369673 to QM_IDLE
*Nov 7 23:12:55 Winter: ISAKMP:(2458): processing HASH payload. message ID = 734369673
*Nov 7 23:12:55 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 3927145352, message ID = 734369673, sa = 84F5FF70
*Nov 7 23:12:55 Winter: ISAKMP:(2458): deleting spi 3927145352 message ID = -2109933165
*Nov 7 23:12:55 Winter: ISAKMP:(2458):deleting node -2109933165 error TRUE reason "Delete Larval"
*Nov 7 23:12:55 Winter: ISAKMP:(2458):deleting node 734369673 error FALSE reason "Informational (in) state 1"
*Nov 7 23:12:55 Winter: ISAKMP:(2458):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Nov 7 23:12:55 Winter: ISAKMP:(2458):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Nov 7 23:13:15 Winter: ISAKMP:(2458):purging node -1653111772
*Nov 7 23:13:15 Winter: ISAKMP:(2458):purging node 457267733
and this is the ACL:
czprab01#sh ip access 110
Extended IP access list 110
10 deny icmp any any redirect log
20 deny ip 127.0.0.0 0.255.255.255 any log
30 deny ip 224.0.0.0 31.255.255.255 any log
40 deny ip host 0.0.0.0 any log
50 permit esp host 216.40.52.7 any
60 permit udp host 216.40.52.7 any eq isakmp
70 permit gre host 216.40.52.7 any
80 permit udp host 216.40.52.7 any eq non500-isakmp (16355 matches)
90 permit esp host 216.40.48.53 any
100 permit udp host 216.40.48.53 any eq isakmp (256 matches)
110 permit gre host 216.40.48.53 any
120 permit udp host 216.40.48.53 any eq non500-isakmp
130 deny ip any any log (18 matches)
I would appreciate any comment.
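A log-triage script for the two captures Omar posted above (the first dying in MM_KEY_EXCH after floating to UDP/4500, the later one completing Phase 1 but getting PROPOSAL_NOT_CHOSEN in Quick Mode). It is an added example, not part of the thread or Cisco's tooling; the sample lines are constructed after the thread's debug output, and the rule that charges lines to the last peer named (because the conn-id changes from 0 mid-exchange) is my own assumption.

```python
"""Triage a Cisco IOS 'debug crypto isakmp' capture per IKEv1 peer.
Added example for this thread (not Cisco's or the poster's code): separates
Phase 1 stalled at MM_KEY_EXCH ("Death by retransmission P1") from Phase 2
rejected with PROPOSAL_NOT_CHOSEN after IKE_P1_COMPLETE."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes are those of the debug output quoted in the thread.
RE_CONN = re.compile(r"ISAKMP:?\s?\((\d+)\)")
RE_SEND = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port \d+ \(I\) (\w+)")
RE_RETRANS = re.compile(r"attempt \d+ of \d+: retransmit phase 1")
RE_DEATH = re.compile(r'"Death by retransmission P1" state \(I\) (\w+) \(peer (\S+)\)')
RE_NOTIFY = re.compile(r"processing NOTIFY (\w+) protocol \d+")
RE_NATD = re.compile(r"His hash no match")
RE_P1_DONE = re.compile(r"New State = IKE_P1_COMPLETE")

@dataclass
class PeerState:
    peer: str
    last_sent_state: Optional[str] = None
    last_sent_port: Optional[int] = None   # local UDP port of the last packet we sent
    retransmits: int = 0
    natd_mismatch: bool = False            # NAT-D hash mismatch -> IOS floats to UDP/4500
    p1_complete: bool = False
    notifies: List[str] = field(default_factory=list)
    death_state: Optional[str] = None      # state named in "Death by retransmission P1"

def parse(debug_text: str) -> Dict[str, PeerState]:
    """Group lines by peer. The conn-id changes from 0 to its real value mid-exchange, so a
    line whose conn-id has not yet named a peer is charged to the last peer seen (assumption)."""
    peers: Dict[str, PeerState] = {}
    conn_peer: Dict[str, str] = {}
    last_peer: Optional[str] = None
    for line in debug_text.splitlines():
        m_conn = RE_CONN.search(line)
        conn = m_conn.group(1) if m_conn else None
        if m := RE_SEND.search(line):
            s = peers.setdefault(m.group(1), PeerState(m.group(1)))
            s.last_sent_port, s.last_sent_state = int(m.group(2)), m.group(3)
        elif m := RE_DEATH.search(line):
            s = peers.setdefault(m.group(2), PeerState(m.group(2)))
            s.death_state = m.group(1)
        else:
            peer = conn_peer.get(conn, last_peer) if conn else last_peer
            if peer is None:
                continue                   # nothing has named a peer yet
            s = peers[peer]
            if RE_RETRANS.search(line):
                s.retransmits += 1
            elif m := RE_NOTIFY.search(line):
                s.notifies.append(m.group(1))
            elif RE_NATD.search(line):
                s.natd_mismatch = True
            elif RE_P1_DONE.search(line):
                s.p1_complete = True
        if conn:
            conn_peer[conn] = s.peer
        last_peer = s.peer
    return peers

def diagnose(s: PeerState) -> Dict[str, object]:
    """Classify one peer's exchange and say what to check next."""
    if s.death_state or (s.retransmits and s.last_sent_state == "MM_KEY_EXCH"):
        verdict = "phase1_stalled"
        detail = f"no reply to MM_KEY_EXCH on UDP/{s.last_sent_port} after {s.retransmits} retransmits"
        if s.natd_mismatch:
            detail += "; NAT-D hashes did not match, so IOS assumed a NAT in the path"
        if s.last_sent_port == 4500:
            detail += "; exchange floated to UDP/4500: verify UDP/4500 is permitted both ways"
    elif "PROPOSAL_NOT_CHOSEN" in s.notifies:
        verdict = "phase2_rejected"
        detail = "Phase 1 authenticated but the peer rejected the IPsec proposal; compare transform set and profile on both ends"
    elif s.p1_complete:
        verdict, detail = "phase1_complete", "IKE SA up, no error notify seen"
    else:
        verdict, detail = "incomplete", "capture ends before Phase 1 finished"
    return {"peer": s.peer, "verdict": verdict, "port": s.last_sent_port, "detail": detail}

def analyze(debug_text: str) -> Dict[str, Dict[str, object]]:
    return {peer: diagnose(st) for peer, st in parse(debug_text).items()}

# Constructed sample modelled on the first capture: MM5 floats to UDP/4500 and is never answered.
SAMPLE_STALLED = """\
*Nov 7 01:32:55 Winter: ISAKMP:(0): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_SA_SETUP
*Nov 7 01:32:55 Winter: ISAKMP (2308): His hash no match - this node outside NAT
*Nov 7 01:32:55 Winter: ISAKMP:(2308): sending packet to 216.40.48.53 my_port 4500 peer_port 4500 (I) MM_KEY_EXCH
*Nov 7 01:33:05 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Nov 7 01:33:15 Winter: ISAKMP (2308): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Nov 7 01:33:55 Winter: ISAKMP:(2308):deleting SA reason "Death by retransmission P1" state (I) MM_KEY_EXCH (peer 216.40.48.53)
"""
# Constructed sample modelled on the second capture: Phase 1 completes on UDP/500,
# then Quick Mode is answered with PROPOSAL_NOT_CHOSEN.
SAMPLE_P2_REJECTED = """\
*Nov 7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) MM_KEY_EXCH
*Nov 7 23:12:25 Winter: ISAKMP:(2458):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
*Nov 7 23:12:25 Winter: ISAKMP:(2458): sending packet to 216.40.48.53 my_port 500 peer_port 500 (I) QM_IDLE
*Nov 7 23:12:25 Winter: ISAKMP:(2458): processing NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""
```

Feed it the raw output of `debug crypto isakmp` (one exchange per capture) and read the verdict per peer; `analyze(SAMPLE_STALLED)` reports the 4500 case and `analyze(SAMPLE_P2_REJECTED)` the proposal mismatch.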
02-21-2014 08:59 AM
I am not sure if you resolved this, and I am new to replying, so forgive me if I am doing this incorrectly, but...
I noticed you did not have the word "shared" in your tunnel protection statement, as this is needed:
tunnel protection ipsec profile CHEP shared
02-21-2014 10:51 AM
Hello
can you try...
Int tun xx
tunnel mode gre multipoint
ip nhrp map multicast 216.40.48.53
ip mtu 1400
ip tcp adjust-mss 1360
tunnel protection ipsec profile CHEP shared
Regards
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.