IPSec Tunnel up but cannot ping remote Tunnel IP

alfonso.cornejo
Level 3

Hi,

I have configured a GRE over IPsec tunnel and everything was working fine, but suddenly I can't ping the tunnel IP address anymore. The two tunnels are shown as UP/UP. Here is the configuration:

***Branch***

crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
crypto isakmp keepalive 3600

crypto ipsec transform-set xxx-trans-3des esp-3des esp-sha-hmac

crypto key pubkey-chain rsa
addressed-key 10.233.172.1 encryption
  address 10.233.172.1
  key-string
   **** key ****
  quit

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.1
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface Tunnel502
bandwidth 4000
ip address 10.233.217.182 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source FastEthernet0/0
tunnel destination 10.233.172.1
service-policy output ring-tunnels

interface FastEthernet0/0
ip address 10.233.172.3 255.255.255.192
duplex full
speed 100
negotiation auto
arp timeout 900
crypto map rsvtu62-baa01-7206


ip access-list extended lista
permit gre host 10.233.172.3 host 10.233.172.1

***Central Site***

crypto isakmp policy 10
encr 3des
authentication rsa-encr
group 2
crypto isakmp keepalive 3600

crypto ipsec transform-set xxx-trans-3des esp-3des esp-sha-hmac

crypto key pubkey-chain rsa
addressed-key 10.233.172.3 encryption
  address 10.233.172.3
  key-string
   **** key ****
  quit

crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.3
set transform-set xxx-trans-3des
match address lista
qos pre-classify

interface Tunnel 502
bandwidth 4000
ip address 10.233.217.181 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1200
qos pre-classify
keepalive 3 3
tunnel source GigabitEthernet0/2
tunnel destination 10.233.172.3
service-policy output ring-tunnels

ip access-list extended lista
permit gre host 10.233.172.1 host 10.233.172.3

If I remove the crypto map from the WAN interface the tunnel goes down; if I put it back it comes up and the crypto session is established, but from the branch I can't ping the IP address 10.233.217.182 of the central site.

Any ideas?

Thanks in advance!

16 Replies
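Added example (not from the thread and not Cisco code): a Python script that parses the two config fragments above in the form they were pasted (stanzas separated by blank lines, sub-commands unindented) and runs the consistency checks a practitioner makes when a GRE/IPsec tunnel shows UP/UP but passes no traffic: the crypto map applied on the tunnel's source interface must be a map that is actually defined; the map entry whose peer is the tunnel destination must reference an ACL that permits GRE between the tunnel source and destination addresses; and the two sides' crypto ACLs must mirror each other. The central-site GigabitEthernet0/2 stanza is not in the post and is assumed here from the branch's "set peer 10.233.172.1"; everything else is copied from the post. Run on the branch fragment as pasted, the script reports that FastEthernet0/0 applies crypto map rsvtu62-baa01-7206 while the only map defined is mapa; whether that is a paste artifact or the live configuration is something only the poster can confirm.

```python
"""Consistency checks for a GRE-over-IPsec crypto-map configuration.

Added example; not Cisco code and not the poster's tooling. Parses IOS
config fragments as pasted in the thread (blank-line-separated stanzas,
sub-commands unindented) and checks map/ACL/interface consistency.
"""
import re

# Constructed from the branch config in the post (abridged).
BRANCH = """
crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.1
set transform-set xxx-trans-3des
match address lista

interface Tunnel502
ip address 10.233.217.182 255.255.255.252
keepalive 3 3
tunnel source FastEthernet0/0
tunnel destination 10.233.172.1

interface FastEthernet0/0
ip address 10.233.172.3 255.255.255.192
crypto map rsvtu62-baa01-7206

ip access-list extended lista
permit gre host 10.233.172.3 host 10.233.172.1
"""

# Constructed from the central-site config in the post; the GigabitEthernet0/2
# stanza is NOT in the post and is assumed from the branch's "set peer".
CENTRAL = """
crypto map mapa 502 ipsec-isakmp
set peer 10.233.172.3
set transform-set xxx-trans-3des
match address lista

interface Tunnel 502
ip address 10.233.217.181 255.255.255.252
keepalive 3 3
tunnel source GigabitEthernet0/2
tunnel destination 10.233.172.3

interface GigabitEthernet0/2
ip address 10.233.172.1 255.255.255.192
crypto map mapa

ip access-list extended lista
permit gre host 10.233.172.1 host 10.233.172.3
"""


def parse_ios(text):
    """Return {'maps', 'interfaces', 'acls'} from a pasted IOS fragment."""
    cfg = {"maps": {}, "interfaces": {}, "acls": {}}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", head)
        if m:  # one crypto map entry: name, sequence, peer, crypto ACL
            entry = {"peer": None, "acl": None}
            for ln in body:
                if ln.startswith("set peer "):
                    entry["peer"] = ln.split()[2]
                elif ln.startswith("match address "):
                    entry["acl"] = ln.split()[2]
            cfg["maps"].setdefault(m.group(1), {})[int(m.group(2))] = entry
        elif head.startswith("interface "):
            name = "".join(head.split()[1:])  # "Tunnel 502" -> "Tunnel502"
            iface = {"ip": None, "src": None, "dst": None, "map": None}
            for ln in body:
                w = ln.split()
                if ln.startswith("ip address "):
                    iface["ip"] = w[2]
                elif ln.startswith("tunnel source "):
                    iface["src"] = "".join(w[2:])  # interface name assumed
                elif ln.startswith("tunnel destination "):
                    iface["dst"] = w[2]
                elif ln.startswith("crypto map "):
                    iface["map"] = w[2]
            cfg["interfaces"][name] = iface
        elif head.startswith("ip access-list extended "):
            rules = []
            for ln in body:
                m = re.match(r"permit (\S+) host (\S+) host (\S+)", ln)
                if m:
                    rules.append(m.groups())  # (proto, src, dst)
            cfg["acls"][head.split()[3]] = rules
    return cfg


def check_site(cfg):
    """Per-router checks; returns a list of findings (empty means OK)."""
    findings = []
    for name, tun in cfg["interfaces"].items():
        if not name.startswith("Tunnel"):
            continue
        phys = cfg["interfaces"].get(tun["src"])
        if phys is None:
            findings.append(f"{name}: tunnel source {tun['src']} has no interface stanza")
            continue
        src_ip, dst_ip, applied = phys["ip"], tun["dst"], phys["map"]
        if applied is None:
            findings.append(f"{name}: no crypto map applied on {tun['src']}")
            continue
        if applied not in cfg["maps"]:  # the case visible in the branch paste
            findings.append(f"{name}: crypto map '{applied}' on {tun['src']} is not "
                            f"defined (defined: {', '.join(cfg['maps']) or 'none'})")
            continue
        entries = [e for e in cfg["maps"][applied].values() if e["peer"] == dst_ip]
        if not entries:
            findings.append(f"{name}: map '{applied}' has no entry with peer {dst_ip}")
        for e in entries:  # crypto ACL must select the GRE packets of this tunnel
            if ("gre", src_ip, dst_ip) not in cfg["acls"].get(e["acl"], []):
                findings.append(f"{name}: ACL '{e['acl']}' lacks permit gre host {src_ip} host {dst_ip}")
    return findings


def check_mirror(cfg_a, cfg_b):
    """Each 'permit gre host X host Y' on A needs 'permit gre host Y host X' on B."""
    rules_b = {r for rules in cfg_b["acls"].values() for r in rules}
    return [f"ACL '{acl}' rule {p} {s}->{d} has no mirror on the peer"
            for acl, rules in cfg_a["acls"].items()
            for p, s, d in rules if (p, d, s) not in rules_b]


if __name__ == "__main__":
    branch, central = parse_ios(BRANCH), parse_ios(CENTRAL)
    for label, cfg in (("branch", branch), ("central", central)):
        for f in check_site(cfg):
            print(f"[{label}] {f}")
    for f in check_mirror(branch, central) + check_mirror(central, branch):
        print(f"[mirror] {f}")
```

On the fragments as pasted, only the branch side produces a finding (the undefined map name on FastEthernet0/0); the crypto ACLs on both sides select GRE between the correct endpoints and mirror each other. Because "keepalive 3 3" is configured on both tunnel interfaces, an UP/UP line protocol already implies GRE keepalives are crossing in both directions, so the checks above are the first thing to rule out before moving on to "show crypto ipsec sa" counters and debugs.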

I just finished checking the configuration and the procedure and everything looks normal. I have some other tunnels configured in the same way and they are working fine. If there was a problem with the RSA key, IPsec policy, ISAKMP, etc., that should be logged on the router or shown by a debug command, but there is nothing that shows at least a little clearly what is going on...

Any other ideas?

Thanks in advance!

It is extremely hard to troubleshoot when it is working. Is it possible for you to turn on debug crypto isa sa and log that to a syslog server until it is not working? I know this might not be possible in a production environment, but right now I have kind of run out of clues as to why this is not working.

Regards,

jerry