07-08-2011 01:10 AM - edited 03-04-2019 12:55 PM
Hi.
I have a Cisco 1921 and it has 2 VPN IPsec site-to-site tunnels up and running. Let's say the tunnels go from the Cisco to Site A and Site B.
Now I want Site A to reach Site B through the existing tunnels. I'm guessing that static routes may be the answer, but I can't seem to get it working.
The LAN networks are as follows:
Cisco: 192.168.15.0/24
Site A: 192.168.0.0/24
Site B: 10.27.27.0/24
At Site A I have set up a static route as follows:
Traffic destined for 10.27.27.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)
At Site B I have set up a static route as follows:
Traffic destined for 192.168.0.0/24 Go to gateway 192.168.15.1 (the default gateway of Cisco LAN)
Hoping someone could shine some light on this matter.
Kind regards
07-08-2011 01:34 AM
Hi,
You need to define interesting traffic for site-to-site VPN as well. Please post a brief diagram and configuration on both VPN routers.
HTH,
Toshi
07-08-2011 04:57 AM
I have now added the traffic to the access-lists for the IPsec tunnels and still no change. Is it correct for me to set the default gateway of both sides as 192.168.15.1 (LAN interface on the middle router) when they want to talk to each other?
See attachments for configs.
The running config is from the router in the middle of the network drawing.
Kind regards.
07-09-2011 05:57 AM
Adding static routes with next hop 192.168.15.1 may fail if it tries to do ARP for the next hop, which actually needs to be reached by VPN. Try adding routes via your ISP default gateway, hence it passes traffic to the crypto interface, which will get encrypted.
Sent from Cisco Technical Support iPhone App
07-10-2011 09:05 PM
Hi Tommy,
To the best of my knowledge you can't do this using crypto maps. You can however do it using VTI tunnels protected with IPsec, as then it is just a matter of a simple static route.
So on the Cisco you would already have in place static routes of the nature
ip route 192.168.0.0 255.255.255.0 tunnel 0
ip route 10.27.27.0 255.255.255.0 tunnel 1
You would then just need to tell the routers at Site A that Site B is also accessible through Tunnel0, and similarly on Site B that Site A is accessible through its tunnel.
Overall easier once set up.
07-10-2011 11:08 PM
I'm sorry, but VTI tunnels are not supported in the router type at both Site A and Site B. Or at least I can't find it.
I looked into it now and it seems like it would be the way to go about it in this case as well. Thank you very much, I will get back to you all with the results of this VTI configuration.
Kind regards.
07-11-2011 02:10 AM
Hi Tommy,
The feature set says it supports this method.
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key ReallyGoodPassword address
crypto ipsec transform-set TranSet esp-3des esp-md5-hmac
crypto ipsec profile proVTI
set transform-set TranSet
interface Tunnel0
description Site-Site Tunnel Other End is 201.2
ip address 192.168.201.1 255.255.255.252 ! (or pick a subnet that doesn't conflict)
no shutdown
tunnel source Dialer0 ! or IP of this WAN Interface
tunnel destination
tunnel mode ipsec ipv4
tunnel protection ipsec profile proVTI
ip route
Do this at both ends and all is good.
Then add a
ip route 10.27.27.0 255.255.255.0 tunnel 0
on the site A router and
ip route 192.168.0.0 255.255.255.0 tunnel 0 ! or whatever number you gave it
on the Site B router, and all traffic should flow fine, albeit a little clumsy. Any reason you can't just add a tunnel between the Site A and Site B routers instead?
07-11-2011 02:29 AM
Hi.
I have now implemented the method for one tunnel; however, the tunnel goes down and times out for like 20 seconds once every minute.
So there are two tunnels configured as before and one tunnel configured using VTI and that one is the one timing out.
Is my configuration of the interface Tunnel0 wrong, and if so, is there anything else that jumps out that's wrong?
Kind regards.
Here is my configuration on this matter:
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address 194.23.14.xxx
crypto isakmp key xxxxxxxxx address 212.37.97.xxx
crypto isakmp key xxxxxxxxx address 81.232.19.xxx no-xauth
!
!
crypto ipsec transform-set TF_Stockholm esp-3des esp-sha-hmac
!
crypto ipsec profile P1
set security-association lifetime seconds 28800
set transform-set TF_Stockholm
set pfs group2
!
!
crypto map TF_Stockholm 30 ipsec-isakmp
set peer 194.23.14.xxx
set security-association lifetime seconds 86400
set transform-set TF_Stockholm
set pfs group2
match address 103
crypto map TF_Stockholm 40 ipsec-isakmp
set peer 212.37.97.xxx
set transform-set TF_Stockholm
set pfs group2
match address 102
!
!
interface Tunnel0
description TUNNEL TILL DOFH
ip unnumbered GigabitEthernet0/0
zone-member security WAN_ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 81.232.19.xxx
tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
ip address 194.17.211.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
crypto map TF_Stockholm
Here is my debug log:
*Jul 11 09:21:31.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:21:31.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:21:31.057: ISAKMP:(1180):Node 1791448660, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 11 09:21:31.061: ISAKMP:(1180):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 QM_IDLE 1791448660 ...
*Jul 11 09:21:41.057: ISAKMP (1180): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jul 11 09:21:41.057: ISAKMP (1180): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:21:41.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:21:41.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:21:47.201: ISAKMP (0): received packet from 81.228.205.xxx dport 500 sport 500 Global (R) MM_NO_STATE
*Jul 11 09:21:51.057: ISAKMP:(1180): retransmitting phase 2 QM_IDLE 1791448660 ...
*Jul 11 09:21:51.057: ISAKMP (1180): incrementing error counter on node, attempt 2 of 5: retransmit phase 2
*Jul 11 09:21:51.057: ISAKMP (1180): incrementing error counter on sa, attempt 2 of 5: retransmit phase 2
*Jul 11 09:21:51.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:21:51.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:21:51.057: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:01.033: IPSEC(key_engine): request timer fired: count = 1,
(identity) local= 194.17.211.126:0, remote= 81.232.19.xxx:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
*Jul 11 09:22:01.033: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 194.17.211.xxx:500, remote= 81.232.19.xxx:500,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-3des esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jul 11 09:22:01.057: ISAKMP: set new node 0 to QM_IDLE
*Jul 11 09:22:01.057: SA has outstanding requests (local 39.204.159.xxx port 500, remote 39.204.159.xxx port 500)
*Jul 11 09:22:01.057: ISAKMP:(1180): sitting IDLE. Starting QM immediately (QM_IDLE )
*Jul 11 09:22:01.057: ISAKMP:(1180):beginning Quick Mode exchange, M-ID of -890998029
*Jul 11 09:22:01.081: ISAKMP:(1180):QM Initiator gets spi
*Jul 11 09:22:01.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:22:01.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:01.081: ISAKMP:(1180):Node -890998029, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
*Jul 11 09:22:01.081: ISAKMP:(1180):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 11 09:22:01.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE 1791448660 ...
*Jul 11 09:22:01.081: ISAKMP (1180): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
*Jul 11 09:22:01.081: ISAKMP (1180): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
*Jul 11 09:22:01.081: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:22:01.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:22:01.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:08.249: ISAKMP:(0):purging SA., sa=27DCB3B4, delme=27DCB3B4
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE -890998029 ...
*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 -890998029 QM_IDLE
*Jul 11 09:22:11.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:22:11.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE 1791448660 ...
*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:22:11.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:22:11.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:21.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE -890998029 ...
*Jul 11 09:22:21.081: ISAKMP:(1180):peer does not do paranoid keepalives.
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 81.232.19.xxx)
*Jul 11 09:22:21.081: ISAKMP:(1180): retransmitting phase 2 QM_IDLE 1791448660 ...
*Jul 11 09:22:21.081: ISAKMP:(1180):peer does not do paranoid keepalives.
*Jul 11 09:22:21.081: ISAKMP: set new node 1538683159 to QM_IDLE
*Jul 11 09:22:21.081: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:22:21.081: ISAKMP:(1180):Sending an IKE IPv4 Packet.
*Jul 11 09:22:21.081: ISAKMP:(1180):purging node 1538683159
*Jul 11 09:22:21.081: ISAKMP:(1180):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Jul 11 09:22:21.081: ISAKMP:(1180):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 81.232.19.xxx)
*Jul 11 09:22:21.081: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
*Jul 11 09:22:21.081: ISAKMP: Unlocking peer struct 0x316B5470 for isadb_mark_sa_deleted(), count 0
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting node 1791448660 error FALSE reason "IKE deleted"
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting node -890998029 error FALSE reason "IKE deleted"
*Jul 11 09:22:21.081: ISAKMP:(1180):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Jul 11 09:22:21.081: ISAKMP:(1180):Old State = IKE_DEST_SA New State = IKE_DEST_SA
TEST_ROUTER(config)#
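The failure pattern in the debug output above can be pulled out with a short script. This is an added example, not part of the original post; the function name `triage` and the summary fields are this example's own. It counts Quick Mode starts and retransmissions per ISAKMP SA, records the teardown reason, and lists inbound IKE packets whose source is not the SA's peer.

```python
import re
from collections import defaultdict

# Lines copied from the debug output posted above (addresses masked as in the post).
SAMPLE_LOG = """\
*Jul 11 09:21:31.057: ISAKMP:(1180): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
*Jul 11 09:21:31.061: ISAKMP:(1180):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 11 09:21:41.057: ISAKMP (1180): incrementing error counter on sa, attempt 1 of 5: retransmit phase 2
*Jul 11 09:21:41.057: ISAKMP:(1180): retransmitting phase 2 1791448660 QM_IDLE
*Jul 11 09:21:47.201: ISAKMP (0): received packet from 81.228.205.xxx dport 500 sport 500 Global (R) MM_NO_STATE
*Jul 11 09:22:01.081: ISAKMP:(1180):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
*Jul 11 09:22:11.081: ISAKMP:(1180): retransmitting phase 2 -890998029 QM_IDLE
*Jul 11 09:22:11.081: ISAKMP (1180): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
*Jul 11 09:22:21.081: ISAKMP:(1180):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 81.232.19.xxx)
"""

SA_ID = re.compile(r"ISAKMP:?\s*\((\d+)\)")
SENT = re.compile(r"sending packet to (\S+) my_port")
RECV = re.compile(r"received packet from (\S+) dport")
QM_START = re.compile(r"New State = IKE_QM_I_QM1")
RETRANS = re.compile(r"retransmitting phase 2\s+(?:QM_IDLE\s+)?(-?\d+)")
SA_ERR = re.compile(r"error counter on sa, attempt (\d+) of (\d+)")
DELETED = re.compile(r'deleting SA reason "([^"]+)".*\(peer (\S+)\)')


def triage(log_text):
    """Per ISAKMP SA: Quick Mode attempts, retransmit counter, teardown reason."""
    sas = defaultdict(lambda: {"peer": None, "qm_starts": 0, "mids": set(),
                               "sa_errors": (0, 0), "reason": None})
    inbound = defaultdict(int)  # source address -> IKE packets received
    for line in log_text.splitlines():
        if m := RECV.search(line):
            inbound[m.group(1)] += 1
        sa = SA_ID.search(line)
        if not sa or sa.group(1) == "0":  # SA id 0: no SA negotiated yet
            continue
        s = sas[int(sa.group(1))]
        if m := SENT.search(line):
            s["peer"] = m.group(1)
        if QM_START.search(line):
            s["qm_starts"] += 1
        if m := RETRANS.search(line):
            s["mids"].add(int(m.group(1)))
        if m := SA_ERR.search(line):
            s["sa_errors"] = max(s["sa_errors"], (int(m.group(1)), int(m.group(2))))
        if m := DELETED.search(line):
            s["reason"], s["peer"] = m.group(1), m.group(2)
    for s in sas.values():
        s["replies"] = inbound.get(s["peer"], 0)
        # Quick Mode was sent and retried, and nothing came back from the peer.
        s["no_qm_reply"] = (s["reason"] is not None and "P2" in s["reason"]
                            and s["replies"] == 0)
    peers = {s["peer"] for s in sas.values()}
    stray = sorted(a for a in inbound if a not in peers)
    return dict(sas), stray


if __name__ == "__main__":
    summary, stray = triage(SAMPLE_LOG)
    for sa_id, s in summary.items():
        print(sa_id, s)
    print("inbound IKE from non-peer addresses:", stray)
```

On the excerpt this reports SA 1180 deleted once the SA error counter reached 5 of 5 with no packet logged from 81.232.19.xxx, plus one inbound packet from 81.228.205.xxx, which is not the tunnel destination.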
07-11-2011 02:14 PM
Hi Tommy,
The VTI tunnel can't be unnumbered to the Gi0/0 to the best of my knowledge (but I am not an expert); it needs an IP on a unique subnet so it can be routed. I am unsure whether your ACLs for traffic of interest refer to the traffic at the other end of the VTI as well. The config you posted is obviously not complete. I would definitely fix that IP for the tunnel though.
Message was edited by: Ross Marston
07-12-2011 05:56 AM
Hi.
Thank you for your feedback. I have changed the configuration somewhat, but I still got the same results of the tunnel timing out and going down for like 15 seconds every other minute.
Config for remote site is on pic1 and pic2.
Here is my current running config of the matter:
class-map type inspect match-any LAN_TO_WAN
match access-group name LAN_TO_WAN
class-map type inspect match-any WAN_TO_LAN
match access-group name WAN_TO_LAN
!
!
policy-map type inspect LAN_TO_WAN
class type inspect LAN_TO_WAN
inspect
class class-default
drop
policy-map type inspect WAN_TO_LAN
class type inspect WAN_TO_LAN
inspect
class class-default
drop
!
zone security LAN_ZONE
zone security WAN_ZONE
zone security LAN2_ZONE
zone-pair security LAN_TO_WAN source LAN_ZONE destination WAN_ZONE
service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN_ZONE destination LAN_ZONE
service-policy type inspect WAN_TO_LAN
zone-pair security LAN2_TO_WAN source LAN2_ZONE destination WAN_ZONE
service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN2 source WAN_ZONE destination LAN2_ZONE
service-policy type inspect WAN_TO_LAN
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxxxxxxxxx address 81.232.19.xxx
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
!
crypto ipsec profile P1
set transform-set TS1
set pfs group2
!
!
interface Tunnel0
ip address 192.168.250.1 255.255.255.0
zone-member security LAN2_ZONE
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 81.232.19.xxx
tunnel protection ipsec profile P1
!
interface GigabitEthernet0/0
ip address 194.17.211.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security WAN_ZONE
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface GigabitEthernet0/1.15
encapsulation dot1Q 15
ip address 192.168.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security LAN2_ZONE
!
interface GigabitEthernet0/1.101
encapsulation dot1Q 101
ip address 10.0.1.28 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security LAN_ZONE
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool with_overload 194.17.211.xxx 194.17.211.xxx prefix-length 29
ip nat inside source list 105 pool with_overload overload
ip route 0.0.0.0 0.0.0.0 194.17.211.xxx
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
ip access-list extended LAN_TO_WAN
permit ip any any
ip access-list extended WAN_TO_LAN
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq 22
permit tcp any any eq telnet
permit tcp any any eq 24
permit tcp any any eq smtp
permit tcp any any eq 26
permit tcp any any eq 27
permit tcp any any eq 28
permit tcp any any eq 29
permit tcp any any eq 30
permit tcp any any eq 31
permit tcp any any eq 32
permit tcp any any eq 33
permit tcp any any eq 34
permit tcp any any eq 35
permit tcp any any eq www
permit tcp any any eq 443
permit ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any
permit ip 10.27.27.0 0.0.0.255 192.168.15.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 192.168.15.0 0.0.0.255
permit esp any any
!
access-list 101 permit ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 10.27.27.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 deny ip 10.0.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 105 deny ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.15.0 0.0.0.255 any
Here is my debug output with this config:
Jul 12 12:53:06.646: ISAKMP: set new node 0 to QM_IDLE
Jul 12 12:53:06.646: SA has outstanding requests (local 39.220.181.28 port 500, remote 39.220.181.56 port 500)
Jul 12 12:53:06.646: ISAKMP:(1473): sitting IDLE. Starting QM immediately (QM_IDLE )
Jul 12 12:53:06.646: ISAKMP:(1473):beginning Quick Mode exchange, M-ID of -140327640
Jul 12 12:53:06.666: ISAKMP:(1473):QM Initiator gets spi
Jul 12 12:53:06.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
Jul 12 12:53:06.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.
Jul 12 12:53:06.666: ISAKMP:(1473):Node -140327640, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
Jul 12 12:53:06.666: ISAKMP:(1473):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
Jul 12 12:53:06.670: ISAKMP:(1473): retransmitting phase 2 QM_IDLE 1426390693 ...
Jul 12 12:53:06.670: ISAKMP (1473): incrementing error counter on node, attempt 3 of 5: retransmit phase 2
Jul 12 12:53:06.670: ISAKMP (1473): incrementing error counter on sa, attempt 3 of 5: retransmit phase 2
Jul 12 12:53:06.670: ISAKMP:(1473): retransmitting phase 2 1426390693 QM_IDLE
Jul 12 12:53:06.670: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
Jul 12 12:53:06.670: ISAKMP:(1473):Sending an IKE IPv4 Packet.
Jul 12 12:53:11.014: ISAKMP:(1473):purging node -1007574191
Jul 12 12:53:11.598: ISAKMP:(1473):purging node -134087220
Jul 12 12:53:16.666: ISAKMP:(1473): retransmitting phase 2 QM_IDLE -140327640 ...
Jul 12 12:53:16.666: ISAKMP (1473): incrementing error counter on node, attempt 1 of 5: retransmit phase 2
Jul 12 12:53:16.666: ISAKMP (1473): incrementing error counter on sa, attempt 4 of 5: retransmit phase 2
Jul 12 12:53:16.666: ISAKMP:(1473): retransmitting phase 2 -140327640 QM_IDLE
Jul 12 12:53:16.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
Jul 12 12:53:16.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.
Jul 12 12:53:16.670: ISAKMP:(1473): retransmitting phase 2 QM_IDLE 1426390693 ...
Jul 12 12:53:16.670: ISAKMP (1473): incrementing error counter on node, attempt 4 of 5: retransmit phase 2
Jul 12 12:53:16.670: ISAKMP (1473): incrementing error counter on sa, attempt 5 of 5: retransmit phase 2
Jul 12 12:53:16.670: ISAKMP:(1473): retransmitting phase 2 1426390693 QM_IDLE
Jul 12 12:53:16.670: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
Jul 12 12:53:16.670: ISAKMP:(1473):Sending an IKE IPv4 Packet.
Jul 12 12:53:26.666: ISAKMP:(1473): retransmitting phase 2 QM_IDLE -140327640 ...
Jul 12 12:53:26.666: ISAKMP:(1473):peer does not do paranoid keepalives.
Jul 12 12:53:26.666: ISAKMP:(1473):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 81.232.19.xxx)
Jul 12 12:53:26.666: ISAKMP: set new node -1873188883 to QM_IDLE
Jul 12 12:53:26.666: ISAKMP:(1473): sending packet to 81.232.19.xxx my_port 500 peer_port 500 (R) QM_IDLE
Jul 12 12:53:26.666: ISAKMP:(1473):Sending an IKE IPv4 Packet.
Jul 12 12:53:26.666: ISAKMP:(1473):purging node -1873188883
Jul 12 12:53:26.666: ISAKMP:(1473):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Jul 12 12:53:26.666: ISAKMP:(1473):Old State = IKE_P1_COMPLETE New State = IKE_DEST_SA
Jul 12 12:53:26.666: ISAKMP:(1473):deleting SA reason "Death by retransmission P2" state (R) QM_IDLE (peer 81.232.19.xxx)
Jul 12 12:53:26.666: ISAKMP:(0):Can't decrement IKE Call Admission Control stat incoming_active since it's already 0.
Jul 12 12:53:26.666: ISAKMP: Unlocking peer struct 0x2800B1E4 for isadb_mark_sa_deleted(), count 0
Jul 12 12:53:26.666: ISAKMP:(1473):deleting node 1426390693 error FALSE reason "IKE deleted"
Jul 12 12:53:26.666: ISAKMP:(1473):deleting node -140327640 error FALSE reason "IKE deleted"
Jul 12 12:53:26.666: ISAKMP:(1473):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
Jul 12 12:53:26.666: ISAKMP:(1473):Old State = IKE_DEST_SA New State = IKE_DEST_SA
Jul 12 12:53:36.646: IPSEC(key_engine): request timer fired: count = 2,
(identity) local= 194.17.211.xxx:0, remote= 81.232.19.xxx:0,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4)
Jul 12 12:53:42.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to down
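The "interesting traffic" point raised early in the thread can be checked against access-lists 102 and 103 posted above. The script below is an added example, not part of the thread. It assumes ACL 103 selects traffic for the Site A peer and ACL 102 for the Site B peer, inferred from the crypto map entries and ACL destinations in the posted configs; `relay_gaps` and `RELAY_LINES` are names made up here. It reports which spoke-to-spoke flows the hub would not encrypt.

```python
import ipaddress
import re

LANS = {"Site A": "192.168.0.0/24", "Site B": "10.27.27.0/24"}  # from the first post
# Assumption: hub crypto ACL per peer, inferred from the posted crypto map entries.
HUB_CRYPTO_ACL = {"Site A": 103, "Site B": 102}

# Copied from the running config posted above.
POSTED_ACLS = """\
access-list 102 permit ip 192.168.15.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 103 permit ip 192.168.15.0 0.0.0.255 192.168.0.0 0.0.0.255
"""
# Constructed for this example: entries that would select the relayed flows.
RELAY_LINES = """\
access-list 102 permit ip 192.168.0.0 0.0.0.255 10.27.27.0 0.0.0.255
access-list 103 permit ip 10.27.27.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Handles only "address wildcard" entries, which is all the posted ACLs use.
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)")


def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for num, action, s, sw, d, dw in ACL_RE.findall(text):
        entry = (action,
                 ipaddress.ip_network(f"{s}/{sw}"),   # wildcard mask accepted as hostmask
                 ipaddress.ip_network(f"{d}/{dw}"))
        acls.setdefault(int(num), []).append(entry)
    return acls


def selects(entries, src, dst):
    """First-match evaluation: is src -> dst marked as traffic to encrypt?"""
    for action, s_net, d_net in entries:
        if src.subnet_of(s_net) and dst.subnet_of(d_net):
            return action == "permit"
    return False  # implicit deny: the flow is not sent into the tunnel


def relay_gaps(acl_text):
    """List (acl, src_lan, dst_lan) flows between spokes that no hub ACL selects."""
    acls = parse_acls(acl_text)
    gaps = []
    for src_site, src_lan in LANS.items():
        for dst_site, dst_lan in LANS.items():
            if src_site == dst_site:
                continue
            num = HUB_CRYPTO_ACL[dst_site]  # ACL for the tunnel toward the destination
            if not selects(acls.get(num, []), ipaddress.ip_network(src_lan),
                           ipaddress.ip_network(dst_lan)):
                gaps.append((num, src_lan, dst_lan))
    return gaps


if __name__ == "__main__":
    print("posted ACLs, unselected flows:", relay_gaps(POSTED_ACLS))
    print("with relay entries:", relay_gaps(POSTED_ACLS + RELAY_LINES))
```

Each spoke needs the mirror-image entries in its own crypto ACL, otherwise the proxy identities offered in Quick Mode will not match.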