Re: Tunnel Migration from Cisco 2800 to ISR 4331 Series

animesh.mishra · ‎04-02-2019

Hello Folks,

Needed One Help Regarding Cisco Router Migration from 2800 to ISR 4331.

"Here we copy and paste all config one by one in new router everything seems working fine instead GRE Tunnel over IPSEC"

IPSEC Tunnel not coming up with GRE tunnel. Phase I negotiation not coming UP. Other end peoples are saying It is working fine with 2800 router it should work fine with new one also.

Attached Tunnel Debug ISAKMP.

Please have a a look

Georg Pauwen · ‎04-02-2019

Hello,

in theory the IPSec tunnel configuration on the ISR should be identical to the 2800. Post the configurations of both ends of the peer connection you are trying to set up...

animesh.mishra · ‎04-02-2019

Hi Georg,

Thanks for response.

I have only our end config attached. Pl help.

animesh.mishra · ‎04-02-2019

Hi Georg,

Thanks for response.

I have only our end config attached. Pl help.

Georg Pauwen · ‎04-02-2019

Hello,

you are using two different transform sets in the same crypto map. One of the transform sets has the mode set to transport. I would split the crypto maps, or change the mode on the first transform set to mode tunnel (the default) as well, unless there is a specific reason you need transport mode:

crypto ipsec transform-set trans4 esp-3des esp-md5-hmac
--> mode tunnel
crypto ipsec transform-set trans5 esp-3des esp-sha-hmac
!
crypto map vpn_map 1 ipsec-isakmp
set peer 210.xx.xx.3
set transform-set trans4
match address shi_noida
crypto map vpn_map 2 ipsec-isakmp
set peer 210.xx.xx.4
set transform-set trans4
match address SHII_noida2_bk
crypto map vpn_map 3 ipsec-isakmp
set peer 112.xx.xx.106
set security-association lifetime seconds 28800
set transform-set trans5
match address SHII_HK_AVEVA

animesh.mishra · ‎04-02-2019

Hi Georg,

Appreciating you quick response.

But I think you are taking this input from old_config that is working fine. Please have a look in new_config.

In old_config tunnel is up with mode transport in trans4 only.

Deepak Kumar · ‎04-02-2019

Hi,

*Mar 26 17:41:48.039: ISAKMP-ERROR: (0):ignoring request to send delete notify (sa not authenticated) src 182.71.119.14 dst 210.118.109.4
*Mar 26 17:41:51.998: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Mar 26 17:41:51.998: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 26 17:41:51.998: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Mar 26 17:41:51.998: ISAKMP-PAK: (0):sending packet to 210.118.110.3 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 26 17:41:51.998: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Mar 26 17:41:51.998: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Mar 26 17:41:51.998: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Mar 26 17:41:51.998: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Mar 26 17:41:51.998: ISAKMP-PAK: (0):sending packet to 210.118.109.4 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 26 17:41:51.998: ISAKMP: (0):Sending an IKE IPv4 Packet.

Above logs showing that there is some packet loss. Can you check your routing configuration, Port forwarding (If any)? Try to ping 210.118.109.4 from the LAN and router itself.

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

animesh.mishra · ‎04-02-2019

Hi Deepak,

Ping was successful towards peers. Attaching OLD_CONFIG file.

Deepak Kumar · ‎04-02-2019

Hi,
Please also share the new configuration. We will check according to the new configuration.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

animesh.mishra · ‎04-02-2019

Hi New Config Attached. Pl look.

Georg Pauwen · ‎04-02-2019

Hello,

new config still has the same issue as far as I can see:

crypto ipsec transform-set trans4 esp-3des esp-md5-hmac
mode transport

Which of the two tunnels has the problem, Tunnel1 or Tunnel2 ?

Deepak Kumar · ‎04-02-2019

Hi,

Please confirm the below configuration is it correct:

interface Tunnel1
 description [ SHI Noida Bharti VPN ciruit via SSVPN_2 ]
 bandwidth 2000
 ip address 107.xx.xx.4 255.255.255.252
 tunnel source 107.xx.xx.4 -----> Must be LOCAL WAN IP.
 tunnel mode ipsec ipv4
 tunnel destination 107.xx.xx.4 -----> Must be Remote WAN IP.
 tunnel protection ipsec profile GRE_AIRTEL_TUN1
!
interface Tunnel2
 description [ SHII Noida Bharti VPN Circuit via SSVPN_1 ]
 bandwidth 2000
 ip address 107.xx.xx.4 255.255.255.252
 tunnel source 107.xx.xx.4 -----> Must be LOCAL WAN IP.
 tunnel mode ipsec ipv4
 tunnel destination 107.xx.xx.4 -----> Must be Remote WAN IP.
 tunnel protection ipsec profile GRE_AIRTEL_TUN2

The router is having an identical IP address but we can't see the full configuration because deleted some entries.

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!