blanktree
Beginner

Cisco 881 Woes

We have a number of sites running Cisco 881 routers.

A few of the sites are connected by IPSec VPN tunnels that have been configured using Cisco CCP without any issues until now. At one location I can ping from a workstation on Site1 to Site2; however, I cannot ping from the same workstation on Site2 back to Site1.

Here is a strange behavior. If I have a continuous ping going from Site1 - Site2 and then start a continuous ping from Site2 - Site1, I get a response until I stop the ping from Site1 - Site2.

Site 1 has approximately 5 successful tunnels with absolutely no issues.

Here is some site-specific info.

Site1

Cisco 881 running Version 15.0(1)M7

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ThePreShareKey address XXX.YYY.ZZZ.232
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXX.YYY.ZZZ.232
set peer XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101

access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host XXX.YYY.ZZZ.232 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 104 permit ip 10.60.141.0 0.0.0.255 any

route-map SDM_RMAP_1 permit 1
match ip address 104

Site 2

Cisco 881 running Version 15.2(3)T1


crypto isakmp policy 2
encr 3des
group 2
crypto isakmp key ThePreShareKey address TTT.UUU.VVV.224

crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel toTTT.UUU.VVV.224
set peer TTT.UUU.VVV.224
set transform-set ESP-3DES-SHA15
match address 142

access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host TTT.UUU.VVV.224 any
access-list 104 remark CCP_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
access-list 104 permit ip 172.16.1.0 0.0.0.255 any
access-list 142 remark CCP_ACL Category=4
access-list 142 remark IPSec Rule
access-list 142 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255

route-map SDM_RMAP_1 permit 1
match ip address 104

For additional troubleshooting I established a VPN tunnel from Site2 to our office, Site3, with no issues at all.

Site3 happens to be one of the VPN tunnels that connects to Site1 with no issues.

I have seen a number of articles on this on the net and gone through the troubleshooting steps of an article such as http://www.cisco.com/en/US/products/ps6658/products_tech_note09186a0080b2a901.shtml

The tunnel is confirmed as up when I have done all my troubleshooting.

I appreciate any guidance on this as I am not sure what to try next.

Thanks everyone for your time.
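Added here as an editor's example, not part of blanktree's post and not a Cisco tool: a small Python checker for the three things a site-to-site IPsec pair has to agree on before the debugs are worth reading: a pre-shared key on each end for the other end's address, crypto ACLs that are exact mirror images, and at least one ISAKMP policy pair that matches in every negotiated attribute. The two sample configs are constructed from the Site1/Site2 snippets above, with RFC 5737 documentation addresses standing in for the masked WAN IPs; the defaults it assumes for lines absent from an ISAKMP policy (encr des, hash sha, authentication rsa-sig, group 1) are the classic IOS defaults. Because Site2's policy was posted without an `authentication` line, the checker reports that no policy pair agrees, which is the kind of paste-vs-reality gap worth confirming with `show run | sec crypto` on the box itself.

```python
"""Cross-check the two ends of an IOS site-to-site IPsec tunnel for mismatches
that leave it 'up' yet passing traffic badly: missing or unequal pre-shared
keys, crypto ACLs that are not mirror images, ISAKMP policies that cannot agree."""
from ipaddress import IPv4Network

# Constructed sample configs modelled on the Site1/Site2 snippets in the post.
# RFC 5737 addresses stand in for the masked WAN IPs (TTT.UUU.VVV.224 ->
# 198.51.100.224, XXX.YYY.ZZZ.232 -> 203.0.113.232).  Site2's policy has no
# 'authentication' line, exactly as posted.
SITE1_WAN, SITE2_WAN = "198.51.100.224", "203.0.113.232"
SITE1_CONFIG = """
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ThePreShareKey address 203.0.113.232
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 203.0.113.232
 set transform-set ESP-3DES-SHA
 match address 101
access-list 101 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
"""
SITE2_CONFIG = """
crypto isakmp policy 2
 encr 3des
 group 2
crypto isakmp key ThePreShareKey address 198.51.100.224
crypto map SDM_CMAP_1 7 ipsec-isakmp
 set peer 198.51.100.224
 set transform-set ESP-3DES-SHA15
 match address 142
access-list 142 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
"""
# Assumed classic IOS ISAKMP defaults, applied to any line absent from a policy.
ISAKMP_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}

def parse_config(text):
    """Extract ISAKMP policies, pre-shared keys, crypto-map entries and crypto ACLs."""
    cfg = {"policies": {}, "keys": {}, "maps": [], "acls": {}}
    mode = current = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            mode, current = "policy", dict(ISAKMP_DEFAULTS)
            cfg["policies"][int(words[3])] = current
        elif words[:3] == ["crypto", "isakmp", "key"]:      # crypto isakmp key K address PEER
            mode, cfg["keys"][words[5]] = None, words[3]
        elif words[:2] == ["crypto", "map"] and len(words) == 5:
            mode, current = "map", {"name": words[2], "seq": int(words[3])}
            cfg["maps"].append(current)
        elif words[0] in ("crypto", "access-list"):         # other stanza, or an ACL line
            mode = None
            if len(words) == 8 and words[2:4] == ["permit", "ip"]:   # n permit ip S WC D WC
                cfg["acls"].setdefault(words[1], []).append(   # ipaddress accepts a hostmask
                    (IPv4Network((words[4], words[5]), strict=False),
                     IPv4Network((words[6], words[7]), strict=False)))
        elif mode == "map" and words[:2] in (["set", "peer"], ["match", "address"]):
            current[words[1]] = words[2]                    # 'peer' / 'address' (crypto ACL)
        elif mode == "policy":
            current["encr" if words[0] == "encryption" else words[0]] = " ".join(words[1:])
    return cfg

def check_pair(a_name, a_wan, a_cfg, b_name, b_wan, b_cfg):
    """Return human-readable findings; an empty list means the two ends agree."""
    findings = []
    sides = ((a_name, b_wan, a_cfg), (b_name, a_wan, b_cfg))   # (me, my peer, my config)
    # 1. Each end needs a pre-shared key for the other end's address, and the keys must match.
    keys = [cfg["keys"].get(peer) for _, peer, cfg in sides]
    findings += [f"{n}: no 'crypto isakmp key ... address {p}'"
                 for (n, p, _), k in zip(sides, keys) if k is None]
    if all(keys) and keys[0] != keys[1]:
        findings.append("pre-shared keys differ between the two ends")
    # 2. Each end's crypto-map entry for the peer; the two crypto ACLs must be mirror images.
    entries = [next((m for m in cfg["maps"] if m.get("peer") == peer), None)
               for _, peer, cfg in sides]
    findings += [f"{n}: no crypto-map entry with 'set peer {p}'"
                 for (n, p, _), e in zip(sides, entries) if e is None]
    if all(entries):
        a_flows = set(a_cfg["acls"].get(entries[0].get("address"), []))
        b_flows = {(d, s) for s, d in b_cfg["acls"].get(entries[1].get("address"), [])}
        for src, dst in sorted(a_flows ^ b_flows, key=str):
            side = a_name if (src, dst) in a_flows else b_name
            findings.append(f"flow {src} -> {dst} (seen from {a_name}) is only covered on {side}")
    # 3. Phase 1 needs one policy on each end that agrees on every negotiated attribute.
    attrs = tuple(ISAKMP_DEFAULTS)
    if not any(all(pa[k] == pb[k] for k in attrs)
               for pa in a_cfg["policies"].values() for pb in b_cfg["policies"].values()):
        summary = "; ".join(f"{n} policy {i}: " + " ".join(f"{k}={p[k]}" for k in attrs)
                            for n, _, c in sides for i, p in c["policies"].items())
        findings.append(f"no ISAKMP policy pair agrees on {'/'.join(attrs)} ({summary})")
    return findings

def audit(site1_config=SITE1_CONFIG, site2_config=SITE2_CONFIG):
    return check_pair("Site1", SITE1_WAN, parse_config(site1_config),
                      "Site2", SITE2_WAN, parse_config(site2_config))

if __name__ == "__main__":
    print(*(audit() or ["no mismatch found"]), sep="\n")
```

Run it and the only finding is the ISAKMP one; add `authentication pre-share` to Site2's policy in `SITE2_CONFIG` and `audit()` returns an empty list. Feed it real `show run | sec crypto` output from both routers (with the addresses un-masked) and any non-mirrored subnet in the crypto ACLs shows up as a "flow ... is only covered on" line, which is the usual cause of traffic that flows one way only.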

20 REPLIES
johnlloyd_13
Engager

Hi,

Were there any recent changes on any of the 881s?

Could you post show log and, if you can, perform debugs?

Sent from Cisco Technical Support iPhone App

The router in Site2 was just put in so this tunnel is brand new.  The router in Site1 has been there for quite some time prior to me joining the company.

The VPN tunnel and most post-initial config was done through CCP on Site2. CCP was used for the tunnel creation and for creating the advanced firewall, which is set back to the low security level.

Show log is

--------------------------------------------

Site2#show log
Syslog logging: enabled (0 messages dropped, 3 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


    Console logging: level debugging, 173 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 11 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  disabled, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 31 message lines logged
        Logging Source-Interface:       VRF Name:
------------------------------------------

Thanks

hi,

I'm not sure whether your show log output is complete. Did you configure identical IKE policies on both VPN peers? Was this a typo for your Site 1?

set peer XXX.YYY.ZZZ

Could you post the following when you've performed a test ping from an inside host in Site 2 towards Site 1:

show crypto isakmp sa

show crypto ipsec sa

debug crypto isakmp sa

debug crypto ipsec sa

Sorry, I did have a typo. It should have said XXX.YYY.ZZZ.232.

Here is the output as you mentioned. At Site 2 there is another VPN tunnel created to Site3, and it works fine, so you may see some reference to this in the debugs.

The tunnel always establishes and stays up.

On some of the other sites that have a VPN tunnel to Site1, I had to put in the line crypto ipsec df-bit clear, as it appears the packets were fragmented.

However, the MTU settings on all the Cisco gear are at the default value of 1500.

Thanks for your help

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.27 08:44:06 =~=~=~=~=~=~=~=~=~=~=~=

Site2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
TTT.UUU.VVV.224   XXX.YYY.ZZZ.232   QM_IDLE           2004 ACTIVE
XXX.YYY.ZZZ.232   TTT.UUU.VVV.224  QM_IDLE           2005 ACTIVE

IPv6 Crypto ISAKMP SA

Site2#show crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr TTT.UUU.VVV.224

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer  XXX.YYY.ZZZ.232  port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 210421, #pkts encrypt: 210421, #pkts digest: 210421
    #pkts decaps: 25509, #pkts decrypt: 25509, #pkts verify: 25509
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.:  XXX.YYY.ZZZ.232
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x7481E461(1954669665)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1EC08327(515932967)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 99, flow_id: Onboard VPN:99, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4173672/2275)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x7481E461(1954669665)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 100, flow_id: Onboard VPN:100, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4150725/2275)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): ( THIS.SITE.WORKS..0/255.255.255.0/0/0)
   current_peer THIS.SITE.WORKS port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: THIS.SITE.WORKS
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Site2# term mon

Site2#debug crypto ipsec
Crypto IPSEC debugging is on
Site2#term mon
Site2#term mon        debug crypto ipsec
Sep 27 14:47:18.378: ISAKMP (2005): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (I) QM_IDLE     
Sep 27 14:47:18.378: ISAKMP: set new node -1617340658 to QM_IDLE     
Sep 27 14:47:18.378: ISAKMP:(2005): processing HASH payload. message ID = 2677626638
Sep 27 14:47:18.378: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2677626638, sa = 0x8880DA68
Sep 27 14:47:18.378: ISAKMP:(2005):deleting node -1617340658 error FALSE reason "Informational (in) state 1"
Sep 27 14:47:18.378: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:47:18.378: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:47:18.378: ISAKMP:(2005):DPD/R_U_THERE received from peer  XXX.YYY.ZZZ.232 , sequence 0xEA9AB55
Sep 27 14:47:18.378: ISAKMP: set new node -16420335 to QM_IDLE     
Sep 27 14:47:18.378: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 4278546961
Sep 27 14:47:18.378: ISAKMP:(2005): seq. no 0xEA9AB55
Sep 27 14:47:18.378: ISAKMP:(2005): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (I) QM_IDLE     
Sep 27 14:47:18.378: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:47:18.378: ISAKMP:(2005):purging node -16420335
Sep 27 14:47:18.378: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:47:18.378: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:47:30.110: ISAKMP: set new node -761006079 to QM_IDLE     
Sep 27 14:47:30.110: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 3533961217
Sep 27 14:47:30.110: ISAKMP:(2004): seq. no 0xB5E67EE
Sep 27 14:47:30.110: ISAKMP:(2004): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (R) QM_IDLE     
Sep 27 14:47:30.110: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:47:30.110: ISAKMP:(2004):purging node -761006079
Sep 27 14:47:30.110: ISAKMP:(2004):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:47:30.110: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:47:30.150: ISAKMP (2004): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (R) QM_IDLE     
Sep 27 14:47:30.150: ISAKMP: set new node 1551329102 to QM_IDLE     
Sep 27 14:47:30.150: ISAKMP:(2004): processing HASH payload. message ID = 1551329102
Sep 27 14:47:30.150: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1551329102, sa = 0x887C5694
Sep 27 14:47:30.150: ISAKMP:(2004): DPD/R_U_THERE_ACK received from peer  XXX.YYY.ZZZ.232 , sequence 0xB5E67EE
Sep 27 14:47:30.154: ISAKMP:(2004):deleting node 1551329102 error FALSE reason "Informational (in) state 1"
Sep 27 14:47:30.154: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:47:30.154: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
Sep 27 14:48:08.379: ISAKMP:(2005):purging node -1617340658
Sep 27 14:48:20.156: ISAKMP:(2004):purging node 1551329102                                            

Sep 27 14:49:43.454: ISAKMP: set new node -1394870801 to QM_IDLE     
Sep 27 14:49:43.454: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 2900096495
Sep 27 14:49:43.454: ISAKMP:(2005): seq. no 0xB5E67EF
Sep 27 14:49:43.454: ISAKMP:(2005): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (I) QM_IDLE     
Sep 27 14:49:43.454: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:49:43.454: ISAKMP:(2005):purging node -1394870801
Sep 27 14:49:43.454: ISAKMP:(2005):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:49:43.454: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:49:43.494: ISAKMP (2005): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (I) QM_IDLE     
Sep 27 14:49:43.494: ISAKMP: set new node -603252858 to QM_IDLE     
Sep 27 14:49:43.494: ISAKMP:(2005): processing HASH payload. message ID = 3691714438
Sep 27 14:49:43.494: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3691714438, sa = 0x8880DA68
Sep 27 14:49:43.494: ISAKMP:(2005): DPD/R_U_THERE_ACK received from peer  XXX.YYY.ZZZ.232 , sequence 0xB5E67EF
Sep 27 14:49:43.494: ISAKMP:(2005):deleting node -603252858 error FALSE reason "Informational (in) state 1"     
Sep 27 14:49:43.494: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:49:43.494: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE


Sep 27 14:49:58.586: ISAKMP (2004): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (R) QM_IDLE     
Sep 27 14:49:58.586: ISAKMP: set new node 668937152 to QM_IDLE     
Sep 27 14:49:58.586: ISAKMP:(2004): processing HASH payload. message ID = 668937152
Sep 27 14:49:58.586: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 668937152, sa = 0x887C5694
Sep 27 14:49:58.586: ISAKMP:(2004):deleting node 668937152 error FALSE reason "Informational (in) state 1"
Sep 27 14:49:58.586: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:49:58.586: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:49:58.586: ISAKMP:(2004):DPD/R_U_THERE received from peer  XXX.YYY.ZZZ.232 , sequence 0xEA9AB56
Sep 27 14:49:58.586: ISAKMP: set new node 1685634131 to QM_IDLE     
Sep 27 14:49:58.586: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1685634131
Sep 27 14:49:58.586: ISAKMP:(2004): seq. no 0xEA9AB56
Sep 27 14:49:58.586: ISAKMP:(2004): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (R) QM_IDLE     
Sep 27 14:49:58.586: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:49:58.586: ISAKMP:(2004):purging node 1685634131
Sep 27 14:49:58.586: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:49:58.586: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:50:33.495: ISAKMP:(2005):purging node -603252858
Sep 27 14:50:48.587: ISAKMP:(2004):purging node 668937152
Sep 27 14:52:10.686: ISAKMP (2005): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (I) QM_IDLE     
Sep 27 14:52:10.686: ISAKMP: set new node 1426187616 to QM_IDLE     
Sep 27 14:52:10.686: ISAKMP:(2005): processing HASH payload. message ID = 1426187616
Sep 27 14:52:10.686: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1426187616, sa = 0x8880DA68
Sep 27 14:52:10.686: ISAKMP:(2005):deleting node 1426187616 error FALSE reason "Informational (in) state 1"
Sep 27 14:52:10.686: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:52:10.686: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:52:10.686: ISAKMP:(2005):DPD/R_U_THERE received from peer  XXX.YYY.ZZZ.232 , sequence 0xEA9AB57
Sep 27 14:52:10.686: ISAKMP: set new node -1804667826 to QM_IDLE     
Sep 27 14:52:10.686: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2490299470
Sep 27 14:52:10.686: ISAKMP:(2005): seq. no 0xEA9AB57
Sep 27 14:52:10.686: ISAKMP:(2005): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (I) QM_IDLE     
Sep 27 14:52:10.686: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:52:10.686: ISAKMP:(2005):purging node -1804667826
Sep 27 14:52:10.690: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 27 14:52:10.690: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:52:25.042: ISAKMP: set new node 1591249097 to QM_IDLE     
Sep 27 14:52:25.042: ISAKMP:(2004):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1591249097
Sep 27 14:52:25.042: ISAKMP:(2004): seq. no 0xB5E67F0
Sep 27 14:52:25.042: ISAKMP:(2004): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (R) QM_IDLE     
Sep 27 14:52:25.042: ISAKMP:(2004):Sending an IKE IPv4 Packet.
Sep 27 14:52:25.042: ISAKMP:(2004):purging node 1591249097
Sep 27 14:52:25.042: ISAKMP:(2004):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:52:25.042: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:52:25.082: ISAKMP (2004): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (R) QM_IDLE     
Sep 27 14:52:25.082: ISAKMP: set new node -264926664 to QM_IDLE     
Sep 27 14:52:25.082: ISAKMP:(2004): processing HASH payload. message ID = 4030040632
Sep 27 14:52:25.082: ISAKMP:(2004): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 4030040632, sa = 0x887C5694
Sep 27 14:52:25.082: ISAKMP:(2004): DPD/R_U_THERE_ACK received from peer  XXX.YYY.ZZZ.232 , sequence 0xB5E67F0
Sep 27 14:52:25.082: ISAKMP:(2004):deleting node -264926664 error FALSE reason "Informational (in) state 1"
Sep 27 14:52:25.082: ISAKMP:(2004):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:52:25.082: ISAKMP:(2004):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:53:15.083: ISAKMP:(2004):purging node -264926664
Sep 27 14:54:31.541: ISAKMP: set new node 1184933904 to QM_IDLE     
Sep 27 14:54:31.541: ISAKMP:(2005):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1184933904
Sep 27 14:54:31.541: ISAKMP:(2005): seq. no 0xB5E67F1
Sep 27 14:54:31.541: ISAKMP:(2005): sending packet to  XXX.YYY.ZZZ.232  my_port 500 peer_port 500 (I) QM_IDLE     
Sep 27 14:54:31.541: ISAKMP:(2005):Sending an IKE IPv4 Packet.
Sep 27 14:54:31.541: ISAKMP:(2005):purging node 1184933904
Sep 27 14:54:31.541: ISAKMP:(2005):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 27 14:54:31.541: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 27 14:54:31.581: ISAKMP (2005): received packet from  XXX.YYY.ZZZ.232  dport 500 sport 500 Global (I) QM_IDLE     
Sep 27 14:54:31.581: ISAKMP: set new node -528980753 to QM_IDLE     
Sep 27 14:54:31.581: ISAKMP:(2005): processing HASH payload. message ID = 3765986543
Sep 27 14:54:31.581: ISAKMP:(2005): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3765986543, sa = 0x8880DA68
Sep 27 14:54:31.581: ISAKMP:(2005): DPD/R_U_THERE_ACK received from peer  XXX.YYY.ZZZ.232 , sequence 0xB5E67F1
Sep 27 14:54:31.581: ISAKMP:(2005):deleting node -528980753 error FALSE reason "Informational (in) state 1"
Sep 27 14:54:31.581: ISAKMP:(2005):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 27 14:54:31.581: ISAKMP:(2005):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Site2#exit
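The remark above about other sites needing `crypto ipsec df-bit clear` while every router sits at the default 1500-byte MTU is worth putting numbers on. The following is an added editor's example, not from the thread or from Cisco: it computes the ESP tunnel-mode overhead for the `esp-3des esp-sha-hmac` transform set used here and models what the encrypting router does with a full-size packet once it no longer fits. It assumes IPv4 without NAT-T (a `nat_t` flag adds the 8-byte UDP header), that `df-bit copy` (the IOS default) mirrors the inner DF bit into the outer header while `df-bit clear` leaves it clear, and it deliberately ignores IOS look-ahead fragmentation of clear-text packets.

```python
"""ESP tunnel-mode overhead for the esp-3des esp-sha-hmac transform set used in
this thread, and what a router does with a full-size packet that no longer fits
the 1500-byte path MTU once it is encapsulated."""
import math


def esp_tunnel_size(inner_len, block=8, iv=8, icv=12, nat_t=False):
    """Bytes on the wire after ESP tunnel-mode encapsulation of an inner IP
    packet of inner_len bytes.  Defaults model 3DES-CBC (8-byte block and IV)
    with HMAC-SHA-1-96 (12-byte ICV) behind a plain 20-byte IPv4 header."""
    esp_header = 8                      # SPI (4) + sequence number (4)
    trailer = 2                         # pad length (1) + next header (1)
    padded = math.ceil((inner_len + trailer) / block) * block   # pad to the cipher block
    return 20 + (8 if nat_t else 0) + esp_header + iv + padded + icv   # NAT-T adds a UDP header


def max_inner_packet(path_mtu=1500, **kw):
    """Largest inner packet that still fits path_mtu after encapsulation."""
    size = path_mtu
    while esp_tunnel_size(size, **kw) > path_mtu:
        size -= 1
    return size


def handle_inner_packet(inner_len, df_set, df_bit_clear=False, path_mtu=1500):
    """Simplified model of the encrypting router's decision for one inner packet.
    'crypto ipsec df-bit copy' (the default) copies the inner DF bit into the
    outer header; 'df-bit clear' leaves the outer DF bit clear.  IOS look-ahead
    (pre-encryption) fragmentation is deliberately ignored here.
    Returns (action, detail): ('forward', 1), ('fragment', n_fragments) or
    ('icmp-fragmentation-needed', suggested_inner_mtu)."""
    wire = esp_tunnel_size(inner_len)
    if wire <= path_mtu:
        return ("forward", 1)
    if df_set and not df_bit_clear:
        # Cannot fragment: drop it and tell the sender the largest size that fits (PMTUD).
        return ("icmp-fragmentation-needed", max_inner_packet(path_mtu))
    per_fragment = (path_mtu - 20) // 8 * 8     # IPv4 fragment payload is a multiple of 8
    return ("fragment", math.ceil((wire - 20) / per_fragment))


if __name__ == "__main__":
    print("1500-byte packet becomes", esp_tunnel_size(1500), "bytes on the wire")
    print("largest inner packet that fits a 1500-byte MTU:", max_inner_packet())
    for df_clear in (False, True):
        print("DF set, df-bit clear =", df_clear, "->", handle_inner_packet(1500, True, df_clear))
```

A 1500-byte packet grows to 1552 bytes, and 1446 bytes is the largest inner packet that still fits. With DF set and the default `df-bit copy`, the router must drop the packet and send ICMP "fragmentation needed"; if that ICMP is filtered anywhere on the path, PMTUD fails silently and only small packets (pings) get through, which is why `df-bit clear` appears to "fix" things. Clearing DF works around the symptom at the cost of post-encryption fragmentation and reassembly before decryption at the far end; checking that ICMP type 3 code 4 is allowed end to end, or clamping TCP MSS with `ip tcp adjust-mss` on the inside interface, addresses the cause.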

hi,

Thanks for the debugs! However, I don't see any debugs showing any IPSEC SA or IKE phase 2 exchanges.

Could you post show run | sec crypto from both site 1 and site 2?

As requested

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 07:54:43 =~=~=~=~=~=~=~=~=~=~=~=

Site1#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH

crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr 3des
group 2
crypto isakmp key TunnelPassword address Site3.That.Works.195
crypto isakmp key TunnelPassword address Site4.That.Works.242
crypto isakmp key TunnelPassword address Site7.That.Works.167
crypto isakmp key TunnelPassword address Site6.That.Works.126
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp key TunnelPassword address Site7.That.Works.96
crypto isakmp key TunnelPassword address Site2.That.Doesn'tWork.224
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 139
save-password
split-dns OurFQDN
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_GROUP_WE_SETUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA7 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA8 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA10 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA11 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA12 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA13 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA14 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA15 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA16 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA13
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toSite3.That.Works.195
set peer Site3.That.Works.195
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA1
match address 101
crypto map SDM_CMAP_1 3 ipsec-isakmp
description Tunnel toSite7.That.Works.167
set peer Site7.That.Works.167
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA4
match address 111
crypto map SDM_CMAP_1 4 ipsec-isakmp
description Tunnel toSite6.That.Works.126
set peer Site6.That.Works.126
set transform-set ESP-3DES-SHA5
match address 122
crypto map SDM_CMAP_1 5 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA9
match address 131
crypto map SDM_CMAP_1 6 ipsec-isakmp
description Tunnel toSite7.That.Works.96
set peer Site7.That.Works.96
set transform-set ESP-3DES-SHA11
match address 135
crypto map SDM_CMAP_1 7 ipsec-isakmp
description Tunnel toSite2.That.Doesn'tWork.224
set peer Site2.That.Doesn'tWork.224
set transform-set ESP-3DES-SHA16
match address 146
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
Site1# exit

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 07:48:23 =~=~=~=~=~=~=~=~=~=~=~=


Site2#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH

crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TunnelPassword address  XXX.YYY.ZZZ.232
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 105
save-password
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_GROUP_WE_SETUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec df-bit clear
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to XXX.YYY.ZZZ.232
set peer  XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA2
match address 107
crypto map SDM_CMAP_1
Site2# exit

Thanks

hi,

I've noticed that the WAN interface is configured with 'crypto ipsec df-bit clear' for site 1 but not for site 2. I suspect this might be your culprit.

Try configuring site 2's WAN interface (where the crypto map is applied) with the same command line and test again. Could you post site 2's sanitized 'debug ipsec sa' this time?

The crypto ipsec df-bit clear was applied globally, so it does appear in the output, but further up in the text.

On other sites I did have to apply the command locally, as some of the sites did experience the same sort of issues against this site.

I did apply it specifically to fa4, but with no change.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.28 21:21:51 =~=~=~=~=~=~=~=~=~=~=~=


Site2#show run | sec crypto
crypto pki trustpoint TP-self-signed-BLAHBLAH
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-BLAHBLAH
revocation-check none
rsakeypair TP-self-signed-BLAHBLAH
crypto pki certificate chain TP-self-signed-BLAHBLAH

crypto ctcp port 10000
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TunnelPassword address XXX.YYY.ZZZ.232
crypto isakmp key TunnelPassword address THIS.SITE.WORKS.208
crypto isakmp keepalive 300 periodic
crypto isakmp client configuration group VPN_GROUP_WE_SETUP
key VPN_GROUP_PASSWORD
dns DNSServer1 DNSServer2
pool SDM_POOL_1
acl 105
save-password
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_GROUP_WE_SETUP
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toXXX.YYY.ZZZ.232
set peer XXX.YYY.ZZZ.232
set transform-set ESP-3DES-SHA
match address 101
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel toTHIS.SITE.WORKS.208
set peer THIS.SITE.WORKS.208
set transform-set ESP-3DES-SHA2
match address 107
crypto map SDM_CMAP_1
crypto ipsec df-bit clear

Site2#term mon

debug isakmp
Crypto ISAKMP debugging is on
Site2#debug crypto ipsec
Sep 29 03:24:01.775: ISAKMP:(2012):purging node BLAHBLAH
Crypto IPSEC debugging is on
Site2#
Sep 29 03:25:30.978: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 29 03:25:30.978: ISAKMP: set new node -163456653 to QM_IDLE     
Sep 29 03:25:30.982: ISAKMP:(2009): processing HASH payload. message ID = 4131510643
Sep 29 03:25:30.982: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 4131510643, sa = 0x8787EA84
Sep 29 03:25:30.982: ISAKMP:(2009):deleting node -163456653 error FALSE reason "Informational (in) state 1"
Sep 29 03:25:30.982: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:25:30.982: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:25:30.982: ISAKMP:(2009):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDA
Sep 29 03:25:30.982: ISAKMP: set new node 2018908904 to QM_IDLE     
Sep 29 03:25:30.982: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2018908904
Sep 29 03:25:30.982: ISAKMP:(2009): seq. no 0xEA9AEDA
Sep 29 03:25:30.982: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 29 03:25:30.982: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:25:30.982: ISAKMP:(2009):purging node 2018908904
Sep 29 03:25:30.982: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:25:30.982: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:26:01.443: ISAKMP (2010): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 29 03:26:01.443: ISAKMP: set new node 226486783 to QM_IDLE     
Sep 29 03:26:01.443: ISAKMP:(2010): processing HASH payload. message ID = 226486783
Sep 29 03:26:01.443: ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 226486783, sa = 0x88D27A8C
Sep 29 03:26:01.447: ISAKMP:(2010):deleting node 226486783 error FALSE reason "Informational (in) state 1"
Sep 29 03:26:01.447: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:26:01.447: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:26:01.447: ISAKMP:(2010):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDB
Sep 29 03:26:01.447: ISAKMP: set new node -167278245 to QM_IDLE     
Sep 29 03:26:01.447: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 4127689051
Sep 29 03:26:01.447: ISAKMP:(2010): seq. no 0xEA9AEDB
Sep 29 03:26:01.447: ISAKMP:(2010): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 29 03:26:01.447: ISAKMP:(2010):Sending an IKE IPv4 Packet.
Sep 29 03:26:01.447: ISAKMP:(2010):purging node -167278245
Sep 29 03:26:01.447: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:26:01.447: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:26:20.983: ISAKMP:(2009):purging node -163456653
Sep 29 03:26:23.287: ISAKMP: set new node -1820403052 to QM_IDLE     
Sep 29 03:26:23.287: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 2474564244
Sep 29 03:26:23.287: ISAKMP:(2009): seq. no 0xB5E6B73
Sep 29 03:26:23.287: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 29 03:26:23.287: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:26:23.287: ISAKMP:(2009):purging node -1820403052
Sep 29 03:26:23.287: ISAKMP:(2009):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 29 03:26:23.287: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:26:23.327: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 29 03:26:23.327: ISAKMP: set new node -1598659514 to QM_IDLE     
Sep 29 03:26:23.327: ISAKMP:(2009): processing HASH payload. message ID = 2696307782
Sep 29 03:26:23.327: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2696307782, sa = 0x8787EA84
Sep 29 03:26:23.327: ISAKMP:(2009): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6B73
Sep 29 03:26:23.327: ISAKMP:(2009):deleting node -1598659514 error FALSE reason "Informational (in) state 1"
Sep 29 03:26:23.327: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:26:23.327: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:26:51.448: ISAKMP:(2010):purging node 226486783
Sep 29 03:27:06.524: ISAKMP: set new node -50588970 to QM_IDLE     
Sep 29 03:27:06.524: ISAKMP:(2010):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 4244378326
Sep 29 03:27:06.524: ISAKMP:(2010): seq. no 0xB5E6B74
Sep 29 03:27:06.524: ISAKMP:(2010): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 29 03:27:06.524: ISAKMP:(2010):Sending an IKE IPv4 Packet.
Sep 29 03:27:06.524: ISAKMP:(2010):purging node -50588970
Sep 29 03:27:06.524: ISAKMP:(2010):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 29 03:27:06.524: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:27:06.564: ISAKMP (2010): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 29 03:27:06.564: ISAKMP: set new node 1981900763 to QM_IDLE     
Sep 29 03:27:06.564: ISAKMP:(2010): processing HASH payload. message ID = 1981900763
Sep 29 03:27:06.564: ISAKMP:(2010): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 1981900763, sa = 0x88D27A8C
Sep 29 03:27:06.564: ISAKMP:(2010): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6B74
Sep 29 03:27:06.564: ISAKMP:(2010):deleting node 1981900763 error FALSE reason "Informational (in) state 1"
Sep 29 03:27:06.564: ISAKMP:(2010):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:27:06.564: ISAKMP:(2010):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:27:13.328: ISAKMP:(2009):purging node -1598659514
Sep 29 03:27:56.570: ISAKMP:(2010):purging node 1981900763
Sep 29 03:28:06.582: ISAKMP (2012): received packet from THIS.SITE.WORKS.208 dport 500 sport 500 Global (R) QM_IDLE     
Sep 29 03:28:06.582: ISAKMP: set new node -1450327841 to QM_IDLE     
Sep 29 03:28:06.582: ISAKMP:(2012): processing HASH payload. message ID = 2844639455
Sep 29 03:28:06.582: ISAKMP:(2012): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2844639455, sa = 0x887C5694
Sep 29 03:28:06.582: ISAKMP:(2012):deleting node -1450327841 error FALSE reason "Informational (in) state 1"
Sep 29 03:28:06.582: ISAKMP:(2012):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:28:06.582: ISAKMP:(2012):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:28:06.582: ISAKMP:(2012):DPD/R_U_THERE received from peer THIS.SITE.WORKS.208, sequence 0x719EED0A
Sep 29 03:28:06.582: ISAKMP: set new node 1754192287 to QM_IDLE     
Sep 29 03:28:06.582: ISAKMP:(2012):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1754192287
Sep 29 03:28:06.582: ISAKMP:(2012): seq. no 0x719EED0A
Sep 29 03:28:06.582: ISAKMP:(2012): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 29 03:28:06.582: ISAKMP:(2012):Sending an IKE IPv4 Packet.
Sep 29 03:28:06.582: ISAKMP:(2012):purging node 1754192287
Sep 29 03:28:06.582: ISAKMP:(2012):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:28:06.582: ISAKMP:(2012):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:28:56.583: ISAKMP:(2012):purging node -1450327841

Sep 29 03:29:50.973: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 29 03:30:18.781: ISAKMP (2009): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 29 03:30:18.781: ISAKMP: set new node 1381376361 to QM_IDLE     
Sep 29 03:30:18.781: ISAKMP:(2009): processing HASH payload. message ID = 1381376361
Sep 29 03:30:18.781: ISAKMP:(2009): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 1381376361, sa = 0x8787EA84
Sep 29 03:30:18.781: ISAKMP:(2009):deleting node 1381376361 error FALSE reason "Informational (in) state 1"
Sep 29 03:30:18.781: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 29 03:30:18.781: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 29 03:30:18.785: ISAKMP:(2009):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9AEDC
Sep 29 03:30:18.785: ISAKMP: set new node 1361150104 to QM_IDLE     
Sep 29 03:30:18.785: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 1361150104
Sep 29 03:30:18.785: ISAKMP:(2009): seq. no 0xEA9AEDC
Sep 29 03:30:18.785: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 29 03:30:18.785: ISAKMP:(2009):Sending an IKE IPv4 Packet.
Sep 29 03:30:18.785: ISAKMP:(2009):purging node 1361150104
Sep 29 03:30:18.785: ISAKMP:(2009):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 29 03:30:18.785: ISAKMP:(2009):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Site2#

-------------------

There doesn't seem to be much debugging unless I start the pings from Site1.

It really feels like this traffic is not attempting to route up the tunnel but rather trying to go out the default GW.

Thanks again for your continued help.
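The debug output above only shows DPD keepalives, which is what an IKE SA that is up but carrying no interesting traffic looks like. The Python script below is an added example, not part of this thread or of Cisco's tooling: it groups "debug crypto isakmp" lines by IKE SA id, learns each SA's peer from the lines that name one, and classifies the SA as up-and-idle (DPD probes answered) or as failing phase 1 (main mode retransmits ending in "Death by retransmission P1"). The sample log embedded in it is constructed from lines of the shape seen in this thread, using the thread's anonymised peer placeholders; it assumes only the IOS 15.x line formats shown here.

```python
"""Triage 'debug crypto isakmp' output per IKE SA (added example, not from the thread).

The debug is noisy, but a few line types tell the story: DPD probes and their
acknowledgements mean the IKE SA is up and idle; 'incrementing error counter
... retransmit phase 1' lines mean main mode message 1 got no answer; and
'Death by retransmission P1' means the router gave up on that peer.
"""
import re
from collections import defaultdict

SA_ID_RE = re.compile(r"ISAKMP[: ]?\((\d+)\)")       # 'ISAKMP:(2009)' or 'ISAKMP (0)'
PEER_RES = [                                         # places where a line names its peer
    re.compile(r"sending packet to (\S+) my_port"),
    re.compile(r"received packet from (\S+) dport"),
    re.compile(r"received from peer (\S+?),"),
    re.compile(r"\(peer (\S+)\)"),
]

def _new_record():
    return {"peer": None, "dpd_sent": 0, "dpd_ack_rx": 0, "dpd_rx": 0,
            "p1_retransmits": 0, "died": False}

def parse_isakmp_debug(text):
    """Return {sa_id: record} with per-SA event counts and the peer it talks to."""
    sas = defaultdict(_new_record)
    for line in text.splitlines():
        m = SA_ID_RE.search(line)
        if not m:
            continue                                 # e.g. 'ISAKMP: set new node ...'
        rec = sas[m.group(1)]
        for peer_re in PEER_RES:
            pm = peer_re.search(line)
            if pm:
                rec["peer"] = pm.group(1)
                break
        if "DPD/R_U_THERE_ACK received" in line:
            rec["dpd_ack_rx"] += 1                   # our probe was answered
        elif "Sending NOTIFY DPD/R_U_THERE_ACK" in line:
            pass                                     # answering the peer; counted on receipt
        elif "Sending NOTIFY DPD/R_U_THERE" in line:
            rec["dpd_sent"] += 1
        elif "DPD/R_U_THERE received" in line:
            rec["dpd_rx"] += 1                       # the peer is probing us
        elif "retransmit phase 1" in line:
            rec["p1_retransmits"] += 1
        elif "Death by retransmission" in line:
            rec["died"] = True
    return dict(sas)

def classify(rec):
    """One-line verdict for an SA record."""
    if rec["died"]:
        return "phase 1 failed: main mode message 1 was never answered by the peer"
    if rec["p1_retransmits"]:
        return "phase 1 retransmitting: still waiting on the peer"
    if rec["dpd_sent"] and rec["dpd_ack_rx"]:
        return "IKE SA up and idle: our DPD probes are answered"
    if rec["dpd_rx"]:
        return "IKE SA up and idle: answering the peer's DPD probes"
    return "no classifiable events"

def triage(text):
    """{peer: [(sa_id, verdict), ...]}; SAs whose lines never name a peer go under 'unknown'."""
    report = defaultdict(list)
    for sa_id, rec in sorted(parse_isakmp_debug(text).items()):
        report[rec["peer"] or "unknown"].append((sa_id, classify(rec)))
    return dict(report)

# Constructed sample, modelled on the lines in this thread (not a real capture).
SAMPLE_LOG = """\
Sep 29 03:26:23.287: ISAKMP:(2009):Sending NOTIFY DPD/R_U_THERE protocol 1
Sep 29 03:26:23.287: ISAKMP:(2009): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 29 03:26:23.327: ISAKMP:(2009): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6B73
Sep 29 03:28:06.582: ISAKMP:(2012):DPD/R_U_THERE received from peer THIS.SITE.WORKS.208, sequence 0x719EED0A
Sep 29 03:28:06.582: ISAKMP:(2012):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
Sep 29 03:28:06.582: ISAKMP:(2012): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:52:07.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:17.872: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 30 19:52:17.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
"""

if __name__ == "__main__":
    for peer, verdicts in triage(SAMPLE_LOG).items():
        for sa_id, verdict in verdicts:
            print(f"{peer:22} SA {sa_id:>5}: {verdict}")
```

Paste a real "debug crypto isakmp" capture into SAMPLE_LOG (or read it from a file) and the report tells you per peer whether you are looking at an idle tunnel or a phase 1 that never completes; a peer with only DPD traffic, as in the Site2 output above, has no IKE problem, and the place to look next is whether the interesting traffic reaches the crypto map at all.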

      

Hi,

Thanks for the update! We can eliminate the said command line for this issue.

I've noticed you kept changing the crypto ACL.

Could you post show ip interface brief and show access-list from both Site 1 and 2?

Sent from Cisco Technical Support iPad App

As requested. I am sorry, I wasn't aware I was changing the ACL. I have been trying a few things from the net but wasn't aware I was affecting that part of the config.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.29 10:17:48 =~=~=~=~=~=~=~=~=~=~=~=


Using keyboard-interactive authentication.


Site1#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  down                  down   
FastEthernet1              unassigned      YES unset  down                  down   
FastEthernet2              unassigned      YES unset  up                    up     
FastEthernet3              unassigned      YES unset  up                    up     
FastEthernet4              XXX.YYY.ZZZ.232  YES NVRAM  up                    up     
NVI0                       XXX.YYY.ZZZ.232  YES unset  up                    up     
Virtual-Access1            unassigned      YES unset  down                  down   
Virtual-Template1          XXX.YYY.ZZZ.232  YES unset  up                    down   
Vlan1                      172.16.1.254    YES NVRAM  up                    up     
Site1#show access-list
Standard IP access list 1
    10 permit 172.16.1.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
    30 permit ip XXX.0.0.0 0.255.255.255 any
    40 permit ip XXX.YYY.ZZZ.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255 (21980 matches)
Extended IP access list 102
    10 permit ip host Site3.That.Works.195 any (46 matches)
    20 permit ip host NotSureonThisSite.That.Works.242 any
    30 permit ip host Site4.That.Works.242 any
    40 permit ip host Not.Sure.About.Thisone.54 any
    50 permit ip host Site7.That.Works.167 any (40 matches)
    60 permit ip host Site6.That.Works.126 any (183 matches)
    70 permit ip host THIS.SITE.WORKS.208 any (401 matches)
    80 permit ip host Site7.That.Works.96 any (1512 matches)
    90 permit ip host TTT.UUU.VVV.224 any (1756 matches)
Extended IP access list 103
    10 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255 (2 matches)
Extended IP access list 104
    10 deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (383730 matches)
    20 deny ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255 (1837 matches)
    30 deny ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255 (31743 matches)
    40 deny ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255 (3047 matches)
    50 deny ip 172.16.1.0 0.0.0.255 10.60.53.0 0.0.0.255 (2488 matches)
    60 deny ip 172.16.1.0 0.0.0.255 10.10.10.0 0.0.0.255 (19687 matches)
    70 permit ip 172.16.1.0 0.0.0.255 any (60542 matches)
Extended IP access list 105
    10 permit ip 172.16.1.0 0.0.0.255 10.60.145.0 0.0.0.255
Extended IP access list 106
    10 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 107
    10 permit ip 172.16.1.0 0.0.0.255 10.60.145.0 0.0.0.255
Extended IP access list 108
    10 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 109
    10 permit ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255
Extended IP access list 110
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255 (2 matches)
    20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 111
    10 permit ip 172.16.1.0 0.0.0.255 10.60.53.0 0.0.0.255 (7910 matches)
Extended IP access list 112
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255 (1 match)
Extended IP access list 113
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 114
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (347084 matches)
    40 permit ip 10.60.145.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 115
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 116
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 117
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 118
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 119
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 120
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 121
    10 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 122
    10 permit ip 172.16.1.0 0.0.0.255 10.60.56.0 0.0.0.255 (8094 matches)
Extended IP access list 123
    10 permit ip 10.30.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 124
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 125
    10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 126
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255 (6 matches)
Extended IP access list 127
    10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 128
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 129
    10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255
Extended IP access list 130
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 131
    10 permit ip 172.16.1.0 0.0.0.255 172.27.0.0 0.0.0.255 (60912 matches)
Extended IP access list 132
    10 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 133
    10 permit ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255
Extended IP access list 134
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255 (3 matches)
    40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 135
    10 permit ip 172.16.1.0 0.0.0.255 10.41.2.0 0.0.0.255 (3724 matches)
Extended IP access list 136
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 137
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 138
    10 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 139
    10 permit ip 172.16.1.0 0.0.0.255 any
Extended IP access list 140
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 141
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 142
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list 143
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 144
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 145
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 146
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)
Extended IP access list 147
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 148
    10 permit ip 10.41.2.0 0.0.0.255 172.16.1.0 0.0.0.255
    20 permit ip 172.27.0.0 0.0.0.255 172.16.1.0 0.0.0.255
    30 permit ip 10.60.56.0 0.0.0.255 172.16.1.0 0.0.0.255
    40 permit ip 10.60.53.0 0.0.0.255 172.16.1.0 0.0.0.255
    50 permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
    60 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any (238 matches)
Extended IP access list SDM_GRE
    10 permit gre any any
Extended IP access list SDM_HTTP
    10 permit tcp any any eq www
Extended IP access list SDM_HTTPS
    10 permit tcp any any eq 443
Extended IP access list SDM_IP
    10 permit ip any any
Extended IP access list SDM_SHELL
    10 permit tcp any any eq cmd
Extended IP access list SDM_SSH
    10 permit tcp any any eq 22
Site1# exit

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.29 10:15:43 =~=~=~=~=~=~=~=~=~=~=~=

Using keyboard-interactive authentication.
Password:

Site2#show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up     
FastEthernet1              unassigned      YES unset  down                  down   
FastEthernet2              unassigned      YES unset  up                    up     
FastEthernet3              unassigned      YES unset  up                    up     
FastEthernet4              TTT.UUU.VVV.224  YES NVRAM  up                    up     
NVI0                       TTT.UUU.VVV.224  YES unset  up                    up     
Virtual-Template1          TTT.UUU.VVV.224  YES unset  up                    down   
Vlan1                      10.60.141.30    YES NVRAM  up                    up     
Site2#show access-list
Standard IP access list 1
    10 permit 10.60.141.0, wildcard bits 0.0.0.255
Extended IP access list 100
    10 permit ip host 255.255.255.255 any
    20 permit ip 127.0.0.0 0.255.255.255 any
    30 permit ip TTT.UUU.VVV.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)
Extended IP access list 102
    10 permit ip host XXX.YYY.ZZZ.232 any (1258 matches)
    20 permit ip host THIS.SITE.WORKS.208 any (107 matches)
Extended IP access list 103
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (17 matches)
Extended IP access list 104
    10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
    20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
    30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)
Extended IP access list 105
    10 permit ip 10.60.141.0 0.0.0.255 any
Extended IP access list 106
    10 permit tcp any any eq 10000
Extended IP access list 107
    10 permit ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
Extended IP access list 108
    10 permit ip 172.27.0.0 0.0.0.255 10.60.141.0 0.0.0.255 (7 matches)
    20 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
Extended IP access list SDM_AH
    10 permit ahp any any
Extended IP access list SDM_ESP
    10 permit esp any any
Extended IP access list SDM_GRE
    10 permit gre any any
Extended IP access list SDM_IP
    10 permit ip any any (1269 matches)
Site2# exit

Thanks for your continued help.

Hi,

Based on your ACL and latest show run, I think you've correctly set up your VPN policies (Sites 1 and 2) and already got some ACL hits.

Site 1:

crypto map SDM_CMAP_1 7 ipsec-isakmp
set peer Site2.That.Doesn'tWork.224
match address 146

Extended IP access list 146
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)

route-map SDM_RMAP_1 permit 1
match ip address 104

Extended IP access list 104
    deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255
    70 permit ip 172.16.1.0 0.0.0.255 any (60542 matches)

----

Site 2:

crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer XXX.YYY.ZZZ.232
match address 101

Extended IP access list 101
    10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)

route-map SDM_RMAP_1 permit 1
match ip address 104

Extended IP access list 104
    10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
    20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
    30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)

Why don't you use CCP's VPN diagnostics to help you troubleshoot and inform you what needs to be changed? I'm also still curious and waiting for the IPsec SA debug output (debug crypto ipsec sa).
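The two conditions the reply above checks by eye, that the crypto ACLs at the two ends are mirror images of each other and that the NAT route-map ACL denies (and so keeps out of translation) exactly the flows the crypto ACL permits, can be verified from "show access-list" output. The Python script below is an added example, not from this thread or from CCP. It assumes the CCP convention visible in the configs above (NAT driven by a route-map whose permit entry references an ACL, so a deny in that ACL means "do not translate") and a first-match ACL lookup with an implicit deny at the end. The embedded "show access-list" excerpts are constructed from the entries quoted in this thread, plus a deliberately broken variant with the NAT exemption removed.

```python
"""Cross-check CCP-style crypto ACLs and NAT route-map ACLs from 'show access-list'
output (added example, not from the thread or from Cisco).

For traffic to flow both ways over a crypto-map tunnel:
  1. each end's crypto ACL must be the mirror image of the other end's, and
  2. the NAT route-map ACL must deny (first match) every flow the crypto ACL
     permits, so the flow is not translated before the crypto map sees it.
Assumed convention (as in the CCP configs in this thread): NAT via a permit
route-map entry whose ACL denies the VPN traffic.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
# Optional sequence number, action, 'ip', address specs, optional hit counter.
ENTRY_RE = re.compile(
    r"^\s*(?:\d+\s+)?(permit|deny)\s+ip\s+(.*?)\s*(?:\(\d+ match(?:es)?\))?\s*$")

def _addr_spec(tokens):
    """Consume one address spec; return ((addr, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_access_lists(text):
    """{acl_name: [(action, src_spec, dst_spec), ...]} in ACL order ('ip' entries only)."""
    acls, current = defaultdict(list), None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            action, rest = entry.group(1), entry.group(2).split()
            src, rest = _addr_spec(rest)
            dst, _ = _addr_spec(rest)
            acls[current].append((action, src, dst))
    return dict(acls)

def _to_int(dotted):
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return sum(int(p) << (8 * (3 - i)) for i, p in enumerate(parts))

def _covers(spec, flow):
    """True if ACL spec (addr, wildcard) matches every address in the flow spec."""
    s_addr, s_wc, f_addr, f_wc = (_to_int(x) for x in (*spec, *flow))
    if None in (s_addr, s_wc, f_addr, f_wc):
        return spec == flow            # anonymised/hostname fields: exact match only
    if f_wc & ~s_wc & 0xFFFFFFFF:      # flow varies in bits the entry holds fixed
        return False
    return (s_addr & ~s_wc) & 0xFFFFFFFF == (f_addr & ~s_wc) & 0xFFFFFFFF

def first_match(entries, flow):
    """Action of the first entry matching flow=(src_spec, dst_spec); implicit deny."""
    for action, src, dst in entries:
        if _covers(src, flow[0]) and _covers(dst, flow[1]):
            return action
    return "deny"

def permitted_flows(acls, name):
    return {(src, dst) for action, src, dst in acls.get(name, []) if action == "permit"}

def _fmt(flow):
    (sa, sw), (da, dw) = flow
    return f"{sa} {sw} -> {da} {dw}"

def check_direction(local_acls, local_crypto, local_nat, remote_acls, remote_crypto):
    """Findings for one router: crypto ACL vs the peer's mirror, then NAT exemption."""
    findings = []
    local = permitted_flows(local_acls, local_crypto)
    mirrored = {(dst, src) for src, dst in permitted_flows(remote_acls, remote_crypto)}
    for flow in sorted(local - mirrored):
        findings.append(f"crypto ACL {local_crypto}: {_fmt(flow)} has no mirror in peer ACL {remote_crypto}")
    for flow in sorted(mirrored - local):
        findings.append(f"crypto ACL {local_crypto}: peer ACL {remote_crypto} expects {_fmt(flow)}, not permitted here")
    for flow in sorted(local):
        if first_match(local_acls.get(local_nat, []), flow) != "deny":
            findings.append(f"NAT ACL {local_nat}: {_fmt(flow)} is not exempted (translated before encryption)")
    return findings

def check_tunnel(site_a, site_b):
    """site = (show access-list text, crypto ACL name, NAT route-map ACL name)."""
    a_acls, b_acls = parse_access_lists(site_a[0]), parse_access_lists(site_b[0])
    return (check_direction(a_acls, site_a[1], site_a[2], b_acls, site_b[1])
            + check_direction(b_acls, site_b[1], site_b[2], a_acls, site_a[1]))

# Constructed 'show access-list' excerpts, modelled on the entries quoted in the thread.
SITE1_ACLS = """\
Extended IP access list 104
    10 deny ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (383730 matches)
    70 permit ip 172.16.1.0 0.0.0.255 any (60542 matches)
Extended IP access list 146
    10 permit ip 172.16.1.0 0.0.0.255 10.60.141.0 0.0.0.255 (790099 matches)
"""
SITE2_ACLS = """\
Extended IP access list 101
    10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367758 matches)
Extended IP access list 104
    10 deny ip 10.60.141.0 0.0.0.255 172.27.0.0 0.0.0.255 (257 matches)
    20 deny ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255 (367767 matches)
    30 permit ip 10.60.141.0 0.0.0.255 any (12854 matches)
"""
# Constructed negative case: same crypto ACL, but the NAT exemption was dropped.
SITE2_NO_EXEMPT = """\
Extended IP access list 101
    10 permit ip 10.60.141.0 0.0.0.255 172.16.1.0 0.0.0.255
Extended IP access list 104
    10 permit ip 10.60.141.0 0.0.0.255 any
"""
```

Calling check_tunnel((SITE1_ACLS, "146", "104"), (SITE2_ACLS, "101", "104")) on the posted entries returns no findings, which agrees with the reply above; the same call with SITE2_NO_EXEMPT reports that the 10.60.141.0 to 172.16.1.0 flow would be translated before it ever reaches the crypto map, which is the failure mode that shows up as the tunnel passing traffic in one direction only.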

Good day

I have been running the VPN diagnostics and it consistently says:

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets. 1)Contact your ISP/Administrator to resolve this issue. 2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.

I had this same info on other sites I configured to tunnel to Site 1 but the command worked on them with no issues.

I had been running the debug crypto ipsec but there were no results displayed.

I ran it again today and still got no IPsec debugs.

Here is the output of today's debugs.

Thanks for your continued help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.09.30 13:41:58 =~=~=~=~=~=~=~=~=~=~=~=
----------------------------------------------------------------

Using keyboard-interactive authentication.

Site2#term mon
Site2#show crypto is
Site2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
TTT.UUU.VVV.224  XXX.YYY.ZZZ.232  QM_IDLE           2015 ACTIVE
XXX.YYY.ZZZ.232  TTT.UUU.VVV.224  QM_IDLE           2016 ACTIVE

IPv6 Crypto ISAKMP SA

Site2#show crypto isakmp

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr TTT.UUU.VVV.224

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   current_peer XXX.YYY.ZZZ.232 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 94752, #pkts encrypt: 94752, #pkts digest: 94752
    #pkts decaps: 8133, #pkts decrypt: 8133, #pkts verify: 8133
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: XXX.YYY.ZZZ.232
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x46A7F1F4(1185411572)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2B148960(722766176)
--More--
                transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 71, flow_id: Onboard VPN:71, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4373272/3094)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x46A7F1F4(1185411572)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 72, flow_id: Onboard VPN:72, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4373227/3094)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)
--More--        
     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.60.141.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.27.0.0/255.255.255.0/0/0)
   current_peer THIS.SITE.WORKS.208 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 253, #pkts encrypt: 253, #pkts digest: 253
    #pkts decaps: 273, #pkts decrypt: 273, #pkts verify: 273
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: TTT.UUU.VVV.224, remote crypto endpt.: THIS.SITE.WORKS.208
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
--More--        
     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
Site2# debug cry
Site2# debug crypto is
Site2# debug crypto isakmp ?
  aaa    ISAKMP AAA
  error  ISAKMP Errors
  ha     ISAKMP High Availability
 

Site2# debug crypto isakmp
Crypto ISAKMP debugging is on
Site2# debug crypto isakmp        ipsec
Sep 30 19:49:07.299: ISAKMP:(2016):purging node -1638821314?
  client      Client Debug
  error       IPSEC errors
  ha          IPSEC High Availability
  hw-request  IPSEC hw-request
  message     IPSEC message
  metadata    CTS metadata
  states      IPSEC states
 

Site2# debug crypto ipsec
Crypto IPSEC debugging is on
Site2#
Sep 30 19:49:35.712: ISAKMP:(2016):purging node 278770064
Sep 30 19:52:07.868: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= TTT.UUU.VVV.224:500, remote= THIS.SITE.WORKS.208:500,
    local_proxy= 10.60.141.0/255.255.255.0/256/0,
    remote_proxy= 172.27.0.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 30 19:52:07.868: ISAKMP:(0): SA request profile is (NULL)
Sep 30 19:52:07.868: ISAKMP: Created a peer struct for THIS.SITE.WORKS.208, peer port 500
Sep 30 19:52:07.868: ISAKMP: New peer created peer = 0x89ECDE74 peer_handle = 0x8000000D
Sep 30 19:52:07.868: ISAKMP: Locking peer struct 0x89ECDE74, refcount 1 for isakmp_initiator
Sep 30 19:52:07.868: ISAKMP: local port 500, remote port 500
Sep 30 19:52:07.868: ISAKMP: set new node 0 to QM_IDLE     
Sep 30 19:52:07.868: ISAKMP:(0):insert sa successfully sa = 88D8FC14
Sep 30 19:52:07.868: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Sep 30 19:52:07.872: ISAKMP:(0):found peer pre-shared key matching THIS.SITE.WORKS.208
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-07 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-03 ID
Sep 30 19:52:07.872: ISAKMP:(0): constructed NAT-T vendor-02 ID
Sep 30 19:52:07.872: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Sep 30 19:52:07.872: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Sep 30 19:52:07.872: ISAKMP:(0): beginning Main Mode exchange
Sep 30 19:52:07.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:07.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:17.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:17.872: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Sep 30 19:52:17.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:17.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:27.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:27.872: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Sep 30 19:52:27.872: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:27.872: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:27.872: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:37.869: IPSEC(key_engine): request timer fired: count = 1,
  (identity) local= TTT.UUU.VVV.224:0, remote= THIS.SITE.WORKS.208:0,
    local_proxy= 10.60.141.0/255.255.255.0/256/0,
    remote_proxy= 172.27.0.0/255.255.255.0/256/0
Sep 30 19:52:37.869: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= TTT.UUU.VVV.224:500, remote= THIS.SITE.WORKS.208:500,
    local_proxy= 10.60.141.0/255.255.255.0/256/0,
    remote_proxy= 172.27.0.0/255.255.255.0/256/0,
    protocol= ESP, transform= esp-3des esp-sha-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
Sep 30 19:52:37.869: ISAKMP: set new node 0 to QM_IDLE     
Sep 30 19:52:37.869: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local TTT.UUU.VVV.224, remote THIS.SITE.WORKS.208)
Sep 30 19:52:37.869: ISAKMP: Error while processing SA request: Failed to initialize SA
Sep 30 19:52:37.869: ISAKMP: Error while processing KMI message 0, error 2.
Sep 30 19:52:37.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:37.873: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Sep 30 19:52:37.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:37.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:37.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:43.689: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 30 19:52:43.689: ISAKMP: set new node -2093195178 to QM_IDLE     
Sep 30 19:52:43.689: ISAKMP:(2015): processing HASH payload. message ID = 2201772118
Sep 30 19:52:43.689: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2201772118, sa = 0x887C5694
Sep 30 19:52:43.689: ISAKMP:(2015):deleting node -2093195178 error FALSE reason "Informational (in) state 1"
Sep 30 19:52:43.689: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:52:43.689: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:52:43.689: ISAKMP:(2015):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2BE
Sep 30 19:52:43.693: ISAKMP: set new node 727941331 to QM_IDLE     
Sep 30 19:52:43.693: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 727941331
Sep 30 19:52:43.693: ISAKMP:(2015): seq. no 0xEA9B2BE
Sep 30 19:52:43.693: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 30 19:52:43.693: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:52:43.693: ISAKMP:(2015):purging node 727941331
Sep 30 19:52:43.693: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:52:43.693: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:52:47.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:47.873: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 30 19:52:47.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:47.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:47.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:52:48.377: ISAKMP: set new node 923998259 to QM_IDLE     
Sep 30 19:52:48.377: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 923998259
Sep 30 19:52:48.377: ISAKMP:(2015): seq. no 0xB5E6F57
Sep 30 19:52:48.377: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 30 19:52:48.377: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:52:48.377: ISAKMP:(2015):purging node 923998259
Sep 30 19:52:48.377: ISAKMP:(2015):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:52:48.377: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:52:48.417: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 30 19:52:48.417: ISAKMP: set new node -709724728 to QM_IDLE     
Sep 30 19:52:48.417: ISAKMP:(2015): processing HASH payload. message ID = 3585242568
Sep 30 19:52:48.417: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3585242568, sa = 0x887C5694
Sep 30 19:52:48.417: ISAKMP:(2015): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F57
Sep 30 19:52:48.417: ISAKMP:(2015):deleting node -709724728 error FALSE reason "Informational (in) state 1"
Sep 30 19:52:48.417: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:52:48.417: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:52:57.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:52:57.873: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 30 19:52:57.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Sep 30 19:52:57.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:57.873: ISAKMP:(0):Sending an IKE IPv4 Packet.
Sep 30 19:53:07.869: IPSEC(key_engine): request timer fired: count = 2,
  (identity) local= TTT.UUU.VVV.224:0, remote= THIS.SITE.WORKS.208:0,
    local_proxy= 10.60.141.0/255.255.255.0/256/0,
    remote_proxy= 172.27.0.0/255.255.255.0/256/0
Sep 30 19:53:07.873: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Sep 30 19:53:07.873: ISAKMP:(0):peer does not do paranoid keepalives.

Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:07.873: ISAKMP: Unlocking peer struct 0x89ECDE74 for isadb_mark_sa_deleted(), count 0
Sep 30 19:53:07.873: ISAKMP: Deleting peer node by peer_reap for THIS.SITE.WORKS.208: 89ECDE74
Sep 30 19:53:07.873: ISAKMP:(0):deleting node -899971120 error FALSE reason "IKE deleted"
Sep 30 19:53:07.873: ISAKMP:(0):deleting node -966086895 error FALSE reason "IKE deleted"
Sep 30 19:53:07.873: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Sep 30 19:53:07.873: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Sep 30 19:53:07.873: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Sep 30 19:53:14.686: ISAKMP: set new node -1006717167 to QM_IDLE     
Sep 30 19:53:14.686: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 3288250129
Sep 30 19:53:14.686: ISAKMP:(2016): seq. no 0xB5E6F58
Sep 30 19:53:14.686: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 30 19:53:14.686: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:53:14.686: ISAKMP:(2016):purging node -1006717167
Sep 30 19:53:14.686: ISAKMP:(2016):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:53:14.686: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:53:14.726: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 30 19:53:14.726: ISAKMP: set new node -1460159407 to QM_IDLE     
Sep 30 19:53:14.726: ISAKMP:(2016): processing HASH payload. message ID = 2834807889
Sep 30 19:53:14.726: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2834807889, sa = 0x88D27A8C
Sep 30 19:53:14.726: ISAKMP:(2016): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F58
Sep 30 19:53:14.726: ISAKMP:(2016):deleting node -1460159407 error FALSE reason "Informational (in) state 1"
Sep 30 19:53:14.726: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:53:14.726: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:53:32.842: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 30 19:53:32.842: ISAKMP: set new node -830862528 to QM_IDLE     
Sep 30 19:53:32.842: ISAKMP:(2016): processing HASH payload. message ID = 3464104768
Sep 30 19:53:32.842: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 3464104768, sa = 0x88D27A8C
Sep 30 19:53:32.842: ISAKMP:(2016):deleting node -830862528 error FALSE reason "Informational (in) state 1"
Sep 30 19:53:32.842: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:53:32.842: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:53:32.842: ISAKMP:(2016):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2BF
Sep 30 19:53:32.842: ISAKMP: set new node 396837477 to QM_IDLE     
Sep 30 19:53:32.842: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 396837477
Sep 30 19:53:32.846: ISAKMP:(2016): seq. no 0xEA9B2BF
Sep 30 19:53:32.846: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 30 19:53:32.846: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:53:32.846: ISAKMP:(2016):purging node 396837477
Sep 30 19:53:32.846: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:53:32.846: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:53:33.690: ISAKMP:(2015):purging node -2093195178
Sep 30 19:53:38.418: ISAKMP:(2015):purging node -709724728
Sep 30 19:53:57.875: ISAKMP:(0):purging node -899971120
Sep 30 19:53:57.875: ISAKMP:(0):purging node -966086895
Sep 30 19:54:04.727: ISAKMP:(2016):purging node -1460159407
Sep 30 19:54:07.875: ISAKMP:(0):purging SA., sa=88D8FC14, delme=88D8FC14
Sep 30 19:54:22.843: ISAKMP:(2016):purging node -830862528
Sep 30 19:57:38.257: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 30 19:57:38.257: ISAKMP: set new node -1394998553 to QM_IDLE     
Sep 30 19:57:38.257: ISAKMP:(2015): processing HASH payload. message ID = 2899968743
Sep 30 19:57:38.257: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2899968743, sa = 0x887C5694
Sep 30 19:57:38.257: ISAKMP:(2015):deleting node -1394998553 error FALSE reason "Informational (in) state 1"
Sep 30 19:57:38.257: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:57:38.257: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:57:38.257: ISAKMP:(2015):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2C0
Sep 30 19:57:38.257: ISAKMP: set new node -1370278299 to QM_IDLE     
Sep 30 19:57:38.257: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2924688997
Sep 30 19:57:38.257: ISAKMP:(2015): seq. no 0xEA9B2C0
Sep 30 19:57:38.261: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 30 19:57:38.261: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:57:38.261: ISAKMP:(2015):purging node -1370278299
Sep 30 19:57:38.261: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:57:38.261: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:57:40.093: ISAKMP: set new node 1761811813 to QM_IDLE     
Sep 30 19:57:40.093: ISAKMP:(2015):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 1761811813
Sep 30 19:57:40.093: ISAKMP:(2015): seq. no 0xB5E6F59
Sep 30 19:57:40.093: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE     
Sep 30 19:57:40.093: ISAKMP:(2015):Sending an IKE IPv4 Packet.
Sep 30 19:57:40.093: ISAKMP:(2015):purging node 1761811813
Sep 30 19:57:40.093: ISAKMP:(2015):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:57:40.093: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:57:40.133: ISAKMP (2015): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (R) QM_IDLE     
Sep 30 19:57:40.133: ISAKMP: set new node -1986599737 to QM_IDLE     
Sep 30 19:57:40.133: ISAKMP:(2015): processing HASH payload. message ID = 2308367559
Sep 30 19:57:40.133: ISAKMP:(2015): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 2308367559, sa = 0x887C5694
Sep 30 19:57:40.133: ISAKMP:(2015): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F59
Sep 30 19:57:40.133: ISAKMP:(2015):deleting node -1986599737 error FALSE reason "Informational (in) state 1"
Sep 30 19:57:40.133: ISAKMP:(2015):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:57:40.133: ISAKMP:(2015):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:58:12.413: ISAKMP: set new node 775548616 to QM_IDLE     
Sep 30 19:58:12.413: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE protocol 1
spi 2270256336, message ID = 775548616
Sep 30 19:58:12.413: ISAKMP:(2016): seq. no 0xB5E6F5A
Sep 30 19:58:12.413: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 30 19:58:12.413: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:58:12.413: ISAKMP:(2016):purging node 775548616
Sep 30 19:58:12.413: ISAKMP:(2016):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_IM_ALIVE
Sep 30 19:58:12.413: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:58:12.453: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 30 19:58:12.453: ISAKMP: set new node -1114220985 to QM_IDLE     
Sep 30 19:58:12.453: ISAKMP:(2016): processing HASH payload. message ID = 3180746311
Sep 30 19:58:12.453: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 0, message ID = 3180746311, sa = 0x88D27A8C
Sep 30 19:58:12.453: ISAKMP:(2016): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F5A
Sep 30 19:58:12.453: ISAKMP:(2016):deleting node -1114220985 error FALSE reason "Informational (in) state 1"
Sep 30 19:58:12.457: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:58:12.457: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:58:28.258: ISAKMP:(2015):purging node -1394998553
Sep 30 19:58:29.050: ISAKMP (2016): received packet from XXX.YYY.ZZZ.232 dport 500 sport 500 Global (I) QM_IDLE     
Sep 30 19:58:29.050: ISAKMP: set new node -1513448807 to QM_IDLE     
Sep 30 19:58:29.050: ISAKMP:(2016): processing HASH payload. message ID = 2781518489
Sep 30 19:58:29.050: ISAKMP:(2016): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = 2781518489, sa = 0x88D27A8C
Sep 30 19:58:29.050: ISAKMP:(2016):deleting node -1513448807 error FALSE reason "Informational (in) state 1"
Sep 30 19:58:29.050: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
Sep 30 19:58:29.050: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:58:29.050: ISAKMP:(2016):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2C1
Sep 30 19:58:29.050: ISAKMP: set new node -1856552293 to QM_IDLE     
Sep 30 19:58:29.054: ISAKMP:(2016):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 2270256376, message ID = 2438415003
Sep 30 19:58:29.054: ISAKMP:(2016): seq. no 0xEA9B2C1
Sep 30 19:58:29.054: ISAKMP:(2016): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (I) QM_IDLE     
Sep 30 19:58:29.054: ISAKMP:(2016):Sending an IKE IPv4 Packet.
Sep 30 19:58:29.054: ISAKMP:(2016):purging node -1856552293
Sep 30 19:58:29.054: ISAKMP:(2016):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
Sep 30 19:58:29.054: ISAKMP:(2016):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

Sep 30 19:58:30.134: ISAKMP:(2015):purging node -1986599737
Sep 30 19:59:02.459: ISAKMP:(2016):purging node -1114220985
Sep 30 19:59:19.051: ISAKMP:(2016):purging node -1513448807
Site2# no debug crypto ipsec
Crypto IPSEC debugging is off
Crypto IPSEC (detailed) debugging is off
Site2# no debug crypto isakmp
Crypto ISAKMP debugging is off
Site2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Site2(config)#int fa4
Site2(config-if)#crypto ipsec df-bit clear
Site2(config-if)#exit
Site2(config)#exit
Site2#
Sep 30 20:01:33.779: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 30 20:05:02.328: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Template1, changed state to down
Site2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

Site2#
Sep 30 20:08:06.553: %SYS-5-CONFIG_I: Configured from console by Administrator on vty0 (10.60.141.158)
Sep 30 20:08:28.102: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
Sep 30 20:08:28.278: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to up
Sep 30 20:08:40.274: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access1, changed state to down
exit
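
The debug above shows one peer (XXX.YYY.ZZZ.232) answering DPD normally while the other (THIS.SITE.WORKS.208) never gets past MM_NO_STATE and ends with "Death by retransmission P1". As an added example, not part of the thread, here is a small Python parser that summarises that per peer from `debug crypto isakmp` output; it assumes the line formats shown above and uses the thread's placeholder peer names in a constructed sample.

```python
import re
from collections import defaultdict

# Line shapes copied from the "debug crypto isakmp" output above.
RE_ATTEMPT = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
RE_SEND = re.compile(r"sending packet to (\S+) my_port \d+ peer_port \d+ \([IR]\) (\w+)")
RE_DEAD = re.compile(r'"Death by retransmission P1".*\(peer (\S+)\)')
RE_DPD = re.compile(r"DPD/R_U_THERE(_ACK)? received from peer (\S+),")

def summarize_isakmp(lines):
    """Per-peer phase-1 retransmits, phase-1 SA death, DPD counts and IKE states seen."""
    peers = defaultdict(lambda: {"p1_retransmits": 0, "last_attempt": (0, 0),
                                 "p1_dead": False, "dpd_requests": 0,
                                 "dpd_acks": 0, "states": set()})
    pending = None  # IOS logs the attempt counter before the peer-bearing send line
    for line in lines:
        if m := RE_ATTEMPT.search(line):
            pending = (int(m.group(1)), int(m.group(2)))
        elif m := RE_SEND.search(line):
            peer, state = m.group(1), m.group(2)
            peers[peer]["states"].add(state)
            if pending and state == "MM_NO_STATE":  # main-mode retransmit to this peer
                peers[peer]["p1_retransmits"] += 1
                peers[peer]["last_attempt"] = pending
                pending = None
        elif m := RE_DEAD.search(line):
            peers[m.group(1)]["p1_dead"] = True
        elif m := RE_DPD.search(line):
            peers[m.group(2)]["dpd_acks" if m.group(1) else "dpd_requests"] += 1
    return dict(peers)

def verdict(stats):
    """phase1-failed: peer never answered main mode; up-dpd-alive: SA in QM_IDLE with DPD acks."""
    if stats["p1_dead"]:
        return "phase1-failed"
    if "QM_IDLE" in stats["states"] and stats["dpd_acks"] > 0:
        return "up-dpd-alive"
    return "unknown"

# Constructed sample in the debug's own format; peer names are the thread's placeholders.
SAMPLE = """\
Sep 30 19:52:47.873: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Sep 30 19:52:47.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:52:48.377: ISAKMP:(2015): sending packet to XXX.YYY.ZZZ.232 my_port 500 peer_port 500 (R) QM_IDLE
Sep 30 19:52:48.417: ISAKMP:(2015): DPD/R_U_THERE_ACK received from peer XXX.YYY.ZZZ.232, sequence 0xB5E6F57
Sep 30 19:52:57.873: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Sep 30 19:52:57.873: ISAKMP:(0): sending packet to THIS.SITE.WORKS.208 my_port 500 peer_port 500 (I) MM_NO_STATE
Sep 30 19:53:07.873: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer THIS.SITE.WORKS.208)
Sep 30 19:53:32.842: ISAKMP:(2016):DPD/R_U_THERE received from peer XXX.YYY.ZZZ.232, sequence 0xEA9B2BF
""".splitlines()
```

Run `summarize_isakmp(SAMPLE)` and pass each entry to `verdict` to get one line per peer; a peer that is "phase1-failed" with attempt 5 of 5 never received a main-mode reply at all, which points at reachability or UDP/500 filtering rather than at the IPsec proxy ACLs.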

Hi,

Thanks for the update! Could you play around with the values for these commands and try again?

vlan 1
 ip tcp adjust-mss 1300
int f4
 ip mtu 1440
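
To see what the suggested `ip mtu` and `adjust-mss` values imply for this thread's ESP-3DES-SHA tunnel, here is an added Python calculation of ESP tunnel-mode overhead (not from the thread). It assumes 3DES-CBC (8-byte block and IV) with HMAC-SHA1-96 (12-byte ICV) and no NAT traversal unless `nat_t=True`; the defaults can be changed for other transform sets.

```python
import math

# ESP tunnel-mode overhead; defaults match the thread's ESP-3DES-SHA transform set:
# 3DES-CBC has an 8-byte block and IV, HMAC-SHA1-96 a 12-byte ICV.
OUTER_IP = 20    # new outer IPv4 header added in tunnel mode
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad length + next header, inside the encrypted part
UDP_NAT_T = 8    # extra UDP header only when NAT traversal (UDP/4500) is in use

def esp_tunnel_size(inner_len, block=8, iv=8, icv=12, nat_t=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + (UDP_NAT_T if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_inner_mtu(outer_mtu, block=8, iv=8, icv=12, nat_t=False):
    """Largest inner packet that still fits in outer_mtu without fragmentation."""
    avail = outer_mtu - OUTER_IP - (UDP_NAT_T if nat_t else 0) - ESP_HDR - iv - icv
    return avail - (avail % block) - ESP_TRAILER

def tcp_mss_for(inner_mtu):
    """TCP MSS that keeps a full segment within inner_mtu (IPv4 + TCP headers, no options)."""
    return inner_mtu - 20 - 20

def fits(inner_len, outer_mtu, **kw):
    """True when an inner packet of inner_len bytes does not need outer fragmentation."""
    return esp_tunnel_size(inner_len, **kw) <= outer_mtu
```

With a 1500-byte WAN MTU, `max_inner_mtu(1500)` is 1446, so the suggested `ip mtu 1440` leaves a small margin and `tcp_mss_for(1440)` gives 1400; the 1300 MSS in the reply is a deliberately conservative value below that.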

Good evening

I tried setting the MTU on int fa4 down as low as 1300 in several resizing steps. Basically, down at 1300 MTU the internet speed was unusable, but with no change.

On Vlan1 I played with the adjust-mss settings, but again with no change.

I will be out of town for the next few days, so I likely won't be able to troubleshoot much Monday and Tuesday.

Have a good one and thanks again.