
Site to Site tunnel, getting an error

shall
Level 1

I am setting up a site to site VPN with an 881 and a PIX box. On the 881 I am getting an error when I test the VPN through CCP.

"The peer must be routed through the crypto map interface.  The Following peer(s) do not a have a routing entry in the routing table

1) 66.66.66.66

 

Where do I add the route?  In IPSec-->IPSec Policies (Crypto Map Sets) I see the correct peer in there.  What am I missing?

17 Replies

Rick

While I do not object to trying that as an experiment I would be extremely surprised if that were an issue.

[edit] And the fact that the original poster says that he can ping the peer address is one point that indicates that the default route is working ok

Please do me the favour of reading my posts carefully before you post. I did not say for one minute that changing the default route was going to fix the VPN issue I just suggested it to tidy up the configuration.

I am not an expert on anything but I have enough knowledge to understand that if the peer can be pinged then obviously the default route is working.

I have absolutely no problem when I post something inaccurate and somebody corrects me and am usually the first to admit my mistake but the edit you wrote seems to be suggesting I don't understand basic routing.

Perhaps instead of "doubt" I should have said it "won't" make a difference but I would have thought from the amount of time we have both been posting on these forums you would have known what I was saying.

Then again perhaps not.

Jon

Jon

 

I am sorry that my response has so upset you. Rest assured that I regard you as a valued colleague and do read your posts quite carefully. In this case we seem to have a difference of opinion. The original poster has configured a static route which specifies both the output interface and the next hop address. I regard this as a more specific specification of the desired behavior and a superior method of configuration of static routes. You have suggested that a less specific method of specifying the desired behavior might be better. So on this we have a difference of opinion.

 

HTH

 

Rick

Rick

 I regard this as a more specific specification of the desired behavior and a superior method of configuration of static routes

That is fair enough and I take your advice on that, as I do on many things, as you have obviously used it more than I have.

But that wasn't the point I was trying to make and I think you know that :-)

The point I was making was that you were suggesting I was saying it should be changed because it might fix the VPN issue of no route being found. And you added the edit to emphasise the point.

Which is basically saying I don't understand how routing works because the OP quite clearly stated he could ping the peer IP.

I guess the key point I was making is that when we answer questions an important part of that is to take into account the knowledge of the person posting the response.

And I would have hoped that by now you would know that I do at least understand how routing works.

That was what I was saying.

Jon