Thank you....However I am getting a new message

Sep 22 18:07:28.082: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 63.240.91.172.....

Another thing I noticed, when I change the config on the router, it doesnt stay there. It alwayd go back to what you were viewing.

Hi !

CRYPTO-6-IKMP_MODE_FAILURE means a isakmp policy mismatch ( that's we're trying ) and/or pre-shared key.

Ok, try to reconfigure the isakmp policy :

conf t

!

crypto isakmp policy 2

encr des

authentication pre-share

group 1

!

Clear phase 1 tunnels and try to force traffic in both sides.

clear isakmp sa

ping < 10.50.X.X > source 192.168.140.3

or

ping < 10.50.X.X > source-interface GigabitEthernet0/1

Debugging is also your friend :-)

debug crypto isakmp

debug crypto ipsec

Good luck

regards

Hi!

also you can try another encryption. Remember to change it in both sides.

Regards

Good and bad news.

Good news is that ther tunnel came up. the bad news is I cannot ping the IPs from one end to the other.

Any idea?

Hi !

you must bypass nat overload on router to remote network.

You have a rule that translates all your 192.168.0.0/24 to the wan interface

ip nat inside source list NAT-ADDRESSES interface GigabitEthernet0/2 overload

ip access-list standard NAT-ADDRESSES

permit 192.168.140.0

permit 10.10.10.0 0.0.0.255

You also have a route map to bypass it but it's no applied :

route-map NO-NAT permit 10

match ip address 110

access-list 110 deny   ip 192.168.140.0 0.0.0.255 10.50.0.0 0.0.255.255

The route map is not applied in any nat statement.

Regards

Hello a yussuf

1. The Combination of Encryption DES and Hashing algorithm SHA is known to have issues on cisco platform

so insted of using it use any other combination like md5 des or sha 3des

2. If the tunnel is up and not passing traffic, Verify that cryto access-list is a mirror image of each other.

3. The Direction of crypto access-list should always be from local network to remote network.

4. Also an appropriate nat exempt should be configured for the same on asa and router

If this does not help

Further

1) I would like to review the configuration of your device and the Remote Device, please send me the output of command sh tech so that I can analyze the configuration of the device.

2) Apart from this please run these commands with a time lag of 30 seconds at least 5 times) send the output of below listed commands, so that we can review counters for encapsulated and de-capsulated packets

A) On Local Side

a)  Sh Crypto isakmp sa

   b)  Sh Crypto ipsec sa

B) On Remote Side                                                                                                               

   a)  Sh Crypto isakmp sa

   b)  Sh Crypto ipsec sa

3) For further investigation Please run the below listed debugs on Local and Remote Devices.

   a)Debug Crypto Isakmp

   b)Debug Crypto Ipsec 

   c) Debug crypto condition peer < Peer address or hostname>

Regards

Rahul Ilwadhi

The VPN tunnel is up but there is no communication between the two local subnet.

The config for both is attached.