Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
471
Views
0
Helpful
2
Replies

Cisco 2921 IPSec Up but no traffic

sebastianm1
Level 1
Level 1

‎11-21-2016 07:28 AM - edited ‎02-21-2020 09:03 PM

Hi All,

We have had a Cisco 2921 which we have set up IPSec tunnels to our remote sites.

However the Cisco is not passing traffic.

Any assistance would be greatly appreciated.

interface: GigabitEthernet0/0
Crypto map tag: SDM_CMAP_1, local addr 203.x.x.x

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.203.0/255.255.255.0/0/0)
current_peer 165.x.x.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 203.x.x.x, remote crypto endpt.: 165.x.x.x.
plaintext mtu 1350, path mtu 1400, ip mtu 1400, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCAF32509(3404932361)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x41CCE040(1103945792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2661, flow_id: Onboard VPN:661, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4341587/3541)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCAF32509(3404932361)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2662, flow_id: Onboard VPN:662, sibling_flags 80000040, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4341588/3541)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Labels:
0 Helpful
2 Replies 2

JP Miranda Z
Cisco Employee
Cisco Employee

‎11-21-2016 07:58 AM

Hi 

Can you share the nat config of this router?

Seems like you are receiving traffic and not responding, you can also take a look to the routing to make sure everything is fine.

Hope this info helps!!

Rate if helps you!! 

-JP-

0 Helpful

sebastianm1
Level 1
Level 1
In response to JP Miranda Z

‎11-21-2016 08:16 AM

Hi JP

Thank you kindly for your quick reply.

i found that there was an extra NAT rule applied that was blocking the traffic.

removed the rule and it starting flowing :)

0 Helpful
Customers Also Viewed These Support Documents