10-07-2018 05:09 AM - edited 02-21-2020 09:28 PM
Hello Guys,
I have launched a Cisco CSR 1000v AX on AWS:
#show version
Cisco IOS XE Software, Version 16.09.01
Cisco IOS Software [Fuji], Virtual XE Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.9.1, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2018 by Cisco Systems, Inc.
Compiled Tue 17-Jul-18 16:57 by mcpre
By the way, it looks like the technical support URL is wrong.
I am trying to establish a site-to-site VPN connection between that device and a partner Cisco ASA 5510 (according to the VPN form). Below are my settings:
ip access-list extended aclist_partner_x
 permit ip host 197.xx.xx.249 host 172.21.100.10
 permit ip host 172.21.100.10 host 197.xx.xx.249
 exit
crypto keyring keyring_partner_x
 local-address GigabitEthernet1
 pre-shared-key address 197.xx.xx.254 key xxxxxxxxxx
 exit
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
 exit
crypto isakmp profile profile_partner_x
 local-address GigabitEthernet1
 keyring keyring_partner_x
 match identity address 197.xx.xx.254
 exit
crypto ipsec transform-set ESP-AES256-SHA1 esp-aes 256 esp-sha-hmac
 mode tunnel
 exit
crypto map map_partner_x 10 ipsec-isakmp
 match address aclist_partner_x
 set peer 197.xx.xx.254
 set transform-set ESP-AES256-SHA1
 set isakmp-profile profile_partner_x
 reverse-route static
 set reverse-route distance 10
 exit
interface GigabitEthernet1
 crypto map map_partner_x
 exit
crypto isakmp keepalive 10 10 on-demand
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

#show ip route
Gateway of last resort is 172.21.0.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 172.21.0.1, GigabitEthernet1
 172.21.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.21.0.0/24 is directly connected, GigabitEthernet1
L 172.21.0.30/32 is directly connected, GigabitEthernet1
#show ip int br
Interface IP-Address OK? Method Status Protocol
GigabitEthernet1 172.21.0.30 YES DHCP up up
VirtualPortGroup0 192.168.35.101 YES NVRAM up up
When the tunnel wasn't coming up, I did a terminal monitor and it looks like below:
Oct 6 14:43:12.871: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000087224457044924 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 197.xx.xx.249, src_addr= 172.21.100.10, prot= 1
*Oct 6 14:43:20.221: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 41.242.136.40] [localport: 22] at 14:43:20 UTC Sat Oct 6 2018
*Oct 6 14:44:13.353: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000087284938212829 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 197.xx.xx.249, src_addr= 172.21.100.10, prot= 1
*Oct 6 14:45:13.836: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000087345419675954 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 197.xx.xx.249, src_addr= 172.21.100.10, prot= 1
I am not sure what I have missed or left out. I would be grateful if anyone can point me in the right direction. Been battling with this since Friday 5th October 2018.
Thanks for reading and thanks in advance.
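An added example, not from the original post: it parses IOS-XE syslog lines in the same format as the terminal-monitor output above, pulls out each %IPSEC-3-RECVD_PKT_NOT_IPSEC event, and checks whether the reported src/dst pair falls inside the crypto ACL (i.e. a flow the router expected to arrive IPsec-protected). The ACL and log lines are constructed samples; the redacted partner address is replaced by the documentation-range placeholder 203.0.113.249, and wildcard-mask and `any` ACEs are handled as a generalisation beyond the host-only ACL in the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the poster's crypto ACL with 197.xx.xx.249 replaced
# by the placeholder 203.0.113.249.
CRYPTO_ACL = """
permit ip host 203.0.113.249 host 172.21.100.10
permit ip host 172.21.100.10 host 203.0.113.249
"""

# Constructed sample syslog lines (same format as the poster's output,
# same placeholder); the third line is a flow NOT covered by the ACL.
SYSLOG = """
*Oct 6 14:43:12.871: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000087224457044924 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 203.0.113.249, src_addr= 172.21.100.10, prot= 1
*Oct 6 14:43:20.221: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ec2-user] [Source: 198.51.100.40] [localport: 22] at 14:43:20 UTC Sat Oct 6 2018
*Oct 6 14:44:13.353: %IOSXE-3-PLATFORM: R0/0: cpp_cp: QFP:0.0 Thread:000 TS:00000087284938212829 %IPSEC-3-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet, dest_addr= 10.9.9.9, src_addr= 172.21.100.10, prot= 6
"""

LOG_RE = re.compile(
    r"RECVD_PKT_NOT_IPSEC:.*?dest_addr= ([\d.]+), src_addr= ([\d.]+), prot= (\d+)")

def parse_ace(line):
    """Parse one 'permit ip <src> <dst>' ACE into (src_net, dst_net)."""
    tok = line.split()
    if tok[:2] != ["permit", "ip"]:
        return None
    nets, i = [], 2
    while len(nets) < 2:
        if tok[i] == "host":
            nets.append(ip_network(tok[i + 1])); i += 2
        elif tok[i] == "any":
            nets.append(ip_network("0.0.0.0/0")); i += 1
        else:  # "addr wildcard" form; ip_network accepts a hostmask tuple
            nets.append(ip_network((tok[i], tok[i + 1]), strict=False)); i += 2
    return tuple(nets)

def parse_acl(text):
    return [ace for ace in map(parse_ace, text.strip().splitlines()) if ace]

def not_ipsec_events(text):
    """Return (dst, src, proto) for every RECVD_PKT_NOT_IPSEC message."""
    return [(ip_address(m.group(1)), ip_address(m.group(2)), int(m.group(3)))
            for m in LOG_RE.finditer(text)]

def flow_in_crypto_acl(acl, src, dst):
    return any(src in s and dst in d for s, d in acl)

def report(acl_text, log_text):
    """Return [(src, dst, proto, covered_by_crypto_acl)] per event."""
    acl = parse_acl(acl_text)
    return [(str(src), str(dst), proto, flow_in_crypto_acl(acl, src, dst))
            for dst, src, proto in not_ipsec_events(log_text)]

if __name__ == "__main__":
    for row in report(CRYPTO_ACL, SYSLOG):
        print(row)
```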
10-08-2018 01:29 AM
Hi,
Can you run a debug "debug crypto isakmp" and then attempt to generate some interesting traffic to trigger the vpn tunnel and upload the full output here please?