Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
692
Views
0
Helpful
0
Replies

Cisco Hub & Spoke IPSEC VPN with crypto map check failed issue

yenaungoo
Level 1
Level 1

‎12-11-2013 07:52 PM - edited ‎02-21-2020 07:23 PM

Hi! I would appreciate if anyone can help for this intermittance issue. Basically the tunnel is UP and working properly but sometimes connections to the remote site failed with "crypto map check failed" error. What could be this error/ issue?

For me I can only access to my SPOKE router and no changes made.

My router (SPOKE) --GRE with IPSEC crypto map--> HUB Router

Define 3 Interesting traffic with ACL to communicate:

HUB Router --> connect to another SPOKE Router with IPSEC crypto map (No GRE)

HUB Router --> direct connect LAN subnet

HUB Router --> direct connect to another router (No IPSEC)  <<== sometimes failed to connect from my site

Debug Log:

*Dec 11 14:23:38:     UDP src=21775, dst=12000

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87 (Tunnel1), len 76, output feature

*Dec 11 14:23:38:     UDP src=21775, dst=12000, packet consumed, IPSec output classification(34), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87, len 76, input feature

*Dec 11 14:23:38:     UDP src=28122, dst=12001, MCI Check(88), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Dec 11 14:23:38: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 172.22.103.50 dst 10.1.6.87

*Dec 11 14:23:38: FIBfwd-proc: packet routed by adj to Tunnel1 0.0.0.0

*Dec 11 14:23:38: FIBipv4-packet-proc: packet routing succeeded

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87 (Tunnel1), len 76, crypto map check failed.

*Dec 11 14:23:38:     UDP src=28122, dst=12001

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87 (Tunnel1), len 76, output feature

*Dec 11 14:23:38:     UDP src=28122, dst=12001, packet consumed, IPSec output classification(34), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87, len 76, input feature

*Dec 11 14:23:38:     UDP src=57741, dst=12002, MCI Check(88), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Dec 11 14:23:38: FIBipv4-packet-proc: route packet from GigabitEthernet0/1 src 172.22.103.50 dst 10.1.6.87

*Dec 11 14:23:38: FIBfwd-proc: packet routed by adj to Tunnel1 0.0.0.0

*Dec 11 14:23:38: FIBipv4-packet-proc: packet routing succeeded

*Dec 11 14:23:38: IP: s=172.22.103.50 (GigabitEthernet0/1), d=10.1.6.87 (Tunnel1), len 76, crypto map check failed.

*Dec 11 14:23:38:     UDP src=57741, dst=12002

Thanks ahead,

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents