
CISCO ROUTER 1941

Semiu Akinlabi
Level 1

I have two routers, company A 1941 and B 1800.

I configured both routers to enable a VPN connection between COMPANY A & B.

I can ping tunnel 10.10.10.x from the routers.

I can ping local IP 192.168.x.x from the routers.

I can ping 10.10.10.x from the PC but could not ping 192.168.x.x from the PC, which is the local IP of Company B.

I run sh crypto isakmp from router B

dst             src             state          conn-id status
41.79.x.x      197.149.x.x   QM_IDLE           1079 ACTIVE

I run sh crypto isakmp from router A

dst             src             state          conn-id status
197.149.x.x   10.10.x.x      MM_NO_STATE          0 ACTIVE
197.149.90.10   10.10.x.x      MM_NO_STATE          0 ACTIVE (deleted)
41.79.x.x      197.149.x.x   MM_NO_STATE       1001 ACTIVE (deleted)

What could be the issue?

Thanks.

semiu

16 Replies

Vishnu Sharma
Level 1

Hi Semiu,

Looking at the output, it looks like phase 1 is up from the site B router; however, phase 2 is not coming up, and that is why the router in Site A is showing the state as MM_NO_STATE. I would appreciate it if you could help me understand which subnet is on site A and which subnet is on site B. Also, I would appreciate it if you could share the VPN configuration from both routers.

Thanks,

Vishnu

Thanks, I really appreciate the quick response.

The attachment contains the configuration of both routers.

I can ping the remote tunnel address 10.10.x.x from the local PC but could not ping the remote local PC.

Thanks.

semiu.

Could you please check if phase 2 is coming up or not? If not, then check that the transform set mode is tunnel, as I can't see the mode tunnel in the 1841 router config for the transform set.

The 1841 does not display mode tunnel in its config,

so how can I check if phase 2 is coming up?

Thanks for your response.

OK, that's what I was suspecting anyway, thanks for the info. Try to ping the remote end PC from the local PC and check the below commands on the router:

Phase 1- show crypto isakmp sa

Phase 2 - show crypto ipsec sa

NGBSAPAPA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
197.149.90.10   10.10.10.1      MM_NO_STATE          0 ACTIVE
197.149.90.10   10.10.10.1      MM_NO_STATE          0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
NGBSAPAPA#sh crypsto ipsec sa
                 ^
% Invalid input detected at '^' marker.
NGBSAPAPA#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.10.10.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 197.149.90.10 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 19, #recv errors 0
     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 197.149.90.10
     plaintext mtu 1476, path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
NGBSAPAPA#

So here is an issue:

local crypto endpt.: 10.10.10.1, remote crypto endpt.: 197.149.90.10

On both sides you have applied the crypto map on Tunnel0 and you have set the peer as the Internet-facing interface, so the VPN peer and the local VPN endpoint are mismatched. Please change the VPN peer IP to the remote end tunnel IP address, and then test it.

on 1941

crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.10.10.2

on 1841

crypto map VPN-MAP 10 ipsec-isakmp
set peer 10.10.10.1

Thanks, I have changed it as requested. This is what I get:

NGBSAPAPA#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
197.149.90.10   10.10.10.1      MM_NO_STATE          0 ACTIVE (deleted)
10.10.10.2      10.10.10.1      QM_IDLE           1001 ACTIVE
10.10.10.1      197.149.90.10   MM_SA_SETUP          0 ACTIVE
10.10.10.1      197.149.90.10   MM_NO_STATE          0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
NGBSAPAPA#sh crypto ipsec sa
interface: Tunnel0
    Crypto map tag: VPN-MAP, local addr 10.10.10.1
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.10.10.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 25, #recv errors 0
     local crypto endpt.: 10.10.10.1, remote crypto endpt.: 10.10.10.2
     plaintext mtu 1476, path mtu 1476, ip mtu 1476, ip mtu idb Tunnel0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:
NGBSAPAPA#

Have changed the IP on both the routers. Phase 2 is still not showing up.

Sir,

the attachment is the current configuration.

We have to verify why phase 2 is not coming up. Could you please run debug crypto ipsec on the router to see the logs of phase 2?

How can I debug?

And how can I copy the debugging result?

Thanks.

First of all, I would like to understand your requirement: you have a GRE tunnel and you have configured an IPsec tunnel. Do you want IPsec over GRE?

Sir,

What I want is to be able to establish a network between the two routers, 1941 and 1841.

Presently, from the local PC I can reach 10.10.10.x

but cannot reach 192.168.2.x from the 192.168.1.x PC and vice versa.

If you can send me the configuration, that will be okay; I will appreciate it.

Thanks.

semiu
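
Added example, not part of any post in this thread: a small Python parser for `show crypto ipsec sa` text that reports whether phase 2 SAs exist, using the fields visible in the output posted above (selectors, peer, packet counters, outbound SPI). The sample text is constructed from that output's shape, and the function names and finding messages are this example's own.

```python
import re

# Constructed sample, trimmed from the shape of the output posted in the thread.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.10.10.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 25, #recv errors 0
     current outbound spi: 0x0(0)
"""

PATTERNS = {
    "local": r"local\s+ident .*\((\d+\.\d+\.\d+\.\d+/[\d.]+)/",
    "remote": r"remote\s+ident .*\((\d+\.\d+\.\d+\.\d+/[\d.]+)/",
    "peer": r"current_peer (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "send_errors": r"#send errors (\d+)",
    "spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}
COUNTERS = {"encaps", "decaps", "send_errors"}

def parse_ipsec_sa(text):
    """Return one dict per selector pair (each 'local ident' line starts one)."""
    entries = []
    for line in text.splitlines():
        for key, pat in PATTERNS.items():
            m = re.search(pat, line)
            if not m:
                continue
            if key == "local":
                entries.append({})
            if entries:
                val = m.group(1)
                entries[-1][key] = int(val) if key in COUNTERS else val
    return entries

def diagnose(entry):
    """List the signs in one entry that no IPsec SA is carrying traffic."""
    findings = []
    if int(entry.get("spi", "0x0"), 16) == 0:
        findings.append("outbound SPI is 0: no IPsec (phase 2) SA installed")
    if entry.get("encaps", 0) == 0 and entry.get("send_errors", 0) > 0:
        findings.append("send errors with zero encaps: packets were not encrypted")
    return findings

if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(e["local"], "->", e["remote"], "via", e["peer"], diagnose(e))
```
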