HSRP IPSec VPN Phase 1 issues

Wan_Whisperer
Level 1

I have HSRP set up, and I have an IPsec VPN set up on a subinterface. When I issue a show crypto isakmp sa, nothing shows up.

Here are my configs:

crypto isakmp policy 1
encr aes 256
hash md5
authentication pre-share
group 2

crypto isakmp key XXX address XXX.XXX.40.68

crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel

crypto map v-test 1 ipsec-isakmp
description V-Test
set peer XXX.XXX.40.68
set transform-set myset
set pfs group2
match address 130
reverse-route

interface GigabitEthernet0/0/0.100
description XXX
encapsulation dot1Q 100
ip address XXX.XXX.100.2 255.255.255.0
standby 100 ip XXX.XXX.100.1
standby 100 timers msec 200 msec 650
standby 100 priority 150
standby 100 preempt delay reload 99
standby 100 name Vlan100
standby 100 track 1 decrement 60
cdp enable
crypto map v-test redundancy Vlan100

access-list 130 permit ip host XXX.XXX.100.6 XXX.XXX.40.32 0.0.0.31

---Pinging from vlan 100---
#ping XXX.XXX.40.68
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to XXX.XXX.40.68, timeout is 2 seconds:
!!!!!
# sho crypto ipsec sa | beg interface: GigabitEthernet0/0/0.100

interface: GigabitEthernet0/0/0.100
Crypto map tag: v-test, local addr XXX.XXX.100.1

protected vrf: (none)
local ident (addr/mask/prot/port): (XXX.XXX.100.6/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (XXX.XXX.40.32/255.255.255.224/0/0)
current_peer XXX.XXX.40.68 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: XXX.XXX.100.1, remote crypto endpt.: XXX.XXX.40.68
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0.100
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none


Doing a traceroute from XXX.XXX.100.6, it hits the physical IP of XXX.XXX.100.2 and goes to the next hop instead of hitting the crypto map and getting encapsulated, because Phase 1 is not starting.

When I issue debug crypto isakmp, nothing happens. I also added an access list on my edge device logging all traffic in and out to XXX.XXX.40.68, and I get zero hits.


After all my troubleshooting, I think that the traffic is not hitting my crypto map for some reason.

Please help!

PS: is there a way to source a ping from the virtual IP?
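The symptoms in the post (zero encaps/decaps counters, no ISAKMP SA, no debug output, no hits on the edge ACL) are all consistent with no packet ever being selected by the crypto map's "match address" ACL, since IKE Phase 1 is only triggered by interesting traffic. The script below is an added example, not part of the original post or any Cisco tool: it evaluates candidate flows against a crypto ACL using Cisco wildcard-mask semantics (a set bit in the wildcard means "don't care", first match wins, implicit deny at the end). The redacted addresses are replaced with assumed documentation-range placeholders (192.0.2.6 for the protected host, 198.51.100.32 0.0.0.31 for the remote subnet, 198.51.100.68 for the peer); only the shape of access-list 130 is taken from the post. Note what it shows for the posted ACL: "40.32 0.0.0.31" covers .40.32 through .40.63, so a ping from the router to the peer at .40.68 (wrong source, destination outside the /27) is never interesting traffic and cannot bring up the tunnel, however successful it is; only traffic from the protected host to an address inside the /27 can.

```python
"""Offline check: does a given flow match a Cisco crypto ACL (wildcard masks)?

Constructed example, not from the original post. The redacted addresses
(XXX.XXX.100.6, XXX.XXX.40.32 0.0.0.31, XXX.XXX.40.68) are replaced with
documentation ranges (192.0.2.x / 198.51.100.x); only the ACE shape is real.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Ace(NamedTuple):
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", ...; "ip" matches any protocol
    src: int
    src_wild: int    # Cisco wildcard: a set bit means "don't care"
    dst: int
    dst_wild: int


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i].
    Returns (base, wildcard, index of the next unparsed token)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _ip(tokens[i + 1]), 0, i + 2
    return _ip(tokens[i]), _ip(tokens[i + 1]), i + 2


def parse_ace(line: str) -> Ace:
    """Parse one extended ACE of the form
    'access-list <n> <permit|deny> <proto> <src-spec> <dst-spec>'.
    Port qualifiers (eq/range/...) are not handled; crypto ACLs rarely use them."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"unsupported ACE: {line!r}")
    action, proto = t[2], t[3]
    src, src_wild, i = _parse_addr(t, 4)
    dst, dst_wild, _ = _parse_addr(t, i)
    return Ace(action, proto, src, src_wild, dst, dst_wild)


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # Every bit that is 0 in the wildcard must be identical in addr and base.
    return ((addr ^ base) & ~wild & 0xFFFFFFFF) == 0


def ace_matches(ace: Ace, src: str, dst: str, proto: str = "ip") -> bool:
    proto_ok = ace.proto == "ip" or ace.proto == proto
    return (proto_ok
            and _wild_match(_ip(src), ace.src, ace.src_wild)
            and _wild_match(_ip(dst), ace.dst, ace.dst_wild))


def is_interesting(acl: List[Ace], src: str, dst: str, proto: str = "ip") -> bool:
    """First-match semantics with the implicit deny at the end, as IOS applies it.
    True means the flow is selected by 'match address' and would trigger IKE."""
    for ace in acl:
        if ace_matches(ace, src, dst, proto):
            return ace.action == "permit"
    return False


# Constructed stand-in for the posted access-list 130 (addresses are placeholders).
CRYPTO_ACL = [parse_ace("access-list 130 permit ip host 192.0.2.6 198.51.100.32 0.0.0.31")]

# Constructed flows to check:
#   protected host -> address inside the remote /27 : interesting
#   router's own ping -> peer address               : wrong source, not interesting
#   protected host -> peer address itself           : .68 is outside .32-.63, not interesting
FLOWS = [
    ("192.0.2.6", "198.51.100.40"),
    ("192.0.2.1", "198.51.100.68"),
    ("192.0.2.6", "198.51.100.68"),
]


def check_flows(acl: List[Ace], flows) -> dict:
    """Map 'src->dst' to whether the flow would be encrypted by the crypto map."""
    return {f"{s}->{d}": is_interesting(acl, s, d) for s, d in flows}


if __name__ == "__main__":
    for flow, hit in check_flows(CRYPTO_ACL, FLOWS).items():
        print(f"{flow:32} {'interesting' if hit else 'NOT interesting'}")
```

To use it against a real box, paste the device's own crypto ACL lines into parse_ace and the source/destination of the traffic that is supposed to be encrypted; if is_interesting returns False for that flow, the crypto map is behaving as configured and the ACL (or the traffic's actual source address) is what needs attention before looking at IKE itself.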