IPSEC issue in Cisco IAD 2431

mukundh86 (Level 1)

Hello all,

I came across something when I was troubleshooting IPsec VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:

crypto map vpnmap 6 ipsec-isakmp
 description To_Grovecity
 set peer X.X.X.X
 set transform-set vpnset
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 description To_Datacenter
 set peer Y.Y.Y.Y
 set transform-set vpnset
 match address To_Datacenter
 qos pre-classify
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255

From this router's LAN interface (10.24.96.1), I couldn't ping the LAN interface of the router at the Grovecity peer (X.X.X.X). The LAN interface at Grovecity is 10.80.103.3.

As soon as I removed the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255", which was unnecessarily present in the To_Datacenter ACL, things started working.

What confuses me is that, since the crypto map vpnmap entry for Grovecity is at sequence 6 and comes before the entry for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL would never be considered, and it shouldn't matter whether that statement is present in the ACL or not, but apparently it does. Has anyone faced this before, or am I missing something?

Thanks

Mukundh

4 Replies

Hello Mukundh,

I hope you didn't have that unnecessary statement on the destination device, right?

regards

Harish

Hi Harish,

By destination device, do you mean Y.Y.Y.Y? If so, I am not sure, as I don't manage that device. But that device has been offline for the past few days. It was recently removed from production.

Yeah, because I have read somewhere that the Cisco-recommended way is to have exactly mirrored ACLs on the VPN peers. So I'm just wondering whether, when that unnecessary command was there in your configuration, it was not an exact mirror of the other end's ACL, which would have caused the issue.

regards

Harish.

Hi,

In order to successfully build an SA, the L2L peers need to exchange the exact same ACE (mirror images of each other) along with the other parameters like the transform-set, PFS group (if configured), etc.

Otherwise Phase II does not come up.

Thanks.

Portu.

Please rate any helpful posts.
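The replies above make two points: crypto-map entries are evaluated in ascending sequence order, and each L2L peer's crypto ACL must be the mirror image of the other's. As an added example (not code from the thread or from Cisco), here is a small Python checker that parses an IOS-style crypto map and ACL snippet, reproduces the lookup order, flags any ACE in a later entry whose traffic is already covered by an earlier entry (the duplicate 10.80.103.0/24 line the poster removed), and compares a local crypto ACL with the peer's. The config text is constructed from the poster's snippet with the thread's X.X.X.X / Y.Y.Y.Y placeholders kept; the Grovecity-side ACL `To_Hq` is an assumption, since the thread does not show the other router. Only contiguous wildcard masks and `permit ip` ACEs are handled.

```python
"""Added example: find overlapping crypto-map ACEs and non-mirrored peer ACLs in IOS-style config."""
import ipaddress
import re

# Constructed from the poster's snippet; X.X.X.X / Y.Y.Y.Y are the thread's own placeholders.
CONFIG = """\
crypto map vpnmap 6 ipsec-isakmp
 set peer X.X.X.X
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 match address To_Datacenter
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
"""

# Assumed Grovecity-side crypto ACL (not shown in the thread): the mirror of To_Grovecity.
GROVECITY_CONFIG = """\
ip access-list extended To_Hq
 permit ip 10.80.103.0 0.0.0.255 10.24.96.0 0.0.0.255
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
ACE_RE = re.compile(r"^permit ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into a network; only contiguous wildcards are handled."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # not of the form 2**n - 1, i.e. discontiguous
        raise ValueError(f"discontiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)


def parse_config(text):
    """Return ({map: {seq: {'peer', 'acl'}}}, {acl: [(src_net, dst_net), ...]})."""
    crypto_maps, acls, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CRYPTO_MAP_RE.match(line):
            entry = crypto_maps.setdefault(m[1], {}).setdefault(int(m[2]), {"peer": None, "acl": None})
            ctx = ("map", entry)
        elif m := ACL_RE.match(line):
            ctx = ("acl", acls.setdefault(m[1], []))
        elif ctx and ctx[0] == "map" and line.startswith("set peer "):
            ctx[1]["peer"] = line.split()[2]
        elif ctx and ctx[0] == "map" and line.startswith("match address "):
            ctx[1]["acl"] = line.split()[2]
        elif ctx and ctx[0] == "acl" and (m := ACE_RE.match(line)):
            ctx[1].append((wildcard_to_network(m[1], m[2]), wildcard_to_network(m[3], m[4])))
    return crypto_maps, acls


def select_entry(crypto_maps, acls, map_name, src_ip, dst_ip):
    """Crypto-map lookup order: entries are tried in ascending sequence, first ACL match wins."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for seq, entry in sorted(crypto_maps[map_name].items()):
        if any(s in src and d in dst for src, dst in acls.get(entry["acl"], [])):
            return seq
    return None


def find_shadowed_aces(crypto_maps, acls, map_name):
    """ACEs of a later entry whose flows overlap an ACE of an earlier entry of the same map.
    By lookup order those flows never reach the later entry, but the ACE is still part of that
    entry's crypto ACL (its proxy identities), so it is worth flagging before deployment."""
    findings, earlier = [], []
    for seq, entry in sorted(crypto_maps[map_name].items()):
        aces = acls.get(entry["acl"], [])
        for src, dst in aces:
            for eseq, esrc, edst in earlier:
                if src.overlaps(esrc) and dst.overlaps(edst):
                    findings.append({"seq": seq, "acl": entry["acl"], "src": str(src),
                                     "dst": str(dst), "shadowed_by": eseq})
                    break
        earlier.extend((seq, src, dst) for src, dst in aces)
    return findings


def mirror_mismatch(local_aces, remote_aces):
    """(missing_on_remote, extra_on_remote): the peer ACL with src/dst swapped must equal ours."""
    local = {(str(s), str(d)) for s, d in local_aces}
    remote = {(str(d), str(s)) for s, d in remote_aces}
    return sorted(local - remote), sorted(remote - local)


if __name__ == "__main__":
    cm, acls = parse_config(CONFIG)
    print("10.24.96.1 -> 10.80.103.3 hits seq", select_entry(cm, acls, "vpnmap", "10.24.96.1", "10.80.103.3"))
    for f in find_shadowed_aces(cm, acls, "vpnmap"):
        print(f"seq {f['seq']} ({f['acl']}): {f['src']} -> {f['dst']} already covered by seq {f['shadowed_by']}")
    print("Grovecity mirror:", mirror_mismatch(acls["To_Grovecity"], parse_config(GROVECITY_CONFIG)[1]["To_Hq"]))
```

Run against the constructed snippet it reports that 10.24.96.1 to 10.80.103.3 selects sequence 6, that the 10.80.103.0/24 ACE under sequence 10 is already covered by sequence 6, and that To_Grovecity is an exact mirror of the assumed To_Hq; feeding it To_Datacenter instead lists the five ACEs the Grovecity side would have no counterpart for.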
