IPSEC issue in Cisco IAD 2431


Hello all,

I came across something when I was troubleshooting IPSEC VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:

crypto map vpnmap 6 ipsec-isakmp
 description To_Grovecity
 set peer X.X.X.X
 set transform-set vpnset
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 description To_Datacenter
 set peer Y.Y.Y.Y
 set transform-set vpnset
 match address To_Datacenter
 qos pre-classify
ip access-list extended To_Grovecity
 permit ip
ip access-list extended To_Datacenter
 permit ip
 permit ip
 permit ip
 permit ip
 permit ip
 permit ip

From this router's LAN interface (, I couldn't ping the router's LAN interface corresponding to the Grovecity peer, which is x.x.x.x. The LAN interface at Grovecity is

As soon as I removed the statement "permit ip", which was unnecessarily present in the To_Datacenter ACL, things started working.

What confuses me is that since the crypto map vpnmap entry for Grovecity is at sequence 6 and comes before the vpnmap entry for Datacenter, the statement "permit ip" under the To_Datacenter ACL would never be considered, and it doesn't matter if that statement is present in the ACL or not, but apparently it does. Has anyone faced this before, or am I missing something?




Harish Balakrishnan

Hello Mukundh,

I hope you didn't have that unnecessary statement in the destination device, right?



Hi Harish,

By destination device, do you mean Y.Y.Y.Y? If so, I am not sure, as I don't manage that device. But that device has been offline for the past few days. It was recently removed from production.

Yeah.. because I have read somewhere that the Cisco recommended way is to do exactly mirrored ACLs in VPN peers. So I'm just wondering: when that unnecessary command was there in your configuration, it was not an exact mirror of the other end's ACL, which would have caused the issue.




In order to successfully build an SA, the L2L peers need to exchange the exact same ACEs (mirrors of each other) along with other parameters like the transform-set, PFS group (if configured)...

Otherwise Phase II does not come up.



Please rate any helpful posts.
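The mirroring requirement described in the replies above, and the original poster's question about an ACE that also appears under a lower-sequence crypto map entry, can both be checked offline. The following script is an added example, not code from the thread or from Cisco: it parses `permit ip` ACEs, reports local ACEs whose mirror image is missing from the remote peer's crypto ACL, and reports ACEs in a later crypto map entry that are already covered by an earlier one. The prefixes are constructed, since the thread's real addresses were not posted.

```python
# Added example (not from the thread): mirror check and shadowing check for
# Cisco crypto ACLs. Only 'permit ip SRC DST' ACEs with 'any', 'host A' or
# 'A WILDCARD' address specs are handled; contiguous wildcards are assumed.
import ipaddress

def _net(tokens):
    """Consume one address spec from tokens and return an ip_network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    if wildcard & (wildcard + 1):          # low bits must be contiguous ones
        raise ValueError(f"non-contiguous wildcard: {tok}")
    return ipaddress.ip_network(f"{tok}/{32 - wildcard.bit_length()}", strict=False)

def parse_ace(line):
    """'permit ip SRC DST' -> (src_net, dst_net)."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line!r}")
    rest = tokens[2:]
    return (_net(rest), _net(rest))

def check_mirror(local_acl, remote_acl):
    """Local ACEs whose mirror (dst, src) is absent from the remote crypto ACL."""
    remote = {parse_ace(l) for l in remote_acl}
    return [l for l in local_acl if parse_ace(l)[::-1] not in remote]

def shadowed(crypto_map):
    """crypto_map: list of (sequence, acl_lines). Return (seq, ace, earlier_seq)
    for ACEs fully covered by an ACE in a lower-sequence crypto map entry."""
    earlier, hits = [], []
    for seq, acl in sorted(crypto_map):
        aces = [parse_ace(l) for l in acl]
        for line, (src, dst) in zip(acl, aces):
            for prev_seq, (psrc, pdst) in earlier:
                if src.subnet_of(psrc) and dst.subnet_of(pdst):
                    hits.append((seq, line.strip(), prev_seq))
                    break
        earlier.extend((seq, a) for a in aces)
    return hits

# Constructed sample modelled on the thread's layout (assumed prefixes).
LOCAL_TO_GROVECITY = ["permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]
GROVECITY_TO_LOCAL = ["permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255"]
LOCAL_TO_DATACENTER = ["permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255",
                       "permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255"]  # stray ACE
CRYPTO_MAP = [(6, LOCAL_TO_GROVECITY), (10, LOCAL_TO_DATACENTER)]
```

Running `shadowed(CRYPTO_MAP)` on the constructed data flags the stray Grovecity ACE under sequence 10 as already covered by sequence 6, and `check_mirror` confirms the Grovecity pair is mirrored while the Datacenter ACL is not.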
