01-08-2010 05:38 AM - edited 02-21-2020 04:26 PM
Hi everybody,
I have a problem with my IPsec phase 2 connection: phase 1 is active but phase 2 is not. Below is the output of some commands like sh crypto session detail and sh crypto isakmp sa; please help me troubleshoot this problem.
router#sh crypto session
Interface: FastEthernet0/0
Session status: UP-IDLE
Peer: 81.192.103.150 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 81.192.103.150
Desc: (none)
IKE SA: local 41.205.80.45/500 remote 81.192.103.150/500 Active
Capabilities:(none) connid:1 lifetime:23:59:48
IPSEC FLOW: permit ip 192.168.6.0/255.255.255.0 192.20.2.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 75 life (KB/Sec) 0/0
router#sh crypto isakmp sa
dst src state conn-id slot status
81.192.100.50 41.200.90.45 MM_SA_SETUP 1 0 ACTIVE
router#sh crypto isakmp sa
dst src state conn-id slot status
81.192.100.50 41.200.90.45 QM_IDLE 1 0 ACTIVE
01-08-2010 05:43 AM
Can you do the following?
show cry isa sa
In the output above you will see the conn id for the SA
clear cry isa
term mon
debug cry isa
debug cry ipsec
Run the debugs so we can see what is being passed. Also, do you have the configs for both end devices? Was this tunnel ever working? Make sure the transform-set and match ACL match on both ends.
01-08-2010 07:31 AM
01-08-2010 07:49 AM
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
description tunel-to-M2M
set peer xxx.xxx.xxx.xxx
set transform-set vpn
match address 118
Your config appears to have an issue. You are referencing transform set VPN when you have VPN1 configured. Make the following changes.
crypto map vpnregeo 50 ipsec-isakmp
no set transform-set vpn
set transform-set vpn1
Try again and see if this works.
Thanks,
Joe
01-08-2010 08:39 AM
Thanks,
I have tried what you asked me to do, but the problem remains.
01-08-2010 08:41 AM
Excuse me Joe
if the peer router is not a CISCO router, do I have a particular thing to do in my CISCO router?
01-08-2010 09:02 AM
Sorry,
The TSet in your config reads
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
should be
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
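The two mistakes Joe found (a crypto map pointing at a transform set that was never defined, and a transform set proposing AH where the peer only speaks ESP) are the kind of thing a quick config check catches before a debug session. Below is an added example of such a check, not code from the original post or from Cisco: it parses the crypto-map and transform-set lines of an IOS-style config, reports crypto map entries whose transform set is undefined, and compares each transform set against what the remote end proposes. The config fragments are constructed from the snippet in the thread, and the peer's proposal (ESP with 3DES and HMAC-MD5, no AH) is an assumption consistent with the configuration that ended up working.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the crypto lines follow the snippet posted in the thread;
# the ACL number and the x'd-out peer address are kept as placeholders.
BROKEN_CONFIG = """\
crypto ipsec transform-set vpn1 esp-3des ah-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn
 match address 118
"""

# The same fragment after both corrections from the thread.
FIXED_CONFIG = """\
crypto ipsec transform-set vpn1 esp-3des esp-md5-hmac
!
crypto map vpnregeo 50 ipsec-isakmp
 description tunel-to-M2M
 set peer xxx.xxx.xxx.xxx
 set transform-set vpn1
 match address 118
"""

# Assumption: the non-Cisco peer proposes ESP with 3DES and HMAC-MD5 and no AH,
# which is what the thread's working configuration matches.
PEER_PROPOSAL = frozenset({"esp-3des", "esp-md5-hmac"})


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    transform_sets: list = field(default_factory=list)
    peer: str = None
    match_acl: str = None


def parse_crypto_config(text):
    """Return ({transform_set_name: frozenset(transforms)}, [CryptoMapEntry])."""
    tsets = {}
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":  # IOS section separator ends the current map entry
            current = None
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            tsets[m.group(1)] = frozenset(m.group(2).split())
            current = None
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", line)
        if m:
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
            continue
        if current is None:
            continue  # global line this checker does not care about
        m = re.match(r"set transform-set (.+)$", line)
        if m:
            current.transform_sets.extend(m.group(1).split())
            continue
        m = re.match(r"set peer (\S+)$", line)
        if m:
            current.peer = m.group(1)
            continue
        m = re.match(r"match address (\S+)$", line)
        if m:
            current.match_acl = m.group(1)
    return tsets, entries


def find_problems(text, peer_proposal=PEER_PROPOSAL):
    """Return a list of findings; an empty list means phase 2 is at least negotiable."""
    tsets, entries = parse_crypto_config(text)
    findings = []
    for e in entries:
        if not e.transform_sets:
            findings.append(f"crypto map {e.name} {e.seq}: no transform-set configured")
        for name in e.transform_sets:
            if name not in tsets:  # the 'vpn' vs 'vpn1' mistake from the thread
                findings.append(
                    f"crypto map {e.name} {e.seq}: transform-set '{name}' is not defined "
                    f"(defined: {', '.join(sorted(tsets)) or 'none'})")
        if e.match_acl is None:
            findings.append(f"crypto map {e.name} {e.seq}: no 'match address' ACL")
    for name, transforms in tsets.items():
        ah = sorted(t for t in transforms if t.startswith("ah-"))
        if ah and not any(t.startswith("ah-") for t in peer_proposal):
            findings.append(f"transform-set {name}: uses AH ({', '.join(ah)}) but peer offers ESP only")
        if transforms != peer_proposal:  # phase 2 proposal must match exactly
            findings.append(
                f"transform-set {name}: {' '.join(sorted(transforms))} does not match peer proposal "
                f"{' '.join(sorted(peer_proposal))}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {find_problems(cfg) or 'no problems found'}")
```

Run against the broken fragment it reports the undefined transform set and the AH/ESP mismatch; against the corrected fragment it reports nothing. Lifetimes, which the original poster also had to align with the peer, are not covered here because the thread does not show the values.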
01-08-2010 09:44 AM
THANK YOU very much Joe
That was the mistake, but note that the peer router is not a CISCO router; I have also set the lifetime for the two phases as it is set in the peer router, and the two phases are up now.
Thanks to CISCO for such a platform.
01-08-2010 09:54 AM
Excellent! No problem glad I could help.