L2L VPN NAT Problem-Dup Networks-HELP!!

toddmanger
Level 1

I am running an IOS router as an L2L VPN device to connect my location to multiple different customer locations, some of whom utilize the same internal IP addresses.  These VPNs have been working fine.

I recently added another customer to this system and I am now having a problem with the newest setup.  With this setup, I have to NAT my internal addresses.  NAT functions correctly, but it NATs my addresses to the wrong NAT pool and therefore won't generate the tunnel.

My internal ip 10.10.x.x

Incorrect NAT pool 10.129.x.x

Correct NAT pool  10.99.x.x

Help....:)

Thanks


Eugene Khabarov
Level 7

Please show your configuration here. It is hard to isolate the problem without it.

---

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer."

Hi Eugene,

I didn't post a sanitized config as I hoped someone might recognize the issue and I didn't want to sanitize out the potential problem.

I will work on posting the config, but the problem has changed somewhat and leads me to believe it is an ACL issue.

When I change the name of the ACL for the newest customer to a name that (alphabetically) appears before the ACL that ultimately assigns me an address from that customer's pool, I am able to create the tunnel for the new customer and get to their hosts.  However, this is at the cost of the other customer's tunnel.  I cannot get to both.

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp policy 3

encr aes 256

authentication pre-share

group 2

lifetime 28800

!

crypto isakmp policy 4

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 5

encr aes 256

authentication pre-share

group 2

crypto isakmp key xxxxxxx address 216.xxxxxxx

crypto isakmp key xxxxxxx address 199.xxxxxxx

crypto isakmp key xxxxxxx address 99.xxxxxxx

crypto isakmp key xxxxxxx address 207.xxxxxxx

crypto isakmp key xxxxxxx address 170.xxxxxxx1

crypto isakmp keepalive 10

!

crypto ipsec security-association lifetime seconds 86400

!

crypto ipsec transform-set ME esp-3des esp-sha-hmac

crypto ipsec transform-set CB esp-3des esp-md5-hmac

crypto ipsec transform-set CI esp-aes 256 esp-sha-hmac

crypto ipsec transform-set SE esp-3des esp-sha-hmac

crypto ipsec transform-set SA esp-aes 256 esp-sha-hmac

!

crypto map VPN 1 ipsec-isakmp

set peer 199.xxxxxxx

set transform-set ME

match address ME-CRYPTO-ACL

crypto map VPN 2 ipsec-isakmp

set peer 216.xxxxxxx

set transform-set CB

match address CB-CRYPTO-ACL

crypto map VPN 3 ipsec-isakmp

set peer 99.xxxxxxx

set security-association lifetime seconds 28800

set transform-set CI

match address CI-CRYPTO-ACL

crypto map VPN 4 ipsec-isakmp

set peer 207.xxxxxxx

set transform-set SE

match address SE-CRYPTO-ACL

crypto map VPN 5 ipsec-isakmp

set peer 170.xxxxxxx

set transform-set SA

match address SA-CRYPTO-ACL

!

!

interface FastEthernet0/0

description INSIDE LAN INTERFACE

ip address 10.10.xxx 255.xxxx

ip nat inside

ip virtual-reassembly

duplex full

speed 100

!

interface FastEthernet0/1

ip address 173.210.xxxx 255.xxxx

ip nat outside

ip virtual-reassembly

duplex full

speed 100

crypto map VPN

!

!

ip route 0.0.0.0 0.0.0.0 173.210.xxxxx

!

!

ip nat pool MED 10.129.x.x 10.129.x.x netmask xxxxxxx.255.0

ip nat pool PUBLIC 173.210.x.x 173.210.x.x netmask 255.255.x.x

ip nat pool STF 10.96.x.x 10.96.x.x netmask 255.255.x.x

ip nat inside source route-map ME pool MED

ip nat inside source route-map SA pool STF

ip nat inside source route-map nonat pool PUBLIC overload

!

ip access-list extended CB-CRYPTO-ACL

permit ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63

ip access-list extended CB-NAT-ACL

deny   ip 10.96.21.0 xxxxxxx.255 host 10.99.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255

deny   ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63

deny   ip 10.129.40.0 xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63

permit ip 10.10.xxxxxxx xxxxxxx.255 any

ip access-list extended CI-CRYPTO-ACL

permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

permit ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

ip access-list extended CI-NAT-ACL

deny   ip 10.10.xxxxxxx xxxxxxx255 10.2.xxxxxxx xxxxxxx.255

deny   ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

permit ip 10.10.xxxxxxx xxxxxxx.255 any

ip access-list extended ME-CRYPTO-ACL

permit ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx

ip access-list extended ME-NAT-ACL

deny   ip 10.96.21.0 xxxxxxx.255 host 10.99.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 any

ip access-list extended SA-CRYPTO-ACL

permit ip 10.96.21.0 xxxxxxx.255 host 10.99.2.95

ip access-list extended SA-NAT-ACL

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.0.63

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.13xxxxxxx

permit ip 10.10.xxxxxxx xxxxxxx.255 any

ip access-list extended SE-CRYPTO-ACL

permit ip 10.10.xxxxxxx xxxxxxx.255 10.2.xxxxxxx xxxxxxx.3.255

ip access-list extended SE-NAT-ACL

!

!

route-map SA permit 10

match ip address SA-NAT-ACL

!

route-map CI permit 10

match ip address CI-NAT-ACL

!

route-map ME permit 10

match ip address ME-NAT-ACL

!

route-map SE permit 10

match ip address SE-NAT-ACL

!

route-map nonat permit 10

match ip address CB-NAT-ACL

You sanitized your configs very well :) But I don't understand why you need to do this, since you have RFC1918 addresses. Can you please post your ACL configuration without xxxxxx? It is very hard to check it.

Second question:

Why do you need this configuration:

route-map SE permit 10

match ip address SE-NAT-ACL

route-map CI permit 10

match ip address CI-NAT-ACL

ip access-list extended CI-NAT-ACL

deny   ip 10.10.xxxxxxx xxxxxxx255 10.2.xxxxxxx xxxxxxx.255

deny   ip 10.129.xxxxxxx xxxxxxx.255 host 10.10.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 172.23.xxxxxxx xxxxxxx.63

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.209.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 host 10.208.xxxxxxx

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

deny   ip 10.10.xxxxxxx xxxxxxx.255 10.208.xxxxxxx xxxxxxx.255

permit ip 10.10.xxxxxxx xxxxxxx.255 any

ip access-list extended SE-NAT-ACL

it is never used.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

I sanitized the configs that well because these tunnels connect to customers.  Thank you for the heads-up on the route maps.  They are ghosts from an earlier config.

ip access-list extended CB-CRYPTO-ACL

permit ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63

ip access-list extended CB-NAT-ACL

deny   ip 10.96.21.0 0.0.0.255 host 10.99.2.95

deny   ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255

deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63

deny   ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 host 10.208.4.160

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.95

deny   ip 10.10.10.0 0.0.0.255 host 10.209.1.3

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.100

deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63

deny   ip 10.129.40.0 0.0.0.255 172.23.1.0 0.0.0.63

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended CIMC-CRYPTO-ACL

permit ip 10.10.10.0 0.0.0.255 host 10.208.1.100

permit ip 10.10.10.0 0.0.0.255 host 10.209.1.3

permit ip 10.10.10.0 0.0.0.255 host 10.208.1.95

permit ip 10.10.10.0 0.0.0.255 host 10.208.4.160

permit ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255

ip access-list extended CI-NAT-ACL

deny   ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255

deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63

deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.100

deny   ip 10.10.10.0 0.0.0.255 host 10.209.1.3

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.95

deny   ip 10.10.10.0 0.0.0.255 host 10.208.4.160

deny   ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended ME-CRYPTO-ACL

permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63

ip access-list extended ME-NAT-ACL

deny   ip 10.96.21.0 0.0.0.255 host 10.99.2.95

deny   ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255

deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63

deny   ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 host 10.208.4.160

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.95

deny   ip 10.10.10.0 0.0.0.255 host 10.209.1.3

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.100

deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended SA-CRYPTO-ACL

permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95

ip access-list extended SA-NAT-ACL

deny   ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255

deny   ip 10.10.10.0 0.0.0.255 172.23.1.0 0.0.0.63

deny   ip 10.10.10.0 0.0.0.255 10.208.5.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 10.208.2.0 0.0.0.255

deny   ip 10.10.10.0 0.0.0.255 host 10.208.4.160

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.95

deny   ip 10.10.10.0 0.0.0.255 host 10.209.1.3

deny   ip 10.10.10.0 0.0.0.255 host 10.208.1.100

deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended SE-CRYPTO-ACL

permit ip 10.10.10.0 0.0.0.255 10.2.0.0 0.0.3.255

ip access-list extended SE-NAT-ACL

!

!

route-map SA permit 10

match ip address SA-NAT-ACL

!

route-map ME permit 10

match ip address ME-NAT-ACL

!

route-map nonat permit 10

match ip address CB

Who is the "new customer"? ME, SA or SE? If it is ME, then the correct NAT pool is 10.129.x.x, since you have in your configuration:

ip nat pool MED 10.129.x.x 10.129.x.x netmask xxxxxxx.255.0

ip nat inside source route-map ME pool MED

If I understand you right, you have two customers, ME and SA, with two identical address spaces. How is your routing performed? Can you please provide me with:

"show ip route", "sh run | sec route", "show ip nat translations | 10.129", "show ip nat translations | 10.99", "sh ip nat statistics"

A full configuration can also be helpful.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

SA is the new customer.  ME functions correctly.  The issue is that all NAT attempts for SA show the packets being NAT'd to the ME pool addresses.

The address spaces are not identical, but both are from the same network class (10.96.x.x vs 10.129.x.x).

Routing is not an issue as all traffic from this router is sent to a border router to leave the network.

Here is sh run | sec route output:

ip route 0.0.0.0 0.0.0.0 173.210.58.193

ip nat inside source route-map MEDSOLUTIONS pool MEDSOL

ip nat inside source route-map nonat pool PUBLIC overload

route-map SAINTFRANCIS permit 10

match ip address SAINTFRANCIS-NAT-ACL

route-map MEDSOLUTIONS permit 10

match ip address MEDSOL-NAT-ACL

route-map nonat permit 10

match ip address CBTS-NAT-ACL

sh ip nat translations | begin 10.129

tcp 10.129.40.2:56088  10.10.10.68:56088  10.10.131.63:3389  10.10.131.63:3389

tcp 10.129.40.3:2552   10.10.10.71:2552   10.10.131.63:3389  10.10.131.63:3389

icmp 10.129.40.7:768   10.10.10.90:768    10.99.2.95:768     10.99.2.95:768  --this line is issue-needs to be 10.96.21.x:768

sh ip nat statistics

Total active translations: 3 (0 static, 3 dynamic; 3 extended)

Outside interfaces:

  FastEthernet0/1

Inside interfaces:

  FastEthernet0/0

Hits: 826204  Misses: 117

CEF Translated packets: 826320, CEF Punted packets: 0

Expired translations: 96

Dynamic mappings:

-- Inside Source

[Id: 1] route-map MEDSOLUTIONS pool MEDSOL refcount 3

pool MEDSOL: netmask 255.255.255.0

        start 10.129.40.1 end 10.129.40.254

        type generic, total addresses 254, allocated 3 (1%), misses 0

[Id: 2] route-map nonat pool PUBLIC refcount 0

pool PUBLIC: netmask 255.255.255.252

        start 173.210.58.198 end 173.210.58.198

        type generic, total addresses 1, allocated 0 (0%), misses 0

Queued Packets: 0

As I can see from the "show ip nat statistics" output, there is no reference to the STF pool at all. The "sh run | sec route" output confirms the same. Where are the commands?

ip nat pool STF 10.96.x.x 10.96.x.x netmask 255.255.x.x

ip nat inside source route-map SAINTFRANCIS pool STF overload

Please add it and show me output of mentioned commands again. Thank you.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

Total active translations: 5 (0 static, 5 dynamic; 5 extended)

Outside interfaces:

  FastEthernet0/1

Inside interfaces:

  FastEthernet0/0

Hits: 842573  Misses: 119

CEF Translated packets: 842691, CEF Punted packets: 0

Expired translations: 96

Dynamic mappings:

-- Inside Source

[Id: 1] route-map MEDSOLUTIONS pool MEDSOL refcount 5

pool MEDSOL: netmask 255.255.255.0

        start 10.129.40.1 end 10.129.40.254

        type generic, total addresses 254, allocated 5 (1%), misses 0

[Id: 7] route-map SAINTFRANCIS pool STFRANCIS refcount 0

pool STFRANCIS: netmask 255.255.255.0

        start 10.96.21.1 end 10.96.21.254

        type generic, total addresses 254, allocated 0 (0%), misses 0

[Id: 2] route-map nonat pool PUBLIC refcount 0

pool PUBLIC: netmask 255.255.255.252

        start 173.210.58.198 end 173.210.58.198

        type generic, total addresses 1, allocated 0 (0%), misses 0

Queued Packets: 0

tcp 10.129.40.2:56088  10.10.10.68:56088  10.10.131.63:3389  10.10.131.63:3389

tcp 10.129.40.7:3968   10.10.10.69:3968   10.10.131.63:3389  10.10.131.63:3389

tcp 10.129.40.3:2552   10.10.10.71:2552   10.10.131.63:3389  10.10.131.63:3389

icmp 10.129.40.6:768   10.10.10.90:768    10.99.2.95:768     10.99.2.95:768

tcp 10.129.40.1:2126   10.10.10.102:2126  10.10.131.63:3389  10.10.131.63:3389

ip route 0.0.0.0 0.0.0.0 173.210.58.193

ip nat inside source route-map MEDSOLUTIONS pool MEDSOL

ip nat inside source route-map SAINTFRANCIS pool STFRANCIS

ip nat inside source route-map nonat pool PUBLIC overload

route-map SAINTFRANCIS permit 10

match ip address SAINTFRANCIS-NAT-ACL

route-map MEDSOLUTIONS permit 10

match ip address MEDSOL-NAT-ACL

route-map nonat permit 10

match ip address CBTS-NAT-ACL

The problem is simple. You have almost identical ACLs for both customers. Since the first NAT rule was added earlier, only it is triggered. To resolve this problem you need to explicitly define the destination host/subnet to be matched instead of the 'any' keyword.

For example like this:

ip access-list extended ME-CRYPTO-ACL

  permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63

ip access-list extended ME-NAT-ACL

  permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

ip access-list extended SA-CRYPTO-ACL

  permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95

ip access-list extended SA-NAT-ACL

  permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95

Another solution is more complicated and harder to understand (and explain): you can use Virtual-Templates with tunnel protection for each customer, VRFs, and NAT for common services.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

I changed the NAT ACL's to the following:

ip access-list extended ME-CRYPTO-ACL

permit ip 10.129.40.0 0.0.0.255 host 10.10.131.63

ip access-list extended ME-NAT-ACL

deny   ip 10.129.40.0 0.0.0.255 host 10.10.131.63

permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63

ip access-list extended SA-CRYPTO-ACL

permit ip 10.96.21.0 0.0.0.255 host 10.99.2.95

ip access-list extended SA-NAT-ACL

deny   ip 10.96.21.0 0.0.0.255 host 10.99.2.95

permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95

I am now able to get the correct NAT address from the correct pool, however I am still not able to generate the tunnel.

Ok, that's better. What do you mean "I am still not able to generate the tunnel"?

BTW, deny statements in the NAT ACLs are not required, except for CB-NAT-ACL. There you can explicitly deny the RFC1918 class A address space:

deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255

deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255

permit ip 10.10.10.0 0.0.0.255 any

Also, I think the statement "ip nat inside source route-map nonat pool PUBLIC overload" should be added after all other statements (delete it and apply it again).

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"
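The Python model below is an added illustration, not code from this thread or from Cisco. It reproduces the first-match behaviour behind Eugene's accepted diagnosis (the dynamic mappings listed in order under "show ip nat statistics", each gated by its route-map ACL, so a NAT ACL ending in "any" lets the first customer's mapping claim flows bound for the second customer) and also models his later suggestion of RFC1918 deny entries in the nonat ACL. Pool names and the two customer flows are taken from the outputs posted above; the mapping order, the ACL texts, and the internet-side address 203.0.113.10 are constructed assumptions.

```python
import ipaddress

# Constructed model of IOS extended-ACL matching and dynamic NAT mapping
# selection; pool names follow the thread's output. Not Cisco code.

def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & care) == (b & care)

def take_addr(toks):
    """Consume one ACL address spec: 'any', 'host X', or 'X WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]

def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.strip().splitlines():
        toks = line.split()
        if not toks or toks[0] not in ("permit", "deny"):
            continue
        src, rest = take_addr(toks[2:])   # toks[1] is the protocol ('ip')
        dst, _ = take_addr(rest)
        entries.append((toks[0], src, dst))
    return entries

def acl_permits(entries, src, dst):
    """First matching entry decides; no match is an implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def select_nat_pool(mappings, src, dst):
    """Dynamic 'ip nat inside source route-map' mappings are tried in order;
    the first route-map whose ACL permits the flow owns the translation."""
    for pool, entries in mappings:
        if acl_permits(entries, src, dst):
            return pool
    return None   # no mapping matched: the packet leaves untranslated

# Before the fix: both NAT ACLs end in '... any', so MEDSOL (listed first)
# also captures SA's traffic, as the icmp line to 10.99.2.95 showed.
BROKEN = [
    ("MEDSOL", parse_acl("permit ip 10.10.10.0 0.0.0.255 any")),
    ("STFRANCIS", parse_acl("permit ip 10.10.10.0 0.0.0.255 any")),
]

# After the fix: each NAT ACL names its customer's destination, and the
# nonat map (PUBLIC overload) excludes RFC1918 destinations as suggested.
FIXED = [
    ("MEDSOL", parse_acl("permit ip 10.10.10.0 0.0.0.255 host 10.10.131.63")),
    ("STFRANCIS", parse_acl("permit ip 10.10.10.0 0.0.0.255 host 10.99.2.95")),
    ("PUBLIC", parse_acl("""
        deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
        deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
        deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
        permit ip 10.10.10.0 0.0.0.255 any""")),
]
```

Calling select_nat_pool(BROKEN, "10.10.10.90", "10.99.2.95") returns "MEDSOL", the wrong pool seen in the posted translation table; with FIXED the same flow returns "STFRANCIS", and a flow to another 10.x destination returns None instead of being pulled into the PUBLIC overload map.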

I am currently seeing MM_SA_Setup tunnel state when I ping the host.  However, I just found out that my customer has the wrong peer address on his side, so that could be the reason.  I have asked him to correct the peer address and I will re-test.

Sorry for the delay and thank you for the help.

You can also check whether the crypto ACL is matched with "show ip access-list". If the counters are incrementing, then it is an IPsec-related problem only.

toddmanger wrote:

Sorry for the delay and thank you for the help.


No problem. You can rate my posts if they were helpful; that will be the best thanks ;-)