09-02-2012 01:12 AM
Hi Experts,
We have given site-to-site VPN connectivity to our client. They are reporting that they are not able to access our network due to the VPN being down.
As I checked on my router it's showing up for Port 4500 & down for 500.
Below find the output
#sh crypto session remote 152.69.248.225
Crypto session current status
Interface: GigabitEthernet0/0/2
Session status: UP-ACTIVE
Peer: 152.69.248.225 port 4500
IKE SA: local 3.148.197.4/4500 remote 152.69.248.225/4500 Active
IPSEC FLOW: permit ip 3.148.197.0/255.255.255.0 host 170.69.246.2
Active SAs: 2, origin: crypto map
Interface: GigabitEthernet0/0/2
Session status: DOWN
Peer: 152.69.248.225 port 500
IPSEC FLOW: permit ip 3.110.96.0/255.255.255.0 host 152.69.246.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 3.110.97.0/255.255.255.0 host 152.69.246.2
Active SAs: 0, origin: crypto map
#sh crypto session remote 152.69.248.225 brief
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
152.69.248.225 Gi0/0/2 10.130.132.34 01:14:49 UA
Can anyone help me to understand the output.
For security purposes I have changed the IP addresses, so don't be confused by the IPs.
Also, please suggest any document which will clear up my VPN concepts.
Thanks in advance
Surya
09-02-2012 06:56 AM
Hi Surya,
Please check the below link with common L2L issue ex. It may not 100% address your issue but might help understanding the issue...
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Also, if you can post your device and remote end device config (if possible), that helps.
Thx
MS
09-02-2012 11:46 AM
Hello,
As MS suggested, we will need to check both devices' configurations to start troubleshooting this.
Regards,
Julio
09-03-2012 03:25 AM
Hi MS & Julio,
Thanks for looking at my issue. But unfortunately I can't post the remote side config as it's managed by the client & I do not have access.
I hope the link provided by MS will help me to understand the VPN issues.
Thanks,
Surya
09-03-2012 05:53 AM
Hi Surya,
Please paste the output of the following:
show cry isa sa
show cry ipsec sa peer (peer address)
This can very well tell us if the problem is on your end or on the remote end.
Shikhar Sharma
CCIE Security # 29741
Cisco TAC - VPN Team