07-22-2010 02:46 AM - edited 02-21-2020 04:45 PM
Hi,
We are trying to establish a VPN between a Cisco 2811 router (Version 12.4(13r)T) and a PIX 515E (7.01 and 7.23).
We are able to get the VPN status UP, but we are unable to ping the IP (encrypt the IP on the router side).
IPv4 Crypto ISAKMP SA
dst src state conn-id status
XX.XX.202.161 XXX.XX.37.10 QM_IDLE 1023 ACTIVE
Sh cry ipsec sa on Router side :
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
current_peer XXX.XX.37.10 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: XXX.XXX.202.161, remote crypto endpt.: XXX.XXX.37.10
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x4D0B702(80787202)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x3861D560(945935712)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: NETGX:15, sibling_flags 80000046, crypto map: StoS-VPN
sa timing: remaining key lifetime (k/sec): (4438146/704)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x4D0B702(80787202)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: NETGX:16, sibling_flags 80000046, crypto map: StoS-VPN
sa timing: remaining key lifetime (k/sec): (4438204/704)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
Kindly suggest what might be the issue.
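The counters in the router-side output above are the key diagnostic: the SA is ACTIVE and #pkts decaps/decrypt is climbing (1764), while #pkts encaps/encrypt stays at 0. That means the router is decrypting traffic sent by the PIX but has never selected a single packet for encryption itself, so the problem sits in the router's outbound path (traffic not matching the crypto ACL, or not being routed out the crypto-mapped interface), not in tunnel negotiation. The following is an added example, not code from the original post or from Cisco: a small Python parser that pulls the proxy identities and packet counters out of a "show crypto ipsec sa" entry, classifies the counter pattern, and checks whether a test ping's source/destination pair even falls inside the SA's local/remote identities. The sample output is constructed to mirror the post (the peer address 203.0.113.10 is a placeholder); the function names are my own.

```python
import re
import ipaddress

# Constructed sample: a trimmed "show crypto ipsec sa" entry shaped like the
# router-side output in the post. The peer address is a documentation placeholder.
SAMPLE_SA = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
    #send errors 0, #recv errors 0
"""

# "local ident (addr/mask/prot/port): (net/mask/prot/port)" -> side, addr, mask
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_sa(text):
    """Extract proxy identities (as ip_network objects) and packet counters
    from one crypto map entry of 'show crypto ipsec sa'."""
    info = {}
    for side, addr, mask in IDENT_RE.findall(text):
        # IOS prints a dotted netmask; ip_network accepts addr/netmask directly.
        info[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, value in COUNTER_RE.findall(text):
        info[name] = int(value)
    m = ERR_RE.search(text)
    if m:
        info["send_errors"] = int(m.group(1))
        info["recv_errors"] = int(m.group(2))
    return info


def diagnose(info):
    """Classify the encaps/decaps pattern of an SA into a troubleshooting hint."""
    enc, dec = info.get("encaps", 0), info.get("decaps", 0)
    if enc == 0 and dec > 0:
        # Exactly the pattern in the post: peer traffic arrives and is decrypted,
        # but nothing local is ever matched for encryption.
        return "one-way: peer traffic is decrypted, nothing is being encrypted locally"
    if enc > 0 and dec == 0:
        return "one-way: local traffic is encrypted, nothing arrives from the peer"
    if enc == 0 and dec == 0:
        return "idle: no traffic has matched the crypto ACL in either direction"
    return "two-way: packets are flowing in both directions"


def ping_matches_acl(info, src, dst):
    """Would a packet from src to dst be selected by this SA's proxy identities?
    A ping sourced outside the local ident (e.g. from the router's outside
    interface) never gets encrypted, which alone leaves encaps at 0."""
    return (ipaddress.ip_address(src) in info["local"]
            and ipaddress.ip_address(dst) in info["remote"])


if __name__ == "__main__":
    sa = parse_sa(SAMPLE_SA)
    print(f"local {sa['local']} -> remote {sa['remote']}")
    print(f"encaps={sa['encaps']} decaps={sa['decaps']}: {diagnose(sa)}")
    for src, dst in (("192.168.149.5", "10.215.3.1"), ("192.168.1.5", "10.215.3.1")):
        print(f"ping {src} -> {dst} matches crypto ACL: {ping_matches_acl(sa, src, dst)}")
```

Run against real output, the first check to make is whether the ping you are using is actually sourced from inside the local identity; "ping 10.215.x.x" from a router whose default source interface is the outside address is selected by nothing and will never increment encaps.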
07-26-2010 08:48 AM
Can you please issue this command on the PIX :-
crypto ipsec df-bit clear-df outside
thanks
Manish
07-26-2010 09:01 AM
No luck, it's the same as before.
07-26-2010 10:00 AM
Can you try clearing the tunnel and establishing it again?
Please try the following:
clear cry sa
clear crypto sessions
remove crypto map from the interface
reapply it
and then try to bring the tunnel up
07-26-2010 03:54 PM
Did clearing the crypto map help at all?
If not, then can you please make the following changes on the router side:
1> remove the non-default "crypto isakmp invalid-spi-recovery" command.
2> place the match statement before the set statements in the crypto map configuration.
3> do isakmp, ipsec and engine debugs plus system logs from both the router and the PIX for more research on the matter.
thanks
Manish