Router 2811 IPsec VPN

vinoth.kumar
Level 1

Hi,

We are trying to establish a VPN between a Cisco 2811 router (Version 12.4(13r)T) and a PIX 515E (7.01 and 7.23).

We are able to get the VPN status UP, but we are unable to ping the IP (encrypt the IP on the router side).

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
XX.XX.202.161 XXX.XX.37.10    QM_IDLE           1023 ACTIVE

sh cry ipsec sa on the router side:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
   current_peer XXX.XX.37.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: XXX.XXX.202.161, remote crypto endpt.: XXX.XXX.37.10
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0x4D0B702(80787202)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x3861D560(945935712)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2015, flow_id: NETGX:15, sibling_flags 80000046, crypto map: StoS-VPN
        sa timing: remaining key lifetime (k/sec): (4438146/704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x4D0B702(80787202)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 2016, flow_id: NETGX:16, sibling_flags 80000046, crypto map: StoS-VPN
        sa timing: remaining key lifetime (k/sec): (4438204/704)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Kindly suggest what might be the issue.
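The counters in the output above are the key diagnostic: the SA pair is ACTIVE, decaps/decrypt are climbing (1764), but encaps/encrypt stay at 0, so the router is decrypting the PIX's traffic yet never encrypting anything back. The following is an added example (not code from the original post or from Cisco) that parses a trimmed, constructed copy of that `show crypto ipsec sa` output and flags the one-way pattern, so the same check can be run over captures from several routers. The finding codes and the sample text are the example's own assumptions.

```python
import re

# Constructed sample input: a trimmed copy of the "show crypto ipsec sa"
# output posted in the question (addresses masked as in the post).
SAMPLE_OUTPUT = """\
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.148.0/255.255.252.0/0/0)
   remote ident (addr/mask/prot/port): (10.215.0.0/255.255.0.0/0/0)
   current_peer XXX.XX.37.10 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 1764, #pkts decrypt: 1764, #pkts verify: 1764
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x3861D560(945935712)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x4D0B702(80787202)
        Status: ACTIVE
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"current_peer\s+(\S+)")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")


def parse_ipsec_sa(text):
    """Split 'show crypto ipsec sa' output into one record per SA pair."""
    records, cur, direction = [], None, None
    for line in text.splitlines():
        if "protected vrf" in line:           # each SA pair starts here
            cur = {"encaps": 0, "decaps": 0, "send_errors": 0,
                   "recv_errors": 0, "inbound_active": False,
                   "outbound_active": False}
            records.append(cur)
            direction = None
            continue
        if cur is None:
            continue
        if m := IDENT_RE.search(line):
            cur[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
        elif m := PEER_RE.search(line):
            cur["peer"] = m.group(1)
        elif m := PKTS_RE.search(line):
            cur[m.group(1)] = int(m.group(2))
        elif m := ERR_RE.search(line):
            cur["send_errors"] = int(m.group(1))
            cur["recv_errors"] = int(m.group(2))
        elif "inbound esp sas" in line:
            direction = "inbound"
        elif "outbound esp sas" in line:
            direction = "outbound"
        elif "Status: ACTIVE" in line and direction:
            cur[f"{direction}_active"] = True
    return records


def diagnose(sa):
    """Return finding codes (assumed names) for one SA pair; empty = healthy."""
    findings = []
    if not (sa["inbound_active"] and sa["outbound_active"]):
        findings.append("NO_ACTIVE_ESP_SA")
    if sa["encaps"] == 0 and sa["decaps"] > 0:
        # The peer's packets arrive and are decrypted, but nothing is
        # encrypted back: traffic from the local ident toward the remote
        # ident is not being selected by the crypto map on this side.
        findings.append("ONE_WAY_NO_ENCAPS")
    elif sa["decaps"] == 0 and sa["encaps"] > 0:
        findings.append("ONE_WAY_NO_DECAPS")
    elif sa["encaps"] == 0 and sa["decaps"] == 0:
        findings.append("NO_TRAFFIC")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append("SA_ERRORS")
    return findings


if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(sa.get("local"), "->", sa.get("remote"), "via", sa.get("peer"))
        print("  encaps=%d decaps=%d" % (sa["encaps"], sa["decaps"]))
        print("  findings:", diagnose(sa) or ["none"])
```

Run against the sample, the single SA pair comes back with `ONE_WAY_NO_ENCAPS`, which points the troubleshooting at the router's side of the path (the crypto ACL, routing toward the crypto-map interface, and NAT exemption for the 192.168.148.0/22 to 10.215.0.0/16 flow) rather than at phase 1, which the QM_IDLE / ACTIVE state already shows is fine.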

18 Replies

Can you please issue this command on the PIX :-

crypto ipsec df-bit clear-df outside

thanks

Manish

No luck

It's the same as before.

On Mon, Jul 26, 2010 at 9:18 PM, manisharora111 <

can you try clearing the tunnel and establish again

Please try the following:

clear cry sa

clear crypto sessions

remove crypto map from the interface

reapply it

and then try to bring the tunnel up

Did clearing the crypto map help at all?

If not, then can you please make the following changes on the router side:

1> remove the non-default "crypto isakmp invalid-spi-recovery" command.

2> place the match statement before the set statements in the crypto map configuration.

3> do isakmp, ipsec and engine debugs + system logs from both router and PIX for more research on the matter.

thanks

Manish