site to site tunnel down

teymur azimov
Level 1

Hi dears,

I configured two site-to-site VPNs (IPsec VPN) and a remote-access VPN on the router. All of them are working normally.

But when there is no traffic in a tunnel, the tunnel goes down and afterwards does not come up. I remove the crypto map from the interface, then delete one crypto map, then apply the crypto map to the interface again, then configure the second tunnel again (the one I deleted before).

What is the problem? Why does the tunnel not come up automatically?

23 Replies

I cannot do that because I am connected remotely and some users are connected through the VPN. What do you think, is this a configuration problem?

Do you want to see the configuration?

Hello Teymur,

No, I do not want to check that, as this is not a configuration problem, or at least it does not look like one.

Why can't you run some debugs? We need that to make this happen...

Now let's restrict the debug to just the VPN we are having problems with:

debug crypto condition peer ipv4 x.x.x.x (remote IP of the VPN peer)
debug crypto isakmp
debug crypto ipsec

Let me know the outputs you get

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi dear jcarvaja,

I did some tests.

I deleted the crypto map 65535 command for the remote VPN, then

entered clear crypto isakmp sa; the tunnels went down and after a few minutes the tunnels came up.

So the remote VPN conflicts with the site-to-site VPN.

VPN part of the configuration:


! ---- site-to-site tunnels
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! ---- remote VPN
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key xxxxx address y.y.y.y
crypto isakmp key xxxx address x.x.x.x
crypto isakmp nat keepalive 300
!
crypto isakmp client configuration group vpncikil
 key c1sc0A123!
 dns 10.103.70.20 10.103.70.21
 domain vtbaze.local
 pool ippool
 acl 102
!
crypto ipsec security-association lifetime seconds 86400
!
! ---- site-to-site tunnels
crypto ipsec transform-set Router_Ipsec esp-3des esp-sha-hmac
 mode tunnel
! ---- remote VPN
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
!
crypto map Center client authentication list userauthentication
crypto map Center isakmp authorization list groupauthor
crypto map Center client configuration address respond
crypto map Center 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address xiyar
crypto map Center 3 ipsec-isakmp
 set peer y.y.y.y
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address sada
crypto map Center 65535 ipsec-isakmp dynamic dynmap
!
ip access-list standard RA_VPN_Redistribute
 permit 192.168.10.0 0.0.0.255
!
router eigrp 90
 network 10.103.74.1 0.0.0.0
 network 172.30.30.1 0.0.0.0
 redistribute static metric 10000 1 255 1 1500 route-map RA_VPN_Redistribute
!

Crypto map Center is applied to the outside interface.

Hardik Vaidh
Level 1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! set your key instead of XXX; it must match the remote site. After that write the address of your peer.
crypto isakmp key XXX address 10.10.10.10
crypto isakmp invalid-spi-recovery
!
! transform-set name must match the 'set transform-set' line in the crypto map entry
crypto ipsec transform-set ZZZ esp-3des esp-md5-hmac
!
crypto map YYY local-address <<>>
crypto map YYY 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set ZZZ
 match address 101
!
! the same crypto map name is applied to the outside interface
interface <<>>
 crypto map YYY
!
! interesting traffic: local LAN to each remote user host (host keyword, not a 255.255.255.255 wildcard)
access-list 101 remark remote users
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22

After that, configure NAT with the required access-list.

For troubleshooting:

sh cry ipsec sa peer 10.10.10.10

sh cry session

Hope your IPsec site-to-site VPN tunnel is working fine.

Hi, thank you for replying to me. Both VPNs (site-to-site and remote VPN) are working perfectly, but

when the tunnels or one of the tunnels goes down, afterwards the tunnels do not come up automatically.

When I delete the crypto map 65535 command, which is the remote VPN, the tunnel comes up automatically.

I pasted my configuration above. I want to know why the tunnels do not come up after going down. When I delete the crypto map of the remote VPN, afterwards the tunnels or tunnel come up automatically.

Please help me.

Thanks,

Teymor,

You said your tunnels are going through CONFIG_XAUTH before moving to MM_NO_STATE.

Your problem is that the tunnels are looking for extended authentication.

Please remove your isakmp keys:

no crypto isakmp key xxxxx  address y.y.y.y

no crypto isakmp key xxxx  address x.x.x.x

Add them again with the no-xauth keyword at the end of them:

crypto isakmp key xxxxx  address y.y.y.y no-xauth

crypto isakmp key xxxxx  address x.x.x.x no-xauth

Clear the tunnels and try to start sending traffic:

clear cry isa

Hope this helps.

Raga

PS: Please remember to mark this question as resolved if this resolved your issue. Thanks.
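The mismatch Raga describes above is mechanical enough to check from a saved configuration: a crypto map that carries client authentication list (XAUTH for remote-access clients) will also demand XAUTH from every static site-to-site peer under that map unless that peer's pre-shared key carries no-xauth. The following Python script is an added example for this thread, not code from the original post or from Cisco; the config text it parses is constructed with documentation addresses, and the crypto map names and key values in it are placeholders.

```python
"""Lint a Cisco IOS crypto config for static site-to-site peers that will be
asked for XAUTH because their crypto map also serves remote-access clients.

Rule checked: for every crypto map with 'client authentication list ...',
each static 'ipsec-isakmp' entry's 'set peer' address must have a
'crypto isakmp key ... address <peer> no-xauth' line.
The sample config is constructed for this example (documentation addresses).
"""
import re
from typing import Dict, List, Set

SAMPLE_CONFIG = """\
crypto isakmp key S2SKEY1 address 198.51.100.10
crypto isakmp key S2SKEY2 address 198.51.100.20 no-xauth
crypto isakmp key S2SKEY3 address 198.51.100.30
crypto map Center client authentication list userauthentication
crypto map Center isakmp authorization list groupauthor
crypto map Center client configuration address respond
crypto map Center 2 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set Router_Ipsec
 match address xiyar
crypto map Center 3 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set Router_Ipsec
 match address sada
crypto map Center 65535 ipsec-isakmp dynamic dynmap
crypto map Branch 10 ipsec-isakmp
 set peer 198.51.100.30
 set transform-set Router_Ipsec
 match address branch
"""

KEY_RE = re.compile(r"^crypto isakmp key \S+ address (\S+)(\s+no-xauth)?\s*$")
MAP_XAUTH_RE = re.compile(r"^crypto map (\S+) client authentication list \S+")
MAP_ENTRY_RE = re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp(\s+dynamic\s+\S+)?\s*$")
PEER_RE = re.compile(r"^\s*set peer (\S+)")


def parse_keys(config: str) -> Dict[str, bool]:
    """Map each pre-shared-key peer address to whether 'no-xauth' is set."""
    keys: Dict[str, bool] = {}
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys[m.group(1)] = m.group(2) is not None
    return keys


def parse_static_peers(config: str) -> Dict[str, Set[str]]:
    """Map each crypto map name to the peers of its static ipsec-isakmp entries."""
    peers: Dict[str, Set[str]] = {}
    current = None  # name of the static map entry whose sub-lines we are reading
    for raw in config.splitlines():
        line = raw.rstrip()
        m = MAP_ENTRY_RE.match(line)
        if m:
            # A dynamic entry has no 'set peer'; it only closes the previous entry.
            current = None if m.group(2) else m.group(1)
            peers.setdefault(m.group(1), set())
            continue
        if current and (m := PEER_RE.match(line)):
            peers[current].add(m.group(1))
        elif line and not line.startswith(" "):
            current = None  # any other top-level line ends the entry
    return peers


def xauth_maps(config: str) -> Set[str]:
    """Crypto maps that enable XAUTH for clients via 'client authentication list'."""
    return {m.group(1) for line in config.splitlines()
            if (m := MAP_XAUTH_RE.match(line.strip()))}


def find_xauth_conflicts(config: str) -> List[str]:
    """Static peers under an XAUTH-enabled map whose key lacks 'no-xauth'."""
    keys = parse_keys(config)
    xmaps = xauth_maps(config)
    findings: List[str] = []
    for name, static_peers in parse_static_peers(config).items():
        if name not in xmaps:
            continue  # map has no client authentication, no XAUTH expected
        for peer in sorted(static_peers):
            if peer not in keys:
                findings.append(f"{name}: peer {peer} has no pre-shared key configured")
            elif not keys[peer]:
                findings.append(f"{name}: peer {peer} key lacks 'no-xauth' "
                                f"(fix: crypto isakmp key <key> address {peer} no-xauth)")
    return findings


if __name__ == "__main__":
    for finding in find_xauth_conflicts(SAMPLE_CONFIG) or ["no XAUTH conflicts found"]:
        print(finding)
```

Run against a pasted show running-config, the script reports only the peers that sit under a map with client authentication; a peer such as 198.51.100.30 on a map without it is left alone, because there the missing keyword causes no harm.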

Thanks for replying to me. Before I do it I want to ask you a few questions, because I am confused about something.

When I remove crypto map 65535 (which is the remote VPN) this problem does not happen (the tunnels go down and then come up automatically).

But as you know, when I add the remote VPN crypto map, all of the VPNs work perfectly, but when both tunnels or one tunnel goes down, then the tunnels do not come up automatically.

I do not understand the source of the problem. Why, when I remove crypto map 65535, do the tunnels come up automatically after going down?

Thanks.

I did as you wrote.

I added the no-xauth keyword, then cleared the isakmp SA.

The tunnels did not come up automatically. Then I deleted the crypto map from the outside interface and applied it again.

The tunnels came up automatically.

Why must I delete the crypto map from the outside interface before the tunnels come up?

When I add the no-xauth command I do not need to delete the remote VPN crypto map (which is great); I only remove the crypto map from the outside interface and then add the command again, after which the tunnels come up.

show cry session

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 82.x.x.x port 500
  IPSEC FLOW: permit ip 172.27.136.0/255.255.255.0 172.22.22.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 193.x.x.x port 500
  IPSEC FLOW: permit ip 10.193.115.0/255.255.255.0 10.193.128.0/255.255.254.0
        Active SAs: 2, origin: crypto map

When the tunnels are down, as you see, the session status is UP-NO-IKE.

please help.
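The UP-NO-IKE status in the output above means the router still holds IPsec SAs for the flow but has no IKE SA for that peer, so nothing will renegotiate or rekey the tunnel until the SAs are cleared or the crypto map is re-applied. An operator watching several peers can pull that state out of show crypto session automatically. The Python below is an added example for this thread, not code from the original post or from Cisco; the sample output is constructed with documentation addresses in the same layout as the output posted above, and the status strings UP-NO-IKE, UP-ACTIVE and DOWN-NEGOTIATING are the IOS values the check keys on.

```python
"""Parse 'show crypto session' output and flag peers whose IPsec SAs are
alive without a controlling IKE SA (Session status: UP-NO-IKE).

The sample output is constructed for this example; field layout follows the
real command (Interface / Session status / Peer / IPSEC FLOW / Active SAs).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 203.0.113.10 port 500
  IPSEC FLOW: permit ip 172.27.136.0/255.255.255.0 172.22.22.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 203.0.113.20 port 500
  IPSEC FLOW: permit ip 10.193.115.0/255.255.255.0 10.193.128.0/255.255.254.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: DOWN-NEGOTIATING
Peer: 203.0.113.30 port 500
  IPSEC FLOW: permit ip 10.0.0.0/255.255.255.0 10.0.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""

IFACE_RE = re.compile(r"^Interface:\s*(\S+)")
STATUS_RE = re.compile(r"^Session status:\s*(\S+)")
PEER_RE = re.compile(r"^Peer:\s*(\S+)\s+port\s+(\d+)")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW:\s*(.+?)\s*$")
SAS_RE = re.compile(r"^\s*Active SAs:\s*(\d+)")


@dataclass
class CryptoSession:
    interface: str
    status: str = ""
    peer: str = ""
    port: int = 0
    flows: List[str] = field(default_factory=list)
    active_sas: int = 0

    @property
    def stuck_without_ike(self) -> bool:
        """IPsec SAs present but no IKE SA left to rekey them or run DPD."""
        return self.status == "UP-NO-IKE" and self.active_sas > 0


def parse_crypto_sessions(text: str) -> List[CryptoSession]:
    """Split the command output into one CryptoSession per 'Interface:' block."""
    sessions: List[CryptoSession] = []
    current: Optional[CryptoSession] = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current = CryptoSession(interface=m.group(1))
            sessions.append(current)
        elif current is None:
            continue  # ignore anything before the first session block
        elif m := STATUS_RE.match(line):
            current.status = m.group(1)
        elif m := PEER_RE.match(line):
            current.peer, current.port = m.group(1), int(m.group(2))
        elif m := FLOW_RE.match(line):
            current.flows.append(m.group(1))
        elif m := SAS_RE.match(line):
            current.active_sas += int(m.group(1))  # one line per flow, summed
    return sessions


def stuck_peers(text: str) -> List[str]:
    """Peer addresses whose tunnel is in the UP-NO-IKE state."""
    return [s.peer for s in parse_crypto_sessions(text) if s.stuck_without_ike]


if __name__ == "__main__":
    for s in parse_crypto_sessions(SAMPLE_OUTPUT):
        flag = "  <-- IPsec SAs without IKE SA; will not rekey on its own" if s.stuck_without_ike else ""
        print(f"{s.interface} {s.peer}:{s.port} {s.status} SAs={s.active_sas}{flag}")
```

A peer reported by stuck_peers is the one to collect debug crypto isakmp output for, as Julio suggested earlier in the thread, before clearing its SAs; a DOWN-NEGOTIATING peer with zero active SAs is a different, still-in-progress condition and is deliberately not flagged.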