03-05-2013 09:45 AM
Hi dears,
I configured two site-to-site VPNs (IPsec VPN) and a remote VPN on a router. All of them are working normally.
But when there is no traffic in the tunnel, the tunnel goes down and afterwards does not come up. I clear the crypto map from the interface, then clean one crypto map, then apply the crypto map to the interface, then configure the second tunnel again (which I cleaned before).
What is the problem? Why does the tunnel not come up automatically?
03-06-2013 09:47 AM
I cannot do that because I am connected remotely and some users are connected to the VPN. What do you think? Is this a configuration problem?
03-06-2013 09:50 AM
Do you want to see the configuration?
03-06-2013 09:53 AM
Hello Teymur,
No, I do not want to check that, as this is not a configuration problem, or at least it does not look like one.
Why can't you run some debugs? We need that to make this happen...
Now let's restrict the debug to just the VPN we are having problems with:
debug crypto condition peer ipv4 x.x.x.x ( Remote IP VPN peer)
debug crypto isakmp
debug crypto ipsec
Let me know the outputs you get.
03-23-2013 03:55 AM
Hi dear jcarvaja.
I did some tests.
I deleted the crypto map 65535 command for the remote VPN, then
wrote clear crypto isakmp sa; the tunnels went down and after a few minutes the tunnels came up.
So the remote VPN conflicts with the site-to-site VPN.
VPN part of the configuration:
! tunnels
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
! remote vpn
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key xxxxx address y.y.y.y
crypto isakmp key xxxx address x.x.x.x
crypto isakmp nat keepalive 300
crypto isakmp client configuration group vpncikil
 key c1sc0A123!
 dns 10.103.70.20 10.103.70.21
 domain vtbaze.local
 pool ippool
 acl 102
crypto ipsec security-association lifetime seconds 86400
!
! tunnel
crypto ipsec transform-set Router_Ipsec esp-3des esp-sha-hmac
 mode tunnel
! remote vpn
crypto ipsec transform-set myset esp-aes esp-sha-hmac
 mode tunnel
crypto map Center client authentication list userauthentication
crypto map Center isakmp authorization list groupauthor
crypto map Center client configuration address respond
crypto map Center 2 ipsec-isakmp
 set peer x.x.x.x
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address xiyar
crypto map Center 3 ipsec-isakmp
 set peer y.y.y.y
 set security-association idle-time 86400
 set transform-set Router_Ipsec
 set pfs group2
 match address sada
crypto map Center 65535 ipsec-isakmp dynamic dynmap
ip access-list standard RA_VPN_Redistribute
 permit 192.168.10.0 0.0.0.255
router eigrp 90
 network 10.103.74.1 0.0.0.0
 network 172.30.30.1 0.0.0.0
 redistribute static metric 10000 1 255 1 1500 route-map RA_VPN_Redistribute
!
Center is applied to the outside interface.
03-24-2013 01:11 AM
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
! Set your key instead of XXX; it must match the remote site. After that, write the address of your peer.
crypto isakmp key XXX address 10.10.10.10
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set ZZZ esp-3des esp-md5-hmac
!
crypto map YYY local-address <<
crypto map YYY 10 ipsec-isakmp
 set peer 10.10.10.10
 set transform-set ZZZ
 match address 101
interface <<
 crypto map YYY
! 11.11.11.11 and 22.22.22.22 are the remote users
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 11.11.11.11
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 22.22.22.22
After that, configure NAT with the required access-list.
For troubleshooting:
sh cry ipsec sa peer 10.10.10.10
sh cry session
Hope your IPsec site-to-site VPN tunnel is working fine.
03-24-2013 05:24 AM
Hi. Thank you for replying. Both VPNs (site-to-site and remote VPN) are working perfectly, but
when the tunnels, or one of the tunnels, go down, after that the tunnels do not come up automatically.
When I delete crypto map 65535, which is the remote VPN command, the tunnel comes up automatically.
I pasted my configuration above. I want to know why the tunnels do not come up after going down. When I delete the crypto map of the remote VPN, after that the tunnels or tunnel come up automatically.
Please help me.
Thanks,
03-24-2013 10:28 PM
Teymur,
You said your tunnels are going thru CONFIG_XAUTH before moving to MM_NO_STATE.
Your problem is that the tunnels are looking for extended authentication.
Please remove your isakmp keys:
no crypto isakmp key xxxxx address y.y.y.y
no crypto isakmp key xxxx address x.x.x.x
Add them again with the no-xauth keyword at the end of them:
crypto isakmp key xxxxx address y.y.y.y no-xauth
crypto isakmp key xxxxx address x.x.x.x no-xauth
Clear the tunnels and try to start sending traffic:
clear cry isa
clear cry isa
Hope this helps.
Raga
PS: Please remember to mark this question as resolved if this resolved your issue. Thanks.
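The condition described in the reply above (static peers sharing a crypto map that carries `client authentication list`, with pre-shared keys lacking `no-xauth`) can be checked offline against a saved configuration. This is an added example, not part of the original post or any Cisco tool; the function name and the sample configuration are constructed for illustration, and only exact per-peer keys are matched (wildcard keys and keyrings are not handled).

```python
# Constructed sample modeled on the thread's configuration (placeholders kept).
SAMPLE_CONFIG = """\
crypto isakmp key xxxxx address y.y.y.y
crypto isakmp key xxxx address x.x.x.x no-xauth
crypto map Center client authentication list userauthentication
crypto map Center 2 ipsec-isakmp
set peer x.x.x.x
match address xiyar
crypto map Center 3 ipsec-isakmp
set peer y.y.y.y
match address sada
crypto map Center 65535 ipsec-isakmp dynamic dynmap
"""


def audit_xauth(config):
    """Map each XAUTH-enabled crypto map to its static peers lacking no-xauth."""
    xauth_maps = set()   # maps carrying 'client authentication list'
    static_peers = {}    # map name -> peers from 'set peer' in static entries
    exempt = set()       # peers whose pre-shared key ends in no-xauth
    current = None       # static crypto map entry being parsed
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] not in ("set", "match"):
            current = None  # any other command closes the map entry
        if tok[:2] == ["crypto", "map"] and len(tok) >= 5:
            if tok[3:6] == ["client", "authentication", "list"]:
                xauth_maps.add(tok[2])
            elif tok[3].isdigit() and "dynamic" not in tok:
                current = tok[2]
        elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok[3:]:
            if tok[-1] == "no-xauth":
                exempt.add(tok[tok.index("address", 3) + 1])
        elif tok[:2] == ["set", "peer"] and current and len(tok) >= 3:
            static_peers.setdefault(current, []).append(tok[2])
    findings = {}
    for name in xauth_maps:
        missing = [p for p in static_peers.get(name, []) if p not in exempt]
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for name, peers in audit_xauth(SAMPLE_CONFIG).items():
        print(f"crypto map {name}: add no-xauth to the key for {', '.join(peers)}")
```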
03-25-2013 01:23 AM
Thanks for replying. Before I do it I want to ask you a few questions because I am confused about something.
When I remove crypto map 65535 (which is the remote VPN) this problem does not happen (the tunnels go down, then come up automatically).
But as you know, when I add the remote VPN crypto map all of the VPNs work perfectly, but when both tunnels or one tunnel go down, the tunnels do not come up automatically.
I do not understand the source of the problem. Why, when I remove crypto map 65335, do the tunnels come up automatically after going down?
Thanks.
03-25-2013 02:41 PM
I did as you wrote.
I added no-xauth, then cleared the isakmp SA.
The tunnels did not come up automatically. Then I deleted the crypto map from the outside interface and wrote it again.
The tunnels came up automatically.
Why must I delete the crypto map from the outside interface before the tunnels come up?
When I add the no-xauth command I do not need to delete the remote VPN crypto map (it is super); I only delete the crypto map from the outside interface and then add the command again, and after that the tunnels are up.
show cry session
Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 82.x.x.x port 500
IPSEC FLOW: permit ip 172.27.136.0/255.255.255.0 172.22.22.0/255.255.255.0
Active SAs: 2, origin: crypto map
Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 193.x.x.x port 500
IPSEC FLOW: permit ip 10.193.115.0/255.255.255.0 10.193.128.0/255.255.254.0
Active SAs: 2, origin: crypto map
When the tunnels are down, as you see, the session status is UP-NO-IKE.
Please help.