Site to site VPN phase 2 error

oladapo20
Beginner

Dear All,

We have a site-to-site VPN with a partner, and we need to access three different hosts on the partner's network. Phase 1 came up, but there is an issue with Phase 2: out of the three hosts we can only connect to one; the others are not connected, and they all share the same parameters.

Below is the show ip access list output; it shows matched packets, but the connections to the hosts were not successful.

With show crypto ipsec sa I saw send errors, and I don't know what might be responsible for them.

Anybody who knows what might be wrong, please help me out; I am exhausted.

 access-list

10 permit ip host 4.2.3.1 host 4.2.6.22 (647594 matches)
 20 permit ip host 4.2.3.14 host 4.2.6.64 (47794 matches)
 30 permit ip host 41.2.3.37 host 41.2.6.76 (581720 matches)

show crypto ipsec sa

 local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 198, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
   current_peer 4.2.6.24 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 508, #recv errors 0

     local crypto endpt.: 4.2.3.16, remote crypto endpt.: 4.2.6.24
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

1 Accepted Solution

Ruben Cocheno
Spotlight

Edit: Can you post the config from both sides of the tunnel? If not, recheck the configs from both sides one more time.



Thanks for your suggestion. PFS was enabled at the remote site.
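
The two failing selectors in the output above share one signature: an outbound SPI of 0x0 with a growing send-error count, while the local side reports PFS N. As an added example that is not part of the original thread, this Python script parses `show crypto ipsec sa` text and lists such selectors; the sample input is abridged from the post, and its third (healthy) entry is constructed.

```python
import re

# Constructed sample: first two entries abridged from the output in the post,
# third entry (addresses, counters, SPI) invented to show a healthy selector.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (41.2.3.37/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.76/255.255.255.255/0/0)
    #send errors 198, #recv errors 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
   local  ident (addr/mask/prot/port): (4.2.3.14/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (4.2.6.64/255.255.255.255/0/0)
    #send errors 508, #recv errors 0
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none
   local  ident (addr/mask/prot/port): (192.0.2.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
     PFS (Y/N): N, DH group: none
"""

FIELDS = {
    "local": re.compile(r"local\s+ident .*?: \(([^/]+)/"),
    "remote": re.compile(r"remote ident .*?: \(([^/]+)/"),
    "send_errors": re.compile(r"#send errors (\d+)"),
    "spi": re.compile(r"current outbound spi: (0x[0-9A-Fa-f]+)"),
    "pfs": re.compile(r"PFS \(Y/N\): ([YN])"),
}

def parse_sas(text):
    """Return one dict per proxy-identity (selector) pair in the output."""
    entries = []
    for line in text.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name == "local":   # a new selector block starts here
                entries.append({})
            if m and entries:
                entries[-1][name] = m.group(1)
    return entries

def stalled(entries):
    """Selectors with no outbound SA (SPI 0x0) while send errors accumulate."""
    return [e for e in entries
            if int(e.get("spi", "0x0"), 16) == 0 and int(e.get("send_errors", 0)) > 0]

if __name__ == "__main__":
    for e in stalled(parse_sas(SAMPLE)):
        print(f"{e['local']} -> {e['remote']}: no SA, {e['send_errors']} send errors, local PFS={e['pfs']}")
```

For each selector it lists, compare the Phase 2 proposal (transform set, PFS group, crypto ACL entry) line by line with the peer's configuration.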
