There are no ipsec sas

jhaddix385
Level 1

Below is the running config, any ideas? Thanks guys for all your help!

ASA Version 7.2(4)
!
hostname yrfw
domain-name default.domain.invalid
enable password GrEDXz.dPpjC/fWV encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 172.16.128.0 FW_SEGMENT
name 192.200.229.0 HRSDNET
name 172.16.32.0 WBFW_SEGMENT
name 172.16.96.0 NSFW_SEGMENT
name 172.16.64.0 VIPFW_SEGMENT
name 172.16.84.0 ATFW_SEGMENT
name 172.16.128.51 YREDS
name 192.168.251.0 VPN
name 192.168.206.0 WIRELESS
!
interface Vlan1
nameif inside
security-level 100
ip address 172.16.128.1 255.255.240.0
!
interface Vlan2
description OUTSIDE
nameif outside
security-level 0
ip address 192.200.229.22 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
object-group service ODBC_WEST_NET tcp-udp
port-object range 1706 1706
object-group service EDS_CLIENTS udp
port-object range 43000 43060
access-list outside_access_in extended permit tcp 192.200.0.0 255.255.0.0 FW_SEGMENT 255.255.240.0 object-group ODBC_WEST_NET
access-list outside_access_in extended permit ip NSFW_SEGMENT 255.255.240.0 FW_SEGMENT 255.255.240.0
access-list outside_access_in extended permit ip WBFW_SEGMENT 255.255.240.0 FW_SEGMENT 255.255.240.0
access-list outside_access_in extended permit ip VIPFW_SEGMENT 255.255.240.0 FW_SEGMENT 255.255.240.0
access-list outside_access_in extended permit udp any object-group EDS_CLIENTS any object-group EDS_CLIENTS
access-list outside_access_in extended permit udp any host YREDS object-group EDS_CLIENTS
access-list outside_access_in extended permit tcp any host YREDS eq www
access-list outside_access_in extended permit tcp any host YREDS eq 9090
access-list outside_access_in remark VNC
access-list outside_access_in extended permit tcp any host YREDS eq 5915
access-list outside_access_in remark VPN
access-list outside_access_in extended permit ip VPN 255.255.255.0 host YREDS
access-list outside_access_in remark WIRELESS
access-list outside_access_in extended permit udp WIRELESS 255.255.255.0 host YREDS object-group EDS_CLIENTS
access-list outside_access_in remark SSH
access-list outside_access_in extended permit tcp any eq ssh host YREDS eq ssh
access-list outside_access_in extended permit tcp 192.168.0.0 255.255.0.0 FW_SEGMENT 255.255.240.0 object-group ODBC_WEST_NET
access-list inside_outbound_nat0_acl extended permit ip FW_SEGMENT 255.255.240.0 192.168.225.0 255.255.255.0
access-list outside_1_cryptomap extended permit ip FW_SEGMENT 255.255.240.0 192.168.225.0 255.255.255.0
pager lines 24
logging enable
logging timestamp
logging trap notifications
logging history notifications
logging asdm informational
logging host outside 192.200.214.169 format emblem
mtu inside 1500
mtu outside 1500
ip local pool VPN 172.16.112.245-172.16.112.250 mask 255.255.240.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit host 192.200.214.169 outside
icmp deny any outside
icmp permit host 192.200.225.50 outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) FW_SEGMENT FW_SEGMENT netmask 255.255.240.0
access-group outside_access_in in interface outside
route outside WBFW_SEGMENT 255.255.240.0 192.200.229.21 1
route outside VIPFW_SEGMENT 255.255.240.0 192.200.229.21 1
route outside NSFW_SEGMENT 255.255.240.0 192.200.229.21 1
route outside 192.168.0.0 255.255.0.0 192.200.229.21 1
route outside WIRELESS 255.255.255.0 192.200.229.21 1
route outside 192.168.225.0 255.255.255.0 192.200.229.21 1
route outside VPN 255.255.255.0 192.200.229.21 1
route outside 192.200.0.0 255.255.0.0 192.200.229.21 1
route outside 192.200.214.0 255.255.255.0 192.200.229.21 1
route outside 0.0.0.0 255.255.255.255 192.200.229.21 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http FW_SEGMENT 255.255.240.0 inside
http 192.200.200.179 255.255.255.255 outside
http 192.200.0.0 255.255.0.0 outside
http 192.200.225.50 255.255.255.255 outside
snmp-server host outside 192.200.214.169 community mute
snmp-server location YRFW
snmp-server contact JHADDIX
snmp-server community mute
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
fragment timeout 10 outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.200.214.25
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set nat-t-disable
crypto map outside_map interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 1440
telnet 192.200.214.169 255.255.255.255 outside
telnet timeout 5
ssh 192.200.214.169 255.255.255.255 outside
ssh timeout 5
console timeout 0

ntp server 192.168.225.1 source outside prefer
tftp-server outside 192.200.200.229 /CISCO/FIREWALLS/JR/JR-10.2007.txt
tunnel-group 192.200.214.25 type ipsec-l2l
tunnel-group 192.200.214.25 general-attributes
tunnel-group 192.200.214.25 ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect http
!
service-policy global_policy global
prompt hostname context
compression svc
Cryptochecksum:9a278aa35a8326e01cab0e8d7539b64c
: end

10 Replies

Jennifer Halim
Cisco Employee

Sorry, but can you provide more information on where exactly it's failing?

Is phase 1 (IKE) up? "show cry isa sa" output will help to confirm that.

What is the output of "show cry ipsec sa"?

Further to that, you might want to run "debug cry isa" and "debug cry ipsec" to be able to pin point exactly where the issue is.

Just having configuration from 1 side of the VPN tunnel won't help much.

Please also kindly follow through all your other posts. It seems that replies were provided, however, the forum never hears back on the result. If you can share if the solution provided has helped you, and also mark the post as answered if it does, this will help others who might have the same issue.

Thank you.

"There are no ipsec sas" is the message I receive when I did the show cry for isa and ipsec. Working on the debugs right now, will get them to you in a few.

Jen,

Below is the conf to the other side of the VPN that it will be connecting to, I believe this is the part you're interested in:

name 192.200.225.20 JRFW
name 192.200.229.22 YRFW
object-group service EDS_UDP udp
  port-object range 43000 43051
object-group service 1024-2048 udp
  port-object range 1024 65535
object-group service ABOVE_1024 tcp
  description APP ports allowed to access ports above 1024
  port-object range 1024 65535
object-group service THICK_CLIENT udp
  port-object range 44000 44100
object-group service EDS_CLIENTS udp
access-list 101 permit ip host 192.200.0.0 host 192.200.214.25
access-list inside_outbound_nat0_acl permit ip INSIDE 255.255.255.0 NPFW_SEGMENT 255.255.240.0
access-list inside_outbound_nat0_acl permit ip INSIDE 255.255.255.0 NSFW_SEGMENT 255.255.240.0
access-list inside_outbound_nat0_acl permit ip INSIDE 255.255.255.0 WBFW_SEGMENT 255.255.240.0
access-list inside_outbound_nat0_acl permit ip INSIDE 255.255.255.0 VIPFW_SEGMENT 255.255.240.0
access-list inside_outbound_nat0_acl permit ip INSIDE 255.255.255.0 ATFW_SEGMENT 255.255.240.0
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 NPFW_SEGMENT 255.255.240.0
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 NSFW_SEGMENT 255.255.240.0
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 WBFW_SEGMENT 255.255.240.0
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 VIPFW_SEGMENT 255.255.240.0
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 ATFW_SEGMENT 255.255.240.0
access-list outside_access_in remark SCADACENTRAL 00:0F:FE:2C:E8:0B
access-list outside_access_in permit ip host SCADACENTRAL host EDS
access-list outside_access_in remark MPOST TEST
access-list outside_access_in permit ip host MPOST host EDS
access-list outside_access_in remark MMP1 00:12:79:DE:F7:5C
access-list outside_access_in permit ip host MMP1 host EDS
access-list outside_access_in remark VPN
access-list outside_access_in permit ip VPN 255.255.255.0 INSIDE 255.255.255.0
access-list outside_access_in remark EDS CLIENTS
access-list outside_access_in permit udp 192.200.0.0 255.255.0.0 object-group 1024-2048 INSIDE 255.255.255.0 object-group EDS_UDP
access-list outside_access_in remark EDS CLIENTS
access-list outside_access_in permit udp WQ_LAB 255.255.255.0 object-group 1024-2048 INSIDE 255.255.255.0 object-group EDS_UDP
access-list outside_access_in remark EDS CLIENTS
access-list outside_access_in permit udp WIRELESS 255.255.255.0 object-group 1024-2048 host EDS object-group EDS_UDP
access-list outside_access_in remark HTTP ALL
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq www
access-list outside_access_in remark HTTPS ALL
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq https
access-list outside_access_in remark VNC ALL @ 5913
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq 5913
access-list outside_access_in remark VNC ALL @ 5900
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq 5900
access-list outside_access_in remark ALL TO Oracle Web Service @ 9090
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq 9090
access-list outside_access_in remark ALL TCP TO SSH @ 22
access-list outside_access_in permit tcp any INSIDE 255.255.255.0 eq ssh
access-list outside_access_in remark ALL TCP TO Legato Portmapper @ 111 - SUNRPC
access-list outside_access_in permit tcp host CARTEST INSIDE 255.255.255.0 eq sunrpc
access-list outside_access_in remark ALL UDP TO Legato Portmapper @ 111 - SUNRPC
access-list outside_access_in permit udp host CARTEST INSIDE 255.255.255.0 eq sunrpc
access-list outside_access_in remark ALL TCP TO Legato NSREXECD @ 7937
access-list outside_access_in permit tcp host CARTEST INSIDE 255.255.255.0 eq 7937
access-list outside_access_in remark CX3 Navisphere Access
access-list outside_access_in permit ip host CX3_SPA any
access-list outside_access_in remark CX3 Navisphere Access
access-list outside_access_in permit ip host CX3_SPB any
access-list outside_access_in remark EDS "THICK" CLIENTS
access-list outside_access_in permit udp 192.200.0.0 255.255.0.0 object-group 1024-2048 INSIDE 255.255.255.0 object-group THICK_CLIENT
access-list outside_access_in remark EDS THICK CLIENTS - Wireless
access-list outside_access_in permit udp WIRELESS 255.255.255.0 object-group 1024-2048 host EDS object-group THICK_CLIENT
access-list outside_access_in permit udp PLANTS 255.255.0.0 object-group EDS_UDP any object-group EDS_UDP
access-list outside_access_in permit icmp any any
access-list outside_access_in permit udp any object-group EDS_UDP any object-group EDS_UDP
access-list outside_access_in permit udp any any
access-list inside_access_in remark NAT - DO NOT CHANGE!
access-list inside_access_in permit ip any any
pager lines 24
logging on
logging timestamp
logging trap notifications
logging history errors
logging host outside 192.200.214.169 format emblem
icmp permit host 192.200.214.169 outside
icmp permit host 172.68.82.51 outside
icmp permit host 192.200.222.134 outside
icmp permit host ATFW outside
icmp permit host 0.0.0.0 outside
mtu outside 1556
mtu inside 1500
ip address outside 192.200.214.25 255.255.255.0
ip address inside 192.168.225.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.225.211-192.168.225.215
pdm location 192.200.0.0 255.255.255.255 outside
pdm location 192.200.0.0 255.255.0.0 outside
pdm location 192.200.200.0 255.255.255.0 outside
pdm location NPFW_SEGMENT 255.255.255.0 outside
pdm location WBFW_SEGMENT 255.255.255.0 outside
pdm location SCADACENTRAL 255.255.255.255 outside
pdm location MMP1 255.255.255.255 outside
pdm location NPFW 255.255.255.255 outside
pdm location EDS 255.255.255.255 inside
pdm location NPHSR 255.255.255.255 outside
pdm location PLANTS 255.255.0.0 outside
pdm location WBFW 255.255.255.255 outside
pdm location VIPFW 255.255.255.255 outside
pdm location VIPFW_SEGMENT 255.255.255.0 outside
pdm location 192.200.212.0 255.255.255.0 outside
pdm location VIPFW_SEGMENT2 255.255.255.0 outside
pdm location TEST_BGIRARDLT 255.255.255.255 outside
pdm location WIRELESS 255.255.255.0 outside
pdm location VPN 255.255.255.0 outside
pdm location NSFW 255.255.255.255 outside
pdm location CISCO_6509 255.255.255.255 outside
pdm location NS_ROUTER 255.255.255.255 outside
pdm location NSFW_SEGMENT 255.255.255.0 outside
pdm location NS_SEGMENT 255.255.255.0 outside
pdm location NPFW_SEGMENT 255.255.240.0 outside
pdm location NPFW_SEGMENT 255.255.255.255 outside
pdm location INSIDE 255.255.255.0 outside
pdm location VIPFW_SEGMENT 255.255.240.0 outside
pdm location NSFW_SEGMENT 255.255.240.0 outside
pdm location WBFW_SEGMENT 255.255.240.0 outside
pdm location RSW 255.255.255.255 outside
pdm location REMOTE 255.255.255.255 outside
pdm location FA2KAVERITAS 255.255.255.255 outside
pdm location EDSN_1 255.255.255.255 inside
pdm location EDSN_2 255.255.255.255 inside
pdm location KL_LAPTOP 255.255.255.255 outside
pdm location CARTEST 255.255.255.255 outside
pdm location WQ_LAB 255.255.255.0 outside
pdm location CX3_SPA 255.255.255.255 outside
pdm location CX3_SPB 255.255.255.255 outside
pdm location MPOST 255.255.255.255 outside
pdm location 192.200.214.169 255.255.255.255 outside
pdm location NPEDS 255.255.255.255 outside
pdm location ATP 255.255.255.0 outside
pdm location ATFW 255.255.255.255 outside
pdm location 192.168.80.0 255.255.255.0 outside
pdm location ATFW_SEGMENT 255.255.240.0 outside
pdm location 172.16.82.0 255.255.255.0 outside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 INSIDE
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 192.168.225.1 192.168.225.1 netmask 255.255.255.255 0 0
static (inside,outside) EDS EDS netmask 255.255.255.255 0 0
static (inside,outside) EDSN_1 EDSN_1 netmask 255.255.255.255 0 0
static (inside,outside) EDSN_2 EDSN_2 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 CISCO_6509 1
route outside NPFW_SEGMENT 255.255.240.0 NPFW 1
route outside WBFW_SEGMENT 255.255.255.0 WBFW 1
route outside VIPFW_SEGMENT 255.255.255.0 VIPFW 1
route outside VIPFW_SEGMENT2 255.255.255.0 VIPFW 1
route outside 172.16.82.0 255.255.255.0 ATFW 1
route outside NSFW_SEGMENT 255.255.255.0 NSFW 1
route outside 172.16.128.0 255.255.255.0 YRFW 1
route outside 192.200.212.0 255.255.255.0 CISCO_6509 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server 192.168.208.2 source outside prefer
http server enable
http 192.200.0.0 255.255.0.0 outside
http INSIDE 255.255.255.0 inside
snmp-server host outside 192.200.214.169
snmp-server location EDS_SEGMENT
snmp-server contact SWILLIAMS
snmp-server community mute
no snmp-server enable traps
tftp-server outside 192.200.200.229 /CISCO/FIREWALLS/EDS/EDS-10.2007.txt
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 30 set transform-set ESP-3DES-SHA
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer NPFW
crypto map outside_map 20 set peer NSFW
crypto map outside_map 20 set peer WBFW
crypto map outside_map 20 set peer VIPFW
crypto map outside_map 20 set peer ATFW
crypto map outside_map 20 set peer JRFW
crypto map outside_map 20 set peer YRFW
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client configuration address initiate
crypto map outside_map client configuration address respond
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address NPFW netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address WBFW netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address NSFW netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address VIPFW netmask 255.255.255.255 no-xauth no-config-mode
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0 no-config-mode
isakmp key ******** address ATFW netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 1440
isakmp policy 30 authentication pre-share
isakmp policy 30 encryption 3des
isakmp policy 30 hash sha
isakmp policy 30 group 2
isakmp policy 30 lifetime 86400
vpngroup EDS address-pool VPN
vpngroup EDS idle-time 1800
vpngroup EDS secure-unit-authentication
vpngroup EDS password ********
ca identity edsca 192.200.214.25:/CERTSRV/
ca configure edsca ca 1 0
telnet timeout 5
ssh 192.200.0.0 255.255.0.0 outside
ssh timeout 5
console timeout 0
vpdn username mmp password *********
dhcpd auto_config outside
username sshd password nza94obJoHE2Q4SV encrypted privilege 15
username EDS7 password Rv8T0sko/AlhnEOw encrypted privilege 5
terminal width 80
Cryptochecksum:e336237cb9c9778b177a79a7fb64d5f0
: end
EDSFW(config)#

This configuration seems to be incorrect:

crypto map outside_map 20 set peer NPFW
crypto map outside_map 20 set peer NSFW
crypto map outside_map 20 set peer WBFW
crypto map outside_map 20 set peer VIPFW
crypto map outside_map 20 set peer ATFW
crypto map outside_map 20 set peer JRFW
crypto map outside_map 20 set peer YRFW

Why do you have so many "set peer" for crypto map sequence 20?

I believe you should only have "set peer" to 192.200.229.22 for that particular tunnel, and it's named YRFW. You should only have:

crypto map outside_map 20 set peer YRFW

Long story, but we have a "spoke and hub" config so the EDSFW firewall has about 5 other IPSEC tunnels going on right now. Hence the reason for the other peers.

Believe me, we are working on doing a complete reconfig next year to a DMVPN unfortunately we have to go with this design for the time being.

Update: Also I have the debugs running but nothing is showing (I'm connected via SSH). Should I try to force the connection? I forget the command to force phase 1.

I did a show crypto protocol stat for all and there are no requests under IPSEC statistics.

I understand that it is a HUB, however, it has been configured incorrectly.

Each remote/spoke needs to have unique LAN to start with, and on the HUB you would need to configure separate crypto map policy for each spoke.

If you have 5 spokes, you would need to configure 5 crypto map policies (and in particular crypto ACL needs to be unique for all the peers).

You can't configure just 1 crypto map policy (currently sequence 20) for all the peers. This is not a supported configuration.
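The two hub-side checks described in this thread (one static crypto map sequence carrying several "set peer" lines with one shared crypto ACL, and a hub crypto ACL that is not the mirror image of the spoke's) as a small lint script. This is an added example, not Cisco tooling or either firewall's own configuration; HUB_FIXED is a hypothetical per-spoke layout whose sequence number, ACL name and INSIDE name entry are assumptions.

```python
from collections import defaultdict

# Constructed excerpts: SPOKE and HUB copy the relevant lines of the two configs in this
# thread; HUB_FIXED is a hypothetical per-spoke layout (sequence 70, the ACL name and the
# INSIDE name entry are assumptions, not taken from the hub config).
SPOKE = """
name 172.16.128.0 FW_SEGMENT
access-list outside_1_cryptomap extended permit ip FW_SEGMENT 255.255.240.0 192.168.225.0 255.255.255.0
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 192.200.214.25
"""
HUB = """
access-list outside_cryptomap_20 permit ip INSIDE 255.255.255.0 NPFW_SEGMENT 255.255.240.0
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer NPFW
crypto map outside_map 20 set peer YRFW
"""
HUB_FIXED = """
name 192.168.225.0 INSIDE
access-list outside_cryptomap_70 permit ip INSIDE 255.255.255.0 172.16.128.0 255.255.240.0
crypto map outside_map 70 match address outside_cryptomap_70
crypto map outside_map 70 set peer YRFW
"""

def _endpoint(t, i, names):
    """Decode one ACL endpoint ('any', 'host X' or 'X MASK'); names resolves 'name' aliases."""
    if t[i] == "any":
        return "0.0.0.0", "0.0.0.0", i + 1
    if t[i] == "host":
        return names.get(t[i + 1], t[i + 1]), "255.255.255.255", i + 2
    return names.get(t[i], t[i]), t[i + 1], i + 2

def parse(cfg):
    """Return (acls, maps): acl -> [(src, smask, dst, dmask)]; (map, seq) -> {'peers', 'acl'}."""
    names, acls = {}, defaultdict(list)
    maps = defaultdict(lambda: {"peers": [], "acl": None})
    for t in (ln.split() for ln in cfg.splitlines()):
        if t[:1] == ["name"]:                      # name <ip> <alias>
            names[t[2]] = t[1]
        elif t[:1] == ["access-list"] and "permit" in t and t[t.index("permit") + 1:][:1] == ["ip"]:
            src, sm, i = _endpoint(t, t.index("permit") + 2, names)   # PIX 6.x has no 'extended'
            dst, dm, _ = _endpoint(t, i, names)
            acls[t[1]].append((src, sm, dst, dm))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["set", "peer"]:
            maps[(t[2], t[3])]["peers"].append(names.get(t[6], t[6]))
        elif t[:2] == ["crypto", "map"] and t[4:6] == ["match", "address"]:
            maps[(t[2], t[3])]["acl"] = t[6]
    return dict(acls), dict(maps)

def lint_hub(cfg):
    """Findings from the thread: several peers on one static sequence, one crypto ACL reused."""
    _, maps = parse(cfg)
    findings, users = [], defaultdict(list)
    for (name, seq), m in sorted(maps.items()):
        if len(m["peers"]) > 1:
            findings.append(f"{name} {seq}: {len(m['peers'])} peers on one sequence")
        if m["acl"]:
            users[m["acl"]].append(seq)
    findings += [f"ACL {a} shared by sequences {s}" for a, s in users.items() if len(s) > 1]
    return findings

def mirrored(spoke_cfg, spoke_acl, hub_cfg, hub_acl):
    """True when every spoke crypto-ACL entry appears with src/dst swapped in the hub's ACL."""
    s_entries = parse(spoke_cfg)[0].get(spoke_acl, [])
    h_entries = set(parse(hub_cfg)[0].get(hub_acl, []))
    return bool(s_entries) and all((d, dm, s, sm) in h_entries for s, sm, d, dm in s_entries)
```

Run lint_hub over the hub's "show run" output and mirrored against the spoke's crypto ACL; an empty findings list and a True mirror result are what a per-spoke layout should give.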

Thanks Jenn...

Is it working now?