Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1366
Views
0
Helpful
8
Replies

VPN CONNECTION FAILED BETWEEN Router 1900 Series and Router 4200 Series

aaronmuzira
Level 1
Level 1

‎07-16-2020 12:27 AM

I have a router at Main Office of model: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2)  which i am trying to create a VPN to a remote site with the following verison" Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.6.4, RELEASE SOFTWARE (fc3)  

 

What could be the reason as to why the VPN still remained in MM_NO_STATE

Labels:
0 Helpful
8 Replies 8

Rob Ingram
VIP
VIP

‎07-16-2020 12:33 AM

Please provide the full output of the debug, use the command "debug crypto isakmp", perform this on both routers.
Provide the full configuration for review as well.
0 Helpful

aaronmuzira
Level 1
Level 1
In response to Rob Ingram

‎07-20-2020 02:46 AM

I have attached the debug and configs of the remote office router 

Preview file
5 KB
Preview file
1 KB
0 Helpful

Rob Ingram
VIP
VIP
In response to aaronmuzira

‎07-20-2020 02:53 AM

Is there a firewall or ACL on the main office router potentially denying traffic and stopping the remote site from establishing the tunnel?
Can the remote office router ping the IP address of the main office router?
Run debug on the main office router and/or a packet capture to determine whether traffic is even received.
0 Helpful

aaronmuzira
Level 1
Level 1
In response to Rob Ingram

‎07-20-2020 03:03 AM - edited ‎07-20-2020 03:06 AM

Hello Rob,

 

My Main Office router has over 25 remote offices connected and able to communicate to main office. The topology is like this at the main office.   Router (1921 series) >>>> Firewall >>> Internal LAN   

 

On the remote router (4200 Series) the state of the tunnel when i run show crypto isakmp sa  it shows MM_NO_STATE

 

The remote router only stops pinging the public ip of the main office but the LAN is not reachable 

0 Helpful

Rob Ingram
VIP
VIP
In response to aaronmuzira

‎07-20-2020 03:19 AM

So is there an ACL on the main office router's outside/external interface?
I don't understand your last comment, can the remote router ping the public IP address of the mian office router?
Have you run debug and/or packet capture on the main office router to confirm that the remote router is attempting to communicate?
0 Helpful

aaronmuzira
Level 1
Level 1
In response to Rob Ingram

‎07-20-2020 03:37 AM

Yes we have ACLs on the main office router.

Currently the remote router cannot access the main office, the only interface it can ping is the public ip of the main office. 

I have run a debug on the main office router but here is no sign of that specific router connecting or initiating any communication to Main Office router

 

Thank You

0 Helpful

Rob Ingram
VIP
VIP
In response to aaronmuzira

‎07-20-2020 03:51 AM

If there is no communication from the remote site to the main site, then do you have the correct peer IP address for the main site defined in the crypto map of the remote site router?

What does the ACL do on the main router? Does it permit UDP/500, ESP (UDP/4500 if nat) from the remote site public IP address?

Is there another device (router/firewall) in front of the remote site router that could NAT the traffic?
0 Helpful

aaronmuzira
Level 1
Level 1
In response to Rob Ingram

‎07-24-2020 01:33 AM

Hey Rob,

 

1. The correct peer is defined in the crypto map for the remote site.

2. I don't have any ACL permitting UDP/500, ESP (UDP/4500 if nat) directly on both routers. 

3. At the remote site there is no device after the router.

 

Thank You

0 Helpful
Customers Also Viewed These Support Documents