VPN CONNECTION FAILED BETWEEN Router 1900 Series and Router 4200 Series

aaronmuzira (Level 1)

I have a router at the Main Office of model Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M5, RELEASE SOFTWARE (fc2), which I am trying to use to create a VPN to a remote site running the following version: Cisco IOS XE Software, Version 16.06.04
Cisco IOS Software [Everest], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.6.4, RELEASE SOFTWARE (fc3)

What could be the reason as to why the VPN still remains in MM_NO_STATE?

8 Replies

Please provide the full output of the debug, use the command "debug crypto isakmp", perform this on both routers.
Provide the full configuration for review as well.

I have attached the debug and configs of the remote office router.

Is there a firewall or ACL on the main office router potentially denying traffic and stopping the remote site from establishing the tunnel?
Can the remote office router ping the IP address of the main office router?
Run debug on the main office router and/or a packet capture to determine whether traffic is even received.

Hello Rob,

My Main Office router has over 25 remote offices connected and able to communicate with the main office. The topology at the main office is like this: Router (1921 series) >>>> Firewall >>> Internal LAN

On the remote router (4200 Series), when I run show crypto isakmp sa, the state of the tunnel shows MM_NO_STATE.

The remote router only stops pinging the public IP of the main office, but the LAN is not reachable.

So is there an ACL on the main office router's outside/external interface?
I don't understand your last comment, can the remote router ping the public IP address of the main office router?
Have you run debug and/or packet capture on the main office router to confirm that the remote router is attempting to communicate?

Yes, we have ACLs on the main office router.

Currently the remote router cannot access the main office; the only interface it can ping is the public IP of the main office.

I have run a debug on the main office router, but there is no sign of that specific router connecting or initiating any communication to the Main Office router.

Thank You

If there is no communication from the remote site to the main site, then do you have the correct peer IP address for the main site defined in the crypto map of the remote site router?

What does the ACL do on the main router? Does it permit UDP/500, ESP (UDP/4500 if nat) from the remote site public IP address?

Is there another device (router/firewall) in front of the remote site router that could NAT the traffic?
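As an added example (not configuration from the original thread or from either poster), this is the shape of the inbound ACL entries Rob is asking about on the main office router's outside interface, with the hit counters used to confirm whether the remote peer's traffic arrives at all. The peer addresses are placeholders from the documentation ranges and the interface name is assumed:

```cisco
! Placeholders (RFC 5737 documentation ranges), replace with the real peers:
!   203.0.113.10  = remote office router public IP
!   198.51.100.1  = main office router public IP
ip access-list extended OUTSIDE-IN
 remark IKE phase 1/2 negotiation (ISAKMP, UDP/500)
 permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
 remark IKE NAT traversal (UDP/4500), only needed if a NAT device sits in the path
 permit udp host 203.0.113.10 host 198.51.100.1 eq non500-isakmp
 remark Encrypted IPsec payload (IP protocol 50)
 permit esp host 203.0.113.10 host 198.51.100.1
 remark ... existing entries for the other 25 remote sites follow ...
!
! Interface name assumed; apply the ACL inbound on the Internet-facing interface
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
!
! Verification from enable mode on the main office router:
! If the three counters below never increment, the remote router's IKE
! traffic is not reaching this interface (upstream NAT/firewall, wrong
! peer address in the remote crypto map), rather than being dropped here.
show access-lists OUTSIDE-IN
show crypto isakmp sa
!
! Limit the ISAKMP debug to the one problem peer so the other 25 tunnels
! do not flood the log:
debug crypto condition peer ipv4 203.0.113.10
debug crypto isakmp
```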

Hey Rob,

1. The correct peer is defined in the crypto map for the remote site.

2. I don't have any ACL permitting UDP/500, ESP (UDP/4500 if NAT) directly on either router.

3. At the remote site there is no device after the router.

Thank You