VPN Proble - show crypto isa sa show nothing

derar1990
Level 1

Hello,

I need urgent help. I have a VPN connection between a Cisco router and Microsoft Azure. I can ping the Azure DNS server, but the show crypto commands show nothing. The configuration for my VPN is as follows:

crypto ikev2 proposal IKE-PROP-AZURE
encryption aes-cbc-256 aes-cbc-128 3des
integrity sha256
group 2
!
crypto ikev2 policy IKE-POLICY-AZURE
proposal IKE-PROP-AZURE
!
crypto ikev2 keyring KEYRING-AZURE
peer 52.236.X.X
address 52.236.X.X
pre-shared-key XXXXXX
!
!
!
crypto ikev2 profile PROFILE-PH1-AZURE
match address local interface GigabitEthernet0/0
match identity remote address 52.236.X.X 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local KEYRING-AZURE
!
!
!
!
!
crypto ipsec transform-set TRANSFORM-AZURE esp-aes 256 esp-sha-hmac
mode tunnel
!
crypto ipsec profile PROFILE-PH2-AZURE
set transform-set TRANSFORM-AZURE
set ikev2-profile PROFILE-PH1-AZURE
!
!
interface Tunnel3
ip address 169.254.0.1 255.255.255.0
ip tcp adjust-mss 1350
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination 52.236.X.X
tunnel protection ipsec profile PROFILE-PH2-AZURE
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Wan Connection
ip address 213.186.X.X 255.255.255.248
ip access-group 199 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 192.168.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 213.186.X.X
ip route 10.0.0.0 255.0.0.0 Tunnel3
ip route 192.168.6.0 255.255.255.0 192.168.5.2
!
!
!
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 192.168.5.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 102 permit ip 192.168.5.0 0.0.0.255 any
access-list 199 deny ip 192.168.10.0 0.0.0.255 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 10.0.0.0 0.255.255.255 any log
access-list 199 deny ip 0.0.0.0 0.255.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 deny ip 192.0.2.0 0.0.0.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 224.0.0.0 31.255.255.255 any log
access-list 199 deny ip host 255.255.255.255 any log
access-list 199 permit ip any any log
access-list 199 deny ip any any log

#show crypto ipsec sa

interface: Tunnel3
Crypto map tag: Tunnel3-head-0, local addr 213.186.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 52.236.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 29488, #pkts encrypt: 29488, #pkts digest: 29488
#pkts decaps: 38548, #pkts decrypt: 38548, #pkts verify: 38548
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 213.186.X.X, remote crypto endpt.: 52.236.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCDCA246C(3452576876)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xB94F10D1(3108966609)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3352, flow_id: Onboard VPN:1352, sibling_flags 80000040, crypto map: Tunnel3-head-0
sa timing: remaining key lifetime (k/sec): (4178956/1218)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xCDCA246C(3452576876)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3351, flow_id: Onboard VPN:1351, sibling_flags 80000040, crypto map: Tunnel3-head-0
sa timing: remaining key lifetime (k/sec): (4179473/1218)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

#show crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA

What is missing in my configuration? Notice that if I shut down the Tunnel3 interface I lose the ping to the Azure server. I don't know how the connection is up, but the show commands don't show anything.

1 Reply

JP Miranda Z
Cisco Employee

Hi derar1990,

sh cry isa sa is a command used to see an IKEv1 tunnel; try running sh cry ikev2 sa.

Hope this info helps!!

Rate if it helps you!!

-JP-
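The reply above is the whole fix: the tunnel is negotiated by IKEv2, so the IKEv1 table is empty while the IPsec SAs are ACTIVE and the encaps/decaps counters are climbing. As an added example that is not part of this thread, the Python script below checks the same thing programmatically: it parses the three outputs involved (the IKEv2 SA table the reply points at, the IPsec SA output the poster pasted, and the empty ISAKMP table), decides which IKE version holds the tunnel, confirms the ESP SAs are active with traffic in both directions, and flags the DH group 2 and 3DES choices that appear in the posted proposal. The `show crypto ikev2 sa` text is a constructed sample in the layout IOS prints for a READY SA, the IPsec output is abridged from the post, the addresses are RFC 5737 placeholders, and the function names are my own (all assumptions).

```python
import re

# Constructed sample of "show crypto ikev2 sa" (the command the reply recommends),
# in the layout IOS prints for a READY SA. Addresses are RFC 5737 placeholders.
IKEV2_SA_SAMPLE = """\
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         198.51.100.10/500     203.0.113.20/500      none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1218 sec

 IPv6 Crypto IKEv2  SA
"""

# "show crypto ipsec sa", abridged from the block in the post, placeholder addresses.
IPSEC_SA_SAMPLE = """\
interface: Tunnel3
Crypto map tag: Tunnel3-head-0, local addr 198.51.100.10
current_peer 203.0.113.20 port 500
#pkts encaps: 29488, #pkts encrypt: 29488, #pkts digest: 29488
#pkts decaps: 38548, #pkts decrypt: 38548, #pkts verify: 38548
#send errors 0, #recv errors 0
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB94F10D1(3108966609)
transform: esp-256-aes esp-sha-hmac ,
Status: ACTIVE(ACTIVE)
inbound ah sas:
outbound esp sas:
spi: 0xCDCA246C(3452576876)
transform: esp-256-aes esp-sha-hmac ,
Status: ACTIVE(ACTIVE)
"""

# "show crypto isakmp sa" exactly as in the post: an IKEv1 table with no rows.
ISAKMP_SA_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id status

IPv6 Crypto ISAKMP SA
"""

IKEV2_ROW = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+\s+(\S+)\s*$")
IKEV2_ALGS = re.compile(r"^\s+Encr:\s*([^,]+),\s*keysize:\s*(\d+),.*DH Grp:(\d+)")
IKEV1_ROW = re.compile(r"^\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s")


def parse_ikev2_sa(text):
    """One dict per IKEv2 SA row, with the algorithms from the indented Encr: line."""
    sas = []
    for line in text.splitlines():
        m = IKEV2_ROW.match(line)
        if m:
            sas.append({"tunnel_id": int(m.group(1)), "local": m.group(2),
                        "remote": m.group(3), "status": m.group(4)})
            continue
        m = IKEV2_ALGS.match(line)
        if m and sas:
            sas[-1].update({"encr": m.group(1), "keysize": int(m.group(2)),
                            "dh_group": int(m.group(3))})
    return sas


def parse_ipsec_sa(text):
    """Peer, packet counters and ESP SA status from 'show crypto ipsec sa'."""
    r = {"interface": None, "peer": None, "encaps": 0, "decaps": 0,
         "send_errors": 0, "recv_errors": 0, "esp_sas": []}
    direction = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            r["interface"] = s.split(":", 1)[1].strip()
        elif s.startswith("current_peer"):
            r["peer"] = s.split()[1]
        elif s.startswith("#pkts encaps:") or s.startswith("#pkts decaps:"):
            key = s[6:12]  # "encaps" or "decaps"
            r[key] = int(re.search(r"%s:\s*(\d+)" % key, s).group(1))
        elif s.startswith("#send errors"):
            m = re.search(r"#send errors\s*(\d+),\s*#recv errors\s*(\d+)", s)
            r["send_errors"], r["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif s.endswith(" sas:"):
            direction = s.split()[0] if " esp " in s else None  # skip ah/pcp tables
        elif s.startswith("spi:") and direction:
            r["esp_sas"].append({"dir": direction, "spi": s.split()[1].split("(")[0], "status": None})
        elif s.startswith("Status:") and r["esp_sas"]:
            r["esp_sas"][-1]["status"] = s.split(":", 1)[1].strip()
    return r


def isakmp_sa_count(text):
    """Number of IKEv1 SA rows: lines in the ISAKMP table beginning with two addresses."""
    return sum(1 for line in text.splitlines() if IKEV1_ROW.match(line))


def tunnel_report(ikev2_text, ipsec_text, isakmp_text, peer):
    """Decide which IKE version holds the tunnel to `peer` and whether traffic flows."""
    ikev2 = [sa for sa in parse_ikev2_sa(ikev2_text) if sa["remote"] == peer]
    ipsec = parse_ipsec_sa(ipsec_text)
    ikev1_rows = isakmp_sa_count(isakmp_text)
    rep = {
        "ike_version": "IKEv2" if ikev2 else ("IKEv1" if ikev1_rows else None),
        "ike_ready": any(sa["status"] == "READY" for sa in ikev2),
        "peer_matches": ipsec["peer"] == peer,
        "esp_active": bool(ipsec["esp_sas"]) and all((sa["status"] or "").startswith("ACTIVE") for sa in ipsec["esp_sas"]),
        "traffic_both_ways": ipsec["encaps"] > 0 and ipsec["decaps"] > 0,
        "notes": [],
    }
    if ikev2 and not ikev1_rows:
        rep["notes"].append("tunnel is IKEv2: 'show crypto isakmp sa' stays empty, use 'show crypto ikev2 sa'")
    for sa in ikev2:
        if sa.get("dh_group", 99) < 14:  # group 2 is 1024-bit MODP
            rep["notes"].append("IKEv2 SA %d uses DH group %d; prefer group 14 or higher" % (sa["tunnel_id"], sa["dh_group"]))
        if sa.get("encr", "").upper().startswith("3DES"):
            rep["notes"].append("IKEv2 SA %d negotiated 3DES; drop it from the proposal" % sa["tunnel_id"])
    if ipsec["send_errors"] or ipsec["recv_errors"]:
        rep["notes"].append("IPsec send/recv errors present: check MTU and replay counters")
    return rep


if __name__ == "__main__":
    for k, v in tunnel_report(IKEV2_SA_SAMPLE, IPSEC_SA_SAMPLE, ISAKMP_SA_SAMPLE, "203.0.113.20").items():
        print(k, v)
```

Run against the samples, the report says IKEv2, READY, ESP active, traffic in both directions, and notes that the ISAKMP table is expected to stay empty; it also flags DH group 2, which the posted proposal offers alongside 3des and which Azure accepted here. On a live router the same functions can be fed the raw output of the three commands captured over SSH.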