[c-nsp] IPSec problems
John Kougoulos
koug at intracom.gr
Tue Sep 28 12:16:47 EDT 2010
Hello,
You can use "show crypto ipsec sa detail" and check the counters.
Maybe you need to increase the "replay window-size". See:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_iarwe.html
If you can't find what is wrong, also try switching to tunnel mode, just
in case this somehow affects the routers.
Regards,
John
On Tue, 28 Sep 2010, Stephane MAGAND wrote:
> Hi
>
> I have a new problem with my IPSec tunnels ...
>
> Two routers:
>
> Cisco 2821 with AIM, connected via FastEthernet to the Internet
> Cisco 1721, connected via ADSL.
>
>
> When I ping from the 2821 to the 1721 using the public Internet address, no
> problems:
>
> C2821#ping 84.xx.xx.1 size 600 repeat 150
>
> Type escape sequence to abort.
> Sending 150, 600-byte ICMP Echos to 84.xx.xx.1, timeout is 2 seconds:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !!!!!!!!!!
> Success rate is 100 percent (150/150), round-trip min/avg/max = 44/46/68 ms
>
>
> But when I ping using the IPSec tunnel:
>
> C2821#ping vrf VPN003 10.11.12.254 size 600 repeat 150
>
> Type escape sequence to abort.
> Sending 150, 600-byte ICMP Echos to 10.11.12.254, timeout is 2 seconds:
> !!!!!!!!.!!!!!!!!!!!!!!..!!!!..!.!.!!!!.!.!!....!..!!.!!!!!.!!!!!!.!!!
> !!!!!!!!!!!.!.!!!!!.!!.!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!.!!!!.!!!!!!!!!.
> !!!!!!!!.!
> Success rate is 81 percent (122/150), round-trip min/avg/max = 52/58/104 ms
>
>
>
> 20 percent lost.
>
> Where can I debug the problem?
>
> Thanks
> Stephane