[c-nsp] Unable to pass traffic for new vpn connection

Peter Rathlev peter at rathlev.dk
Tue Aug 13 14:25:08 EDT 2013


On Mon, 2013-08-12 at 09:18 -0700, false wrote:
> If I initiate a ping from the Cisco side, it doesn't prompt the tunnel
> to come up. ???? Any ideas?

How do you ping from the Cisco side? You need something with a source
address inside 192.168.3.0/24 to raise the tunnel.

...
> !
> route-map nonat permit 41

Since 41 is an odd starting number: Are there any other elements in this
route-map?

...
> ip route 0.0.0.0 0.0.0.0 50.50.50.x
> ip route 10.1.0.0 255.255.0.0 Tunnel32
> ip route 172.18.1.0 255.255.255.0 192.168.3.254
> ip route 172.18.2.0 255.255.255.0 192.168.3.254
> ip route 172.18.3.2 255.255.255.255 Service-Engine0/0
> ip route 192.168.1.0 255.255.255.0 Tunnel31
> ip route 192.168.2.0 255.255.255.0 Tunnel32
> ip route 192.168.10.0 255.255.255.0 192.168.3.254

Where is 192.168.3.0/24? Reachable via the default or just not shown
here?

> sh cry isa sa
> IPv4 Crypto ISAKMP SA
> dst src state conn-id status
> 50.50.50.1 7.7.7.7 QM_IDLE 1003 ACTIVE
> sh crypto isa sa
> protected vrf: (none)
> local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
> remote ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
> current_peer 7.7.7.7 port 35381
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
> #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

This shows that the Cisco device doesn't think it has received any packets
on this SA. And of course, for the test from 192.168.3.0/24, that it
hasn't encountered anything to use the SA on from itself.

-- 
Peter
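To make the two checks in this reply mechanical (does the test flow fall inside the SA's local/remote identities, and has the SA actually moved any packets), here is an added Python example that is not part of the thread; SAMPLE_SA_OUTPUT is a constructed copy of the fields quoted from the poster's "show crypto ipsec sa", and the ping source addresses used are assumed test values.

```python
import ipaddress
import re

# Constructed sample, mirroring the fields quoted in the thread from
# "show crypto ipsec sa" (same addresses as in the post).
SAMPLE_SA_OUTPUT = """\
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.180.0/255.255.255.0/0/0)
current_peer 7.7.7.7 port 35381
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT_RE = re.compile(r"(local|remote) ident .*?: \((\S+?)/(\S+?)/\d+/\d+\)")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_ipsec_sa(text):
    """Pull the proxy identities and packet counters out of one SA block."""
    sa = {}
    for which, addr, mask in IDENT_RE.findall(text):
        # IOS prints the mask in dotted form; ipaddress accepts that directly.
        sa[which] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    for name, count in COUNTER_RE.findall(text):
        sa[name] = int(count)
    return sa


def sa_matches(sa, src, dst):
    """True if a src->dst flow sits inside the SA's local/remote identities."""
    return (ipaddress.ip_address(src) in sa["local"]
            and ipaddress.ip_address(dst) in sa["remote"])


def diagnose(sa, src, dst):
    """Explain why a test ping would or would not be carried by this SA."""
    if not sa_matches(sa, src, dst):
        # A ping sourced from the WAN address never matches the crypto ACL.
        return f"{src}->{dst} is outside the SA identities; it will not be encrypted"
    if sa["encaps"] == 0 and sa["decaps"] == 0:
        return "flow matches, but no packets have been encapsulated or decapsulated yet"
    return "flow matches and the SA is carrying traffic"


if __name__ == "__main__":
    sa = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    print(diagnose(sa, "50.50.50.1", "192.168.180.10"))   # assumed WAN-sourced ping
    print(diagnose(sa, "192.168.3.10", "192.168.180.10"))  # assumed LAN-sourced ping
```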