Dear Group,

I was trying to do an IPSEC site-to-site VPN with CISCO IOS CA.

R1 - R2 - R3

R2 IS THE IOS CA

Everything seems okay, but whenever the interesting traffic passes through,
the tunnel status will be ACTIVE but the state will be MM_KEY_EXCHANGE, all
the traffic will be dropped, and after a few minutes the IKE SA will be down.
Can anyone help me with this?

Regards,
AET

> From: [email protected]
> Subject: CCIE_Security Digest, Vol 37, Issue 21
> To: [email protected]
> Date: Sun, 19 Jul 2009 12:00:02 -0400
> 
> Today's Topics:
> 
>    1. Just a quick tip (Paul Stewart)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 19 Jul 2009 09:50:24 -0400
> From: Paul Stewart <[email protected]>
> Subject: [OSL | CCIE_Security] Just a quick tip
> To: [email protected]
> 
> My thinking is usually packet oriented.  If you are dealing with a tcp
> connection failing, I find it is easy to get "just enough" information by
> matching on the syn flag.
> 
> access-list 101 permit tcp any any syn
> debug ip packet detail 101
> 
> That usually yields enough information to see if the device is getting
> the packet, if it has been nat'd, and if it responds.  Since we are matching
> on syn's, it will ignore established connections and no further filtering is
> typically necessary.