Arun,
Please provide more detail about this and maybe a sample of your configuration. Debug output would definitely be helpful too.

Regards,

Tyson Scott - CCIE #13513 R&S and Security
Technical Instructor - IPexpert, Inc.
Telephone: +1.810.326.1444
Cell: +1.248.504.7309
Fax: +1.810.454.0130
Mailto: [email protected]

From: [email protected] [mailto:[email protected]] On Behalf Of arun et
Sent: Sunday, July 19, 2009 12:59 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 37, Issue 21

Dear Group,

I was trying to do an IPsec site-to-site VPN with Cisco IOS CA.

R1 - R2 - R3

R2 is the IOS CA.

Everything seems okay, but whenever the interesting traffic passes through the tunnel, status will be ACTIVE but the state will be MM_KEY_EXCHANGE, all the traffic will be dropped, and after a few minutes the IKE SA will be down.

Can anyone help me with this?

Regards,
AET

> From: [email protected]
> Subject: CCIE_Security Digest, Vol 37, Issue 21
> To: [email protected]
> Date: Sun, 19 Jul 2009 12:00:02 -0400
>
> Today's Topics:
>
> 1. Just a quick tip (Paul Stewart)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 19 Jul 2009 09:50:24 -0400
> From: Paul Stewart <[email protected]>
> Subject: [OSL | CCIE_Security] Just a quick tip
> To: [email protected]
>
> My thinking is usually packet oriented. If you are dealing with a TCP
> connection failing, I find it is easy to get "just enough" information by
> matching on the SYN flag.
>
> access-list 101 permit tcp any any syn
> debug ip packet detail 101
>
> That usually yields enough information to see if the device is getting
> the packet, if it has been NAT'd, and if it responds. Since we are matching
> on SYNs, it will ignore established connections and no further filtering is
> typically necessary.
