VRF and virtual-template are mutually exclusive...

R7(conf-isa-prof)#vrf SITE1
% Virtual Template already configured in isakmp profile. VRF not allowed
R7(conf-isa-prof)#virtual-template 1
% VRF already set for isakmp profile. Virtual Template not allowed

On Sun, Apr 18, 2010 at 12:03 AM, Kingsley Charles <[email protected]> wrote:

> You can't ping from the server, right, as the client is in client mode, not
> net ext mode?
>
> Yes, it is a routing problem, but the O/Ps seem to be correct.
>
> With regards
> Kings
>
> On Sat, Apr 17, 2010 at 11:56 PM, Tyson Scott <[email protected]> wrote:
>
>> If you try to ping the client from the loopback, what happens? Try
>> enabling your debugs for ip packets etc. for looking at this. Looks like you
>> have a one way routing problem.
>>
>> Regards,
>>
>> Tyson Scott - CCIE #13513 R&S, Security, and SP
>> Technical Instructor - IPexpert, Inc.
>> Mailto: [email protected]
>> Telephone: +1.810.326.1444, ext. 208
>> Live Assistance, Please visit: www.ipexpert.com/chat
>> eFax: +1.810.454.0130
>>
>> IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
>> Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
>> CCIE (R&S, Voice, Security & Service Provider) certification(s) with
>> training locations throughout the United States, Europe, South Asia and
>> Australia. Be sure to visit our online communities at
>> www.ipexpert.com/communities and our public website at www.ipexpert.com
>>
>> *From:* [email protected] [mailto:
>> [email protected]] *On Behalf Of *Kingsley
>> Charles
>> *Sent:* Saturday, April 17, 2010 2:00 PM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] Vol 2 > lab 20 > section 4.6
>>
>> I am in lab now
>>
>> VRF aware EzVPN
>>
>> I have connected vpn client from XP and the tunnel is up. From the
>> client, I am trying to ping to 7.7.17.7 i.e., the loopback interface that is
>> in VRF SITE1.
>>
>> The ping fails. On the client side I see encrypted traffic and on R7, I
>> see decrypted. But the reply is not going back.
>>
>> Snippet O/Ps
>>
>> R7# sh ip route vrf SITE1
>>
>> C       7.7.17.0/24 is directly connected, Loopback17
>> S       7.7.17.102/32 [1/0] via 192.1.49.100, Virtual-Access2
>>
>> R7#sh crypto ip
>> R7#sh crypto ipsec sa
>>
>> interface: Virtual-Access2
>>     Crypto map tag: Virtual-Access2-head-4, local addr 192.1.73.7
>>
>>    protected vrf: SITE1
>>    local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
>>    remote ident (addr/mask/prot/port): (7.7.17.102/255.255.255.255/0/0)
>>    current_peer 192.1.49.100 port 1112
>>      PERMIT, flags={origin_is_acl,}
>>     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
>>     #pkts decaps: 7, #pkts decrypt: 7, #pkts verify: 7
>>
>> Any idea?
>>
>> With regards
>>
>> Kings
