Hi Kings,

Yes, L3 reachability was fine. I had a default route on the client learned via OSPF and could ping the server. I also tried with a default route learned via EIGRP. If I change nothing else except making the default route on the client static or adding a static host route to the server, it works. Note no changes were made to transit devices. Go figure!

On 3/14/12, Kingsley Charles <[email protected]> wrote:
> Route learnt from any source should work. You should make sure that the
> router in between who is generating the route using IGP should have a route
> to the server.
>
> Were you able to ping from client to the server using those routes
> when you were not able to connect?
>
> With regards
> Kings
>
> On Tue, Mar 13, 2012 at 7:14 AM, Joe Astorino
> <[email protected]> wrote:
>
>> Some more interesting information: If I add a static default route
>> instead of one learned via an IGP it works perfectly. Strange
>> stuff!!! Maybe EZVPN remote just expects and demands that you have a
>> static default route to your ISP.
>>
>> On Mon, Mar 12, 2012 at 9:29 PM, Joe Astorino <[email protected]>
>> wrote:
>> > I have run into an interesting problem and was wondering if you guys
>> > have seen this before or know why it happens. I have EZVPN remote
>> > configured on a router. This EZVPN remote client has a default route
>> > learned via EIGRP. Every time I tried to initiate an ezvpn connection
>> > it would immediately fail, saying the IPSEC session was terminated.
>> > "debug crypto isakmp" on the server showed it was passing IKE phase 1
>> > and the server was sending it an XAUTH request....the client never
>> > responded to that request because it had terminated the session before
>> > the request made it there.
>> >
>> > The interesting thing is this: a "debug crypto ipsec client ezvpn"
>> > on the client end reveals immediately after attempting to start the
>> > session: EZVPN(EZVPN): No route to peer 200.0.23.3, resetting the
>> > connection
>> >
>> > 200.0.23.3 in this case is the EZVPN server. Like I said, I have a
>> > default route learned via EIGRP from an upstream device and 200.0.23.3
>> > is pingable. Now for the real fun -- If I add a host route for
>> > 200.0.23.3, everything works :) Any ideas?

--
Sent from my mobile device

Regards,

Joe Astorino
CCIE #24347
http://astorinonetworks.com

"He not busy being born is busy dying" - Dylan
