This license should be fine; the SEC-K9 was a requirement for 29xx, 39xx and
4xxx - but 28xx and 38xx just needed the right IOS.
As others have said - you should debug, while sourcing pings from the
interesting source traffic.
Maybe open IP on the ACL to the peer address while you are
Cisco 3825 (revision 1.2) with 487424K/36864K bytes of memory.
Processor board ID FTX1422AH5E
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
500472K bytes of ATA System CompactFlash (Read/Write)
We have others doing a similar VPN, licensed the same, with the same IOS:
On Tue, May 1, 2018 at 11:57 AM, Randy wrote:
> outside-in access-lists allow proto 50, udp 500 and udp4500 if applicable?
>
> From: Emille Blanc
--- Begin Message ---
outside-in access-lists allow proto 50, udp 500 and udp4500 if applicable?
From: Emille Blanc
To: Scott Miller
Cc: cisco-nsp
Sent: Tuesday, May 1, 2018
Since no SA is shown, basically the VPN's down. If that's the output you get
every time you run this command, it doesn't even try.
First, verify you have basic connectivity between the two (ping should be
enough, pay attention to sourcing it from the same local IP, as the VPN).
Which takes us
Forgive the obvious question;
Are your 3800's licensed for IPSEC, and/or the grace period hasn't been
exhausted if not?
They require the SECK9 license.
I'd maybe specify the local source-address in your crypto maps. Otherwise,
nothing stands out as erroneous to me.
-Original Message-
Both sides show the same.
cpe-rpa-kal-gw-01#show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
cpe-rpa-kal-gw-01#
wtc-mar-gw-01# show cry isa sa
IPv4 Crypto ISAKMP SA
dst src state
Hi Scott,
What state does the VPN end on in "show cry isa sa"? Anyhow, your configuration
seems to be correct (I didn't go over the ACLs though, I hope they're an
exact mirror of each other). Does anything suspicious show up with "debug cry
isakmp"?
Not passing traffic might be related to your no-nat
I'm trying to create a VPN on two Cisco 3825's, on the same ISP in order to
have access to each other's network.
On each side, I have them built as follows:
Site WTC Inside network
192.168.1.0/24
192.168.2.0/24
Site RPA Inside network
192.168.3.0/24
192.168.4.0/24
WTC:
crypto isakmp policy 11
On Tue, 1 May 2018 07:15 Erik Sundberg, wrote:
> Here is a follow up to my email thread
>
Thanks for the follow-up info Erik, very helpful!
Cheers,
James.
___
cisco-nsp mailing list cisco-nsp@puck.nether.net
This will be great.
Especially documenting real world scenarios - IS-IS over MACSec, MPLS and
IP. Putting PCAPs is also very good idea.
I'm speaking for myself, but I think many here will agree - such
documentation will really address current state of affairs.
Thank you.
Alex.
On Tuesday,
Here is a follow up to my email thread
Cisco released the following 6.3.2 bridge SMU containing the following packages.
These packages allow the router to handle signed RPMs. I will assume they will
eventually be up on Cisco CCO website.
asr9k-sysadmin-system-6.3.1.1-r631.CSCvf01652.x86_64