troubleshoot the site-to-site vpn Problem

Discussion in 'Cisco' started by Benson, Apr 27, 2005.

  1. Benson

    Benson Guest

    Hi,

    i have set up a site-to-site VPN, but has problem which I can not
    access the network access and network resources between sites.

    1. When I use the command: show isakmp sa

    dst sr state pending created
    abc xyz QM_IDLE 0 0


    2. when I use the command : show crypto engine

    active = 0

    ( I think this command can be used when the link ( network sevice ) is
    established between sites ).

    So :
    How can I know if the site-to-site VPN is working ( the IPsec tunnel
    is formed ) ?

    How can I know if the network resource is accessed by either of sites
    ?

    Thank you
    Benson
    Benson, Apr 27, 2005
    #1
    1. Advertising

  2. Benson

    RobO Guest

    Hi Benson,

    Are you able to ping any devices across the tunnel?
    Try do an extended ping from one of the routers using your inside
    interface as the source to the other side or ping from a PC on one side
    to a PC on the other side.

    After you have run the ping, check with "sh crypto ipsec sa" and see if
    any packets are actually getting encrypted/decrypted -
    encapsulated/decapsulated.

    If you are getting a response from the pings it might be that your MTU
    or TCP maximum segment size needs to be decreased.
    Let me know.

    Do you have route statements for both networks?

    Rob
    RobO, Apr 27, 2005
    #2
    1. Advertising

  3. Benson

    Benson Guest

    Hi, Rob,

    Do you think from my observation, the IPsec tunnel is formed or not ?

    I can not ping any resources in each site, what do you think about the
    network status ?

    Thank you
    Benson



    (Benson) wrote in message news:<>...
    > Hi,
    >
    > i have set up a site-to-site VPN, but has problem which I can not
    > access the network access and network resources between sites.
    >
    > 1. When I use the command: show isakmp sa
    >
    > dst sr state pending created
    > abc xyz QM_IDLE 0 0
    >
    >
    > 2. when I use the command : show crypto engine
    >
    > active = 0
    >
    > ( I think this command can be used when the link ( network sevice ) is
    > established between sites ).
    >
    > So :
    > How can I know if the site-to-site VPN is working ( the IPsec tunnel
    > is formed ) ?
    >
    > How can I know if the network resource is accessed by either of sites
    > ?
    >
    > Thank you
    > Benson
    Benson, Apr 28, 2005
    #3
  4. Benson

    RobO Guest

    The tunnel looks to be established depending on how long the ISAKMP SA
    stays in that state(QM_IDLE).
    Have you got any routes to either side of the network?

    Post your config if you can it will be easier to troubleshoot.

    Rob
    RobO, Apr 28, 2005
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Steve Richter

    troubleshoot port forwarding problem

    Steve Richter, May 9, 2005, in forum: Cisco
    Replies:
    3
    Views:
    2,408
  2. Dirk Westfal
    Replies:
    5
    Views:
    8,976
    Dirk Westfal
    Mar 14, 2006
  3. Jeff J

    Can anyone help troubleshoot this Windows problem?

    Jeff J, Apr 30, 2004, in forum: Computer Information
    Replies:
    8
    Views:
    401
  4. Masterx81
    Replies:
    1
    Views:
    491
    Masterx81
    Mar 8, 2007
  5. pasatealinux
    Replies:
    1
    Views:
    1,999
    pasatealinux
    Dec 17, 2007
Loading...

Share This Page