crypto map not working

Discussion in 'Cisco' started by jcharth, Aug 30, 2005.

  1. jcharth

    jcharth Guest

    I just created a map between to routers, i added
    crypto ipsec transform-set
    crypto isakmp key
    and last added the crypto map

    when i do show crypto map session, nothing shows

    do i have to clear the sa and iskmp?

    will everyone get disconnect?

    jcharth, Aug 30, 2005
    1. Advertisements

  2. :I just created a map between to routers, i added
    :crypto ipsec transform-set
    :crypto isakmp key
    :and last added the crypto map

    :when i do show crypto map session, nothing shows

    :do i have to clear the sa and iskmp?

    :will everyone get disconnect?

    You aren't giving us much to go on. Is this a second (or additional)
    crypto map? On the same interface? Or is it the first crypto map?

    I don't know how it works in IOS, but in Cisco PIX when you
    change the ACL that defines a crypto map policy, or when you add
    new crypto map policies, then it is necessary to clear the ipsec SA's
    in order to be -sure- that the new entries will take effect. If you
    do not do the clear, then on the PIX sometimes the changes will take effect
    and sometimes they won't, and sometimes they will give every
    indication as if they had taken effect but they don't actually pass

    If you clear the ipsec SA's, then all IPSec users will have their
    session disconnected... and promptly renegotiated the next time their
    end sends traffic through. I don't know what happens if the session
    had been given a dynamic VPN IP pool address... I've really only
    worked with site-to-site VPNs, and those resume after the clear
    as if nothing had happened.
    Walter Roberson, Aug 31, 2005
    1. Advertisements

  3. jcharth

    dt1649651 Guest

    I think you can try SDM interface of the routers. This web interface
    eases the VPN setup. Then you can run the "debug crypto isakmp" to
    check what's going on.

    If SDM is already setup on your routers, then you can access it by
    http://router-ip or https://router-ip

    dt1649651, Aug 31, 2005
  4. jcharth

    dt1649651 Guest

    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.