I've two sites (SG & KL) running with Cisco router and connected with an ipsec tunnel. Recently, there's a new subnet created in 'KL'. I've modified the crypto acl, include the new subnet in both router setting. Unfortunately, SG's workstation failed to connect to the new subnet of 'KL'. Then I checked both router crypto map status, it said isakmp SA is failed to established.
Under existing tunnel setting, both subnets are under the same isakmp & ipsec profile, as well as same secret key. Why does the new subnet SA can't be established but the old subnet does work without any problem ? Any thought ?
For my understanding, both routers will negotiate and exchanged local network parameters, if both parameters & profile are matched, the SA will be established. Will these routers attempt to connect to the new subnet during SA negotiation ? As the new subnet is connected to another router device behind the lan, the router may not have the access during negotiation stage. would it be the cause ? I only want to ensure the SA will be established and I'll troubleshoot the connectivity issue later.
Below are 'sh cry isakmp output' & two routers configuration for your reference :
SGoff1#sh cry isa sa dst src state conn-id slot126.96.36.199 188.8.131.52 MM_NO_STATE 155 0 (deleted) 184.108.40.206 220.127.116.11 QM_IDLE 156 0
SG router:- crypto isakmp key xxxxx address 18.104.22.168
crypto map KLoff1 1 ipsec-isakmp set peer 22.214.171.124 set transform-set esp-3des-sha match address KL-SG
interface FastEthernet0/0 description Outside ip address 126.96.36.199 255.255.255.128 crypto map YNRVPN28501 ! interface FastEthernet0/1 description Outside ip address 192.168.146.1 255.255.255.0 crypto map YNRVPN28501
ip access-list extended KL-SG permit ip 192.168.146.0 0.0.0.255 host 188.8.131.52