Troubleshoot the site-to-site VPN problem

Hi,

I have set up a site-to-site VPN, but I have a problem: I cannot access the network and the network resources between sites.

  1. When I use the command: show isakmp sa

dst   sr    state     pending   created
abc   xyz   QM_IDLE   0         0

  2. When I use the command: show crypto engine

active = 0

(I think this command can be used when the link (network service) is established between sites.)

So: how can I know if the site-to-site VPN is working (the IPsec tunnel is formed)?

How can I know if the network resource is accessed by either of the sites?

Thank you Benson


Hi Benson,

Are you able to ping any devices across the tunnel? Try doing an extended ping from one of the routers, using your inside interface as the source, to the other side, or ping from a PC on one side to a PC on the other side.

After you have run the ping, check with "sh crypto ipsec sa" and see if any packets are actually getting encrypted/decrypted - encapsulated/decapsulated.

If you are getting a response from the pings, it might be that your MTU or TCP maximum segment size needs to be decreased. Let me know.

Do you have route statements for both networks?

Rob
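
The check Rob describes above (ping, then read the encaps/decaps counters in "sh crypto ipsec sa"), as an added example that is not part of the original thread: a Python script that parses a constructed sample of that output and maps the counters to what to check next. The sample text, the crypto map name VPNMAP, the addresses and the wording returned by diagnose() are assumptions made for illustration.

```python
import re

# Constructed sample of `show crypto ipsec sa` output (names and addresses are examples).
SAMPLE = """\
interface: outside
    Crypto map tag: VPNMAP, local addr. 192.0.2.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer: 198.51.100.2
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

IDENT = re.compile(r"(local|remote)\s+ident[^:]*:\s*\(([^)]+)\)")
COUNT = re.compile(r"#pkts (encaps|decaps):\s*(\d+)")

def parse_sas(text):
    """Return one dict per local/remote ident pair with its packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            if m.group(1) == "local":      # a local ident starts a new SA block
                cur = {"encaps": 0, "decaps": 0}
                sas.append(cur)
            if cur is not None:
                cur[m.group(1)] = m.group(2)
            continue
        for name, value in COUNT.findall(line):
            if cur is not None:
                cur[name] = int(value)
    return sas

def diagnose(sa):
    """Map the counters to the next thing to check (added interpretation)."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return "no traffic matched: check routes and the crypto ACL"
    if dec == 0:
        return "encrypting but nothing returns: check the remote side's routes and ACL"
    if enc == 0:
        return "decrypting but replies are not encrypted: check local routes and ACL"
    return "traffic passes both ways: if sessions still fail, look at MTU/MSS"

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["local"], "->", sa["remote"], ":", diagnose(sa))
```

Run the ping first, then paste the real command output in place of SAMPLE; counters that do not increase between two runs mean the test traffic never reached the tunnel.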


Hi, Rob,

From my observation, do you think the IPsec tunnel is formed or not?

I cannot ping any resources in each site. What do you think about the network status?

Thank you Benson


The tunnel looks to be established, depending on how long the ISAKMP SA stays in that state (QM_IDLE). Have you got any routes to either side of the network?

Post your config if you can; it will be easier to troubleshoot.

Rob
