http://globalconfig.net/ccie-security/hit-a-wall-easyvpn-problems/ Studying for Network Certifications Thu, 01 Dec 2011 17:41:40 +0000 hourly 1 http://wordpress.org/?v=3.3.1 http://globalconfig.net/ccie-security/hit-a-wall-easyvpn-problems/#comment-82 Joey Boyer Wed, 06 Aug 2008 17:06:28 +0000 http://cciestudy.brandonjcarroll.com/2008/08/05/hit-a-wall-easyvpn-problems/#comment-82 <p>Stretch is on the right track afaik. If it hasn't cleared itself by the time you get back to it you may want to shut the tunnels, clear crypto, wait a few and open the tunnels back up. Usually does the trick...</p> Stretch is on the right track afaik. If it hasn’t cleared itself by the time you get back to it you may want to shut the tunnels, clear crypto, wait a few and open the tunnels back up. Usually does the trick…

]]> http://globalconfig.net/ccie-security/hit-a-wall-easyvpn-problems/#comment-81 Brandon Wed, 06 Aug 2008 13:24:36 +0000 http://cciestudy.brandonjcarroll.com/2008/08/05/hit-a-wall-easyvpn-problems/#comment-81 <p>@stretch Thanks for that stretch. I'm gonna jump back on the racks as soon as I get into the office and see what goes. its weird that an IKEDBG shows phase 1 looking ok but absolutley NOTHING for phase 2.</p> @stretch Thanks for that stretch. I’m gonna jump back on the racks as soon as I get into the office and see what goes. its weird that an IKEDBG shows phase 1 looking ok but absolutley NOTHING for phase 2.

]]> http://globalconfig.net/ccie-security/hit-a-wall-easyvpn-problems/#comment-80 stretch Wed, 06 Aug 2008 08:05:56 +0000 http://cciestudy.brandonjcarroll.com/2008/08/05/hit-a-wall-easyvpn-problems/#comment-80 <p>Just a shot in the dark, but it could be that the local and remote peers had an ISAKMP SA established at one point and the local peer tore it down uncleanly for whatever reason. The remote peer, thinking it still has an active SA, continues to send ISAKMP traffic to the local peer. So when the local peer receives an ISAKMP packet even though it doesn't currently have an SA with that peer, it goes "WTF, mate?" and drops it.</p> Just a shot in the dark, but it could be that the local and remote peers had an ISAKMP SA established at one point and the local peer tore it down uncleanly for whatever reason. The remote peer, thinking it still has an active SA, continues to send ISAKMP traffic to the local peer. So when the local peer receives an ISAKMP packet even though it doesn’t currently have an SA with that peer, it goes “WTF, mate?” and drops it.

]]>