I’ve found a number of times that when a crypto map is applied to an interface, changes to the transform-set that the crypto map references are not applied instantaneously. For example, suppose you have this crypto map:
crypto map MYMAP 10 ipsec-isakmp
 set peer 22.214.171.124
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set transform-set MYSET
 set pfs group5
 match address MY_INTERESTING_TRAFFIC
Now if you change MYSET, the router may keep proposing the old MYSET. Ways to get the new transform-set to take effect:
- be patient, wait 15 minutes
- remove the crypto map from the interface and apply it again
- shut and unshut the interface
So if you’re troubleshooting a broken site-to-site VPN, make one change, wait 15 minutes, check, and only if it’s still not working make another change.
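The IOS commands for the options above, as an added example that is not from the original post: the peer address and crypto map name are the ones in the post, while the transform-set contents and the interface name GigabitEthernet0/0 are placeholders I assumed. The `clear crypto sa` step is my addition; it tears down the existing SAs so the next negotiation has to use the new transform-set instead of waiting for the old SA to expire.

```text
! Assumed: MYMAP is applied to GigabitEthernet0/0 (interface name is a placeholder)
! 1. Edit the transform-set that MYMAP references (constructed example values)
configure terminal
 crypto ipsec transform-set MYSET esp-aes 256 esp-sha-hmac
  mode tunnel
 exit
end
!
! 2a. Tear down the existing IPsec SAs to this peer so the next negotiation
!     uses the new transform-set (my addition, not one of the post's options)
clear crypto sa peer 22.214.171.124
!
! 2b. Or: remove the crypto map from the interface and apply it again
configure terminal
 interface GigabitEthernet0/0
  no crypto map MYMAP
  crypto map MYMAP
 exit
!
! 2c. Or: bounce the interface
 interface GigabitEthernet0/0
  shutdown
  no shutdown
 end
!
! 3. Verify what the router is actually using before changing anything else
show crypto map
show crypto ipsec sa peer 22.214.171.124
```

After each change, the "transform:" line in the output of `show crypto ipsec sa` is the check that matters: it shows the transform-set the active SA was negotiated with, so if it still lists the old proposal, the change has not taken effect yet and the 15-minute rule from above applies before touching anything else.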
Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end trying one thing after another, and nothing worked. We ended the session and set up another one for the next day. I reverted the config to the original settings and made 1 change that should be OK (but it still wasn’t OK!), went shopping, came back, and it just worked!