Problem: IPsec comes up, but traffic is lost inside the encrypted tunnel.
Network layout: CE1<->PE4<->PE2<->CE2.
Hardware: PE - c7206 (c7200-adventerprisek9-mz.122-33.SRC.bin)
Goal: pass data between CE1 and CE2 in encrypted form.
IP interfaces:
CE1(10.0.201.2/30)<->(10.0.201.1/30)PE4(89.208.92.81/29)<->(89.208.92.82/29)PE2(10.0.201.5/30)<->10.0.201.6/30(CE2)
All the necessary routes are present in the routing table.
Without IPsec, CE1 pings CE2 and CE2 pings CE1.
CE1#ping 10.0.201.6 source 10.0.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.201.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
CE2#ping 10.0.201.2 source 10.0.201.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.201.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.6
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/8 ms
Configuration with IPsec:
PE.test4.c7206.ip################
crypto isakmp policy 9
encr aes
authentication pre-share
lifetime 3600
crypto isakmp key cisco address 89.208.92.2
!
!
crypto ipsec transform-set shifr esp-aes esp-sha-hmac
!
crypto map shifr local-address Loopback0
crypto map shifr 10 ipsec-isakmp
set peer 89.208.92.2
set transform-set shifr
match address 115
!
interface Loopback0
description -- management interface
ip address 89.208.92.4 255.255.255.255
crypto map shifr
!
interface FastEthernet2/0
!
interface FastEthernet2/0.604
description -- to CE1 10.0.101.2
encapsulation dot1Q 604
ip address 10.0.201.1 255.255.255.252
!
interface FastEthernet0/0.599
description -- to PE.test2.c7206
encapsulation dot1Q 599
ip address 89.208.92.81 255.255.255.248
crypto map shifr
!
access-list 115 permit 115 any any log
access-list 115 permit ip 10.0.201.0 0.0.0.255 10.0.201.0 0.0.0.255
PE.test2.c7206.ip router#############
crypto isakmp policy 9
encr aes
authentication pre-share
lifetime 3600
crypto isakmp key cisco address 89.208.92.4
!
!
crypto ipsec transform-set shifr esp-aes esp-sha-hmac
!
crypto map shifr local-address Loopback0
crypto map shifr 10 ipsec-isakmp
set peer 89.208.92.4
set transform-set shifr
match address 115
!
interface Loopback0
ip address 89.208.92.2 255.255.255.255
crypto map shifr
!
interface GigabitEthernet0/1.598
description -- to CE2 10.0.201.6
encapsulation dot1Q 598
ip address 10.0.201.5 255.255.255.252
!
interface GigabitEthernet0/1.599
description -- to PE.test4.c7206.ip
encapsulation dot1Q 599
ip address 89.208.92.82 255.255.255.248
crypto map shifr
!
access-list 115 permit 115 any any
access-list 115 permit ip 10.0.201.0 0.0.0.255 10.0.201.0 0.0.0.255
##########
Let's look at IPsec.
On PE2:
PE.test4.c7206.msk1#clear crypto session
CE1#ping 10.0.201.6 source 10.0.201.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.201.6, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.2
.....
Success rate is 0 percent (0/5)
PE.test4.c7206.msk1#show log
.....
[omitted]
.....
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 67
*Mar 23 10:25:23.217: IPSEC(create_sa): sa created,
(sa) sa_dest= 89.208.92.2, sa_proto= 50,
sa_spi= 0xC765A6B9(3345327801),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 68
*Mar 23 10:25:23.217: ISAKMP: Failed to find peer index node to update peer_info_list
*Mar 23 10:25:23.217: ISAKMP (1038): received packet from 89.208.92.2 dport 500 sport 500 Global (R) QM_IDLE
*Mar 23 10:25:23.217: ISAKMP:(1038):deleting node 623476414 error FALSE reason "QM done (await)"
*Mar 23 10:25:23.217: ISAKMP:(1038):Node 623476414, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Mar 23 10:25:23.217: ISAKMP:(1038):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
*Mar 23 10:25:23.217: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Mar 23 10:25:23.217: IPSEC(key_engine_enable_outbound): rec'd enable notify from ISAKMP
*Mar 23 10:25:23.217: IPSEC(key_engine_enable_outbound): enable SA with spi 3345327801/50
*Mar 23 10:25:23.217: IPSEC(update_current_outbound_sa): updated peer 89.208.92.2 current outbound sa to SPI C765A6B9
# The line that worries me: *Mar 23 10:25:23.217: ISAKMP: Failed to find peer index node to update peer_info_list
PE.test4.c7206.msk1#show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
67 Fa0/0.599 IPsec AES+SHA 0 0 89.208.92.4
68 Fa0/0.599 IPsec AES+SHA 75 0 89.208.92.4
1038 Fa0/0.599 IKE SHA+AES 0 0 89.208.92.4
PE.test4.c7206.msk1#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Loopback0
Session status: UP-ACTIVE
Peer: 89.208.92.2 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 89.208.92.2
Desc: (none)
IKE SA: local 89.208.92.4/500 remote 89.208.92.2/500 Active
Capabilities:(none) connid:1038 lifetime:00:56:45
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4519028/3405
Outbound: #pkts enc'ed 97 drop 0 life (KB/Sec) 4519012/3405
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4519028/3405
Outbound: #pkts enc'ed 97 drop 0 life (KB/Sec) 4519012/3405
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
__________
CE2#ping 10.0.201.2 source 10.0.201.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.201.2, timeout is 2 seconds:
Packet sent with a source address of 10.0.201.6
.....
Success rate is 0 percent (0/5)
PE.test2.c7206.msk1#show log
*Mar 23 10:24:28.340: IPSEC(crypto_ipsec_sa_find_ident_head): reconnecting with the same proxies and peer 89.208.92.4
*Mar 23 10:24:28.340: IPSEC(policy_db_add_ident): src 10.0.201.0, dest 10.0.201.0, dest_port 0
*Mar 23 10:24:28.340: IPSEC(create_sa): sa created,
(sa) sa_dest= 89.208.92.2, sa_proto= 50,
sa_spi= 0xC765A6B9(3345327801),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 67
*Mar 23 10:24:28.340: IPSEC(create_sa): sa created,
(sa) sa_dest= 89.208.92.4, sa_proto= 50,
sa_spi= 0x8541D835(2235684917),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 68
*Mar 23 10:24:28.340: IPSEC(update_current_outbound_sa): updated peer 89.208.92.4 current outbound sa to SPI 8541D835
*Mar 23 10:24:28.340: ISAKMP: Failed to find peer index node to update peer_info_list
*Mar 23 10:25:18.056: ISAKMP:(1037):purging node 1791119408
*Mar 23 10:25:18.056: ISAKMP:(1037):purging node -559213745
*Mar 23 10:25:18.340: ISAKMP:(1038):purging node 623476414
*Mar 23 10:25:28.056: ISAKMP:(1037):purging SA., sa=64E05844, delme=64E05844
# The line that worries me: *Mar 23 10:24:28.340: ISAKMP: Failed to find peer index node to update peer_info_list
PE.test2.c7206# show crypto engine connections active
Crypto Engine Connections
ID Interface Type Algorithm Encrypt Decrypt IP-Address
67 Lo0 IPsec AES+SHA 0 0 89.208.92.2
68 Lo0 IPsec AES+SHA 152 0 89.208.92.2
1038 Lo0 IKE SHA+AES 0 0 89.208.92.2
PE.test2.c7206#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Loopback0
Session status: UP-ACTIVE
Peer: 89.208.92.4 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 89.208.92.4
Desc: (none)
IKE SA: local 89.208.92.2/500 remote 89.208.92.4/500 Active
Capabilities:(none) connid:1038 lifetime:00:54:34
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4398951/3274
Outbound: #pkts enc'ed 1119 drop 1 life (KB/Sec) 4398924/3274
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4398951/3274
Outbound: #pkts enc'ed 1119 drop 1 life (KB/Sec) 4398924/3274
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Does anyone know why the packets are being lost?
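The counters quoted above already narrow the problem down: both PEs show rising "#pkts enc'ed" and a constant "#pkts dec'ed 0" for the same flow, so each side sends ESP that the other never decrypts. The script below is an added example (not part of the post or of IOS) that parses the IPSEC FLOW blocks of `show crypto session detail` from both peers and names that symptom; the sample input is constructed from the output shown in the post.

```python
import re

# Constructed sample: the IPSEC FLOW counters quoted in the post, as seen on PE4 and PE2.
PE4_OUTPUT = """\
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4519028/3405
Outbound: #pkts enc'ed 97 drop 0 life (KB/Sec) 4519012/3405
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
"""
PE2_OUTPUT = """\
IPSEC FLOW: permit ip 10.0.201.0/255.255.255.0 10.0.201.0/255.255.255.0
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 4398951/3274
Outbound: #pkts enc'ed 1119 drop 1 life (KB/Sec) 4398924/3274
IPSEC FLOW: permit 115 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
"""
FLOW_RE = re.compile(r"^IPSEC FLOW: (.+)$")
CNT_RE = re.compile(r"^(Inbound|Outbound): #pkts (?:dec|enc)'ed (\d+) drop (\d+)")

def parse_flows(text):
    # Map each "IPSEC FLOW" line to its inbound/outbound packet and drop counters.
    flows, cur = {}, None
    for line in text.splitlines():
        if m := FLOW_RE.match(line):
            cur = m.group(1).strip()
            flows[cur] = {}
        elif cur and (m := CNT_RE.match(line)):
            key = "in" if m.group(1) == "Inbound" else "out"
            flows[cur][key] = int(m.group(2))
            flows[cur][key + "_drop"] = int(m.group(3))
    return flows

def diagnose(local_output, remote_output):
    # Compare the same flow as seen from both peers and name the symptom.
    local, remote = parse_flows(local_output), parse_flows(remote_output)
    verdicts = {}
    for flow in local.keys() & remote.keys():
        l, r = local[flow], remote[flow]
        if l["out"] == 0 and r["out"] == 0:
            verdicts[flow] = "idle: no packet on either side matched this flow"
        elif l["in"] == 0 and r["in"] == 0:
            verdicts[flow] = "both sides encrypt, neither decrypts: ESP not reaching or not accepted by the peer"
        elif (l["out"] and r["in"] == 0) or (r["out"] and l["in"] == 0):
            verdicts[flow] = "one direction only: ESP from one peer is not decrypted by the other"
        else:
            verdicts[flow] = "counters consistent on both sides"
    return verdicts
```

Run `diagnose(PE4_OUTPUT, PE2_OUTPUT)` to see the 10.0.201.0/24 flow classified as "both sides encrypt, neither decrypts" and the protocol-115 flow as idle; that points the next check at what happens to ESP between the two loopback peer addresses rather than at IKE, which is up on both sides.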