
Why does this device have 2 IKE SAs?

mnewnam06
Level 1

Hi, here is the output. Any explanation?

#sh crypto session detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: Ethernet1

Session status: UP-ACTIVE

Peer: <peer ip address>/500 fvrf: (none) ivrf: (none)

Phase1_id: <peer ip address>

Desc: (none)

IKE SA: local <outside address>/500 remote <peer ip address>/500 Active

Capabilities:CD connid:15 lifetime:21:34:29

IKE SA: local <outside address>/500 remote <peer ip address>/500 Active

Capabilities:CD connid:14 lifetime:13:06:25

IPSEC FLOW: permit ip <inside address>/255.255.252.0 0.0.0.0/0.0.0.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 284159 drop 0 life (KB/Sec) 4422709/13337

Outbound: #pkts enc'ed 276100 drop 0 life (KB/Sec) 4432969/13337


Kamal Malhotra
Cisco Employee

Hi,

Per this information it seems that we only have 1 phase 1 SA and 1 Phase 2 SA, which is normal. For confirmation, issue the following command :

sh cry isak sa

and check the output. If you have only one SA for the pair of IP addresses, then we are fine. Then you can issue the following command :

sh cry ipsec sa

if we have one SA for each pair of private subnets/networks then we are fine too.

HTH,

Please rate if it helps.

Regards,

Kamal

Hi Kamal

I agree that there is 1 SA for the ISAKMP phase. However, I believe that for any IPsec tunnel in phase 2 there will be 2 SAs, as these SAs are unidirectional. So for each pair of networks you will have an inbound SA and an outbound SA. Hence the following in the output from the original post.

Active SAs: 2, origin: crypto map

HTH

Jon
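A small checker for the shape Kamal and Jon describe (one IKE SA per peer, two unidirectional IPsec SAs per flow), added here as an example and not code from the thread. It parses a constructed sample modelled on the original poster's "sh crypto session detail" output, with the redacted addresses replaced by RFC 5737 documentation addresses, and flags the peer that carries two IKE SAs.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the original post's 'sh crypto session detail' output.
SAMPLE = """\
Peer: 203.0.113.10/500 fvrf: (none) ivrf: (none)
  IKE SA: local 198.51.100.5/500 remote 203.0.113.10/500 Active
          Capabilities:CD connid:15 lifetime:21:34:29
  IKE SA: local 198.51.100.5/500 remote 203.0.113.10/500 Active
          Capabilities:CD connid:14 lifetime:13:06:25
  IPSEC FLOW: permit ip 10.1.0.0/255.255.252.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
Peer: 203.0.113.20/500 fvrf: (none) ivrf: (none)
  IKE SA: local 198.51.100.5/500 remote 203.0.113.20/500 Active
          Capabilities:CD connid:9 lifetime:02:10:00
  IPSEC FLOW: permit ip 10.2.0.0/255.255.252.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)/\d+")
CONN_RE = re.compile(r"connid:(\d+)")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW:\s+(.+)$")
ACTIVE_RE = re.compile(r"Active SAs:\s+(\d+)")

def parse_sessions(text):
    """Group IKE SA connids and per-flow IPsec SA counts by peer address."""
    sessions = defaultdict(lambda: {"ike": [], "flows": []})
    peer = flow = None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer = m.group(1)          # a new session block starts here
        elif (m := CONN_RE.search(line)) and peer:
            sessions[peer]["ike"].append(int(m.group(1)))
        elif (m := FLOW_RE.match(line)) and peer:
            flow = m.group(1)          # the next 'Active SAs' line belongs to this flow
        elif (m := ACTIVE_RE.search(line)) and flow:
            sessions[peer]["flows"].append((flow, int(m.group(1))))
            flow = None
    return dict(sessions)

def find_anomalies(sessions):
    """Expected shape: one IKE SA per peer, two (inbound + outbound) IPsec SAs per flow."""
    issues = []
    for peer, s in sessions.items():
        if len(s["ike"]) > 1:
            issues.append(f"{peer}: {len(s['ike'])} IKE SAs (connids {sorted(s['ike'])})")
        for flow, n in s["flows"]:
            if n != 2:
                issues.append(f"{peer}: flow '{flow}' has {n} IPsec SAs, expected 2")
    return issues
```

Run over the sample, find_anomalies reports only the first peer, since two IPsec SAs per flow is the normal inbound/outbound pair while a second IKE SA to the same peer is what needs explaining.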

Hi Jon,

That's elementary.

Regards,

Kamal

Kamal

No offence intended. I am perfectly sure you were aware of this; I just thought the way you worded it was a little unclear and the original poster might get the wrong idea.

Jon

Thanks for the replies. Here is the output from two different sites. Why would one site have two entries and the other one? Is it because the site with two SAs is set up for a two-way conversation and the site with one SA is set up for a one-way conversation? What does QM_IDLE imply? No traffic?

Site1# sh crypto isakmp sa

dst src state conn-id slot

QM_IDLE 1 0

QM_IDLE 19 0

Site2#sh crypto isakmp sa

dst src state conn-id slot

QM_IDLE 9 0

Hi,

Not sure why you are seeing 2 IKE SAs on one end. It needs troubleshooting so I would suggest you to open a TAC case. As far as QM_IDLE goes, it means that the Quick Mode is up.

HTH,

Please rate if it helps.

Regards,

Kamal

Running debugs after clearing the tunnel would help to figure out this issue.

The reason you are seeing two SAs is this:

Site 1 got another SA request from the remote peer while there was an existing SA, but it did not match the values sent by Site 2.

Thanks

Gilbert

Thanks for all of the replies.

Gilbert, the two sites are remote sites both connecting to the same 3K concentrator. They don't communicate between themselves. My fault for not mentioning this.

Also the IPSec VPN technology being used is Easy VPN. Are there IPSec specific logs that can be turned on like EIGRP logs? Thanks.

On the Concentrator - If you go to System | Events | Classes - can you add IKE, IKEDBG, IPSEC and IPSECDBG for severities - 1-13 on Event to log option (you need to do it one by one).

After that, go to Monitoring Filterable event log click on "Clear Log"

Let the remote site connect and after you see two ISAKMP SAs, on the concentrator click on the GET LOG button and send the text file.

Will take a look at it.

Thanks

Gilbert
