03-06-2007 12:14 PM - edited 03-09-2019 05:32 PM
Hi, here is the output. Any explanation?
#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Ethernet1
Session status: UP-ACTIVE
Peer: <peer ip address>/500 fvrf: (none) ivrf: (none)
Phase1_id: <peer ip address>
Desc: (none)
IKE SA: local <outside address>/500 remote <peer ip address>/500 Active
Capabilities:CD connid:15 lifetime:21:34:29
IKE SA: local <outside address>/500 remote <peer ip address>/500 Active
Capabilities:CD connid:14 lifetime:13:06:25
IPSEC FLOW: permit ip <inside address>/255.255.252.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 284159 drop 0 life (KB/Sec) 4422709/13337
Outbound: #pkts enc'ed 276100 drop 0 life (KB/Sec) 4432969/13337
03-06-2007 12:31 PM
Hi,
Per this information it seems that we only have 1 phase 1 SA and 1 Phase 2 SA, which is normal. For confirmation, issue the following command :
sh cry isak sa
and check the output. If you have only one SA for the pair of IP addresses, then we are fine. Then you can issue the following command :
sh cry ipsec sa
if we have one SA for each pair of private subnets/networks then we are fine too.
HTH,
Please rate if it helps.
Regards,
Kamal
03-07-2007 05:16 AM
Hi Kamal
I agree that there is 1 SA for the ISAKMP phase. However, I believe that for any IPsec tunnel in phase 2 there will be 2 SAs, as these SAs are unidirectional. So for each pair of networks you will have an inbound SA and an outbound SA. Hence the following in the output from the original post.
Active SAs: 2, origin: crypto map
HTH
Jon
03-07-2007 05:23 AM
Hi Jon,
That's elementary.
Regards,
Kamal
03-07-2007 05:58 AM
Kamal
No offence intended. I am perfectly sure you were aware of this; I just thought the way you worded it was a little unclear and the original poster might get the wrong idea.
Jon
03-08-2007 06:13 AM
Thanks for the replies. Here is the output from two different sites. Why would one site have two entries and the other one? Is it because the site with two SAs is set up for a two-way conversation and the site with one SA is set up for a one-way conversation? What does QM_IDLE imply? No traffic?
Site1# sh crypto isakmp sa
dst src state conn-id slot
Site2#sh crypto isakmp sa
dst src state conn-id slot
03-08-2007 07:17 AM
Hi,
Not sure why you are seeing 2 IKE SAs on one end. It needs troubleshooting so I would suggest you to open a TAC case. As far as QM_IDLE goes, it means that the Quick Mode is up.
HTH,
Please rate if it helps.
Regards,
Kamal
03-08-2007 07:31 AM
Running debugs after clearing the tunnel would help to figure out this issue.
The reason you are seeing two SAs is this:
Site 1 got another SA request from the remote peer while there was an existing SA, but it did not match the values sent by Site 2.
Thanks
Gilbert
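As an added illustration (not from any poster in this thread), a small Python check that parses `show crypto session detail` output like the one in the first post and flags the two things discussed above: more than one active IKE SA to a single peer (the Site 1 condition Gilbert describes), and an IPsec flow whose active SA count is not the expected inbound/outbound pair of 2. The sample text and addresses are constructed for the example.

```python
import re

# Constructed sample, modelled on the `show crypto session detail` output quoted in the thread.
SAMPLE = """\
Interface: Ethernet1
Session status: UP-ACTIVE
Peer: 203.0.113.10/500 fvrf: (none) ivrf: (none)
  IKE SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
          Capabilities:CD connid:15 lifetime:21:34:29
  IKE SA: local 198.51.100.1/500 remote 203.0.113.10/500 Active
          Capabilities:CD connid:14 lifetime:13:06:25
  IPSEC FLOW: permit ip 10.1.0.0/255.255.252.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 284159 drop 0 life (KB/Sec) 4422709/13337
        Outbound: #pkts enc'ed 276100 drop 0 life (KB/Sec) 4432969/13337
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+?)/\d+")
IKE_RE = re.compile(r"^IKE SA: .* remote (\S+?)/\d+ (\w+)")
FLOW_RE = re.compile(r"^IPSEC FLOW: (.+)$")
ACTIVE_RE = re.compile(r"^Active SAs: (\d+)")


def parse_sessions(text):
    """Return {peer: {"ike": active IKE SA count, "flows": [(flow, active SAs), ...]}}."""
    sessions, peer, flow = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()           # the real output indents sub-lines
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            sessions[peer] = {"ike": 0, "flows": []}
            continue
        if peer is None:
            continue
        if (m := IKE_RE.match(line)) and m.group(2) == "Active":
            sessions[peer]["ike"] += 1
        elif m := FLOW_RE.match(line):
            flow = m.group(1)        # remember the flow until its "Active SAs" line
        elif (m := ACTIVE_RE.match(line)) and flow is not None:
            sessions[peer]["flows"].append((flow, int(m.group(1))))
            flow = None
    return sessions


def check_sessions(sessions):
    """Flag duplicate IKE SAs per peer and flows without a 2-SA (inbound + outbound) pair."""
    findings = []
    for peer, s in sessions.items():
        if s["ike"] > 1:
            findings.append(f"{peer}: {s['ike']} active IKE SAs (expect 1 per peer)")
        for flow, n in s["flows"]:
            if n != 2:
                findings.append(f"{peer}: flow '{flow}' has {n} active IPsec SAs (expect 2)")
    return findings
```

Run it over the captured output of several sites and compare the findings list; a peer reported with two active IKE SAs is the case the thread recommends debugging further.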
03-08-2007 09:50 AM
Thanks for all of the replies.
Gilbert, the two sites are remote sites both connecting to the same 3K concentrator. They don't communicate between themselves. My fault for not mentioning this.
Also the IPSec VPN technology being used is Easy VPN. Are there IPSec specific logs that can be turned on like EIGRP logs? Thanks.
03-09-2007 08:18 AM
On the Concentrator - If you go to System | Events | Classes - can you add IKE, IKEDBG, IPSEC and IPSECDBG for severities - 1-13 on Event to log option (you need to do it one by one).
After that, go to Monitoring | Filterable Event Log and click on "Clear Log".
Let the remote site connect, and after you see two ISAKMP SAs, click on the GET LOG button on the concentrator and send the text file.
Will take a look at it.
Thanks
Gilbert