SAs flapping on L2L IPSEC tunnel

Unanswered Question
Dec 11th, 2007
Hello,


I have a weird problem that just started happening on a L2L tunnel to one of our remote employees:


I have a Cisco 1841 router here which serves as our local VPN endpoint, and the remote employees have PIX 501s at their homes. We set up L2L IPSEC tunnels between the devices.


Recently, one of the tunnels has started "flapping" the SAs. For example, here is a simple representation of the crypto map:


(Remote LAN)      (Local LAN)
172.17.0.0/29 <--> 10.100.10.0/24
172.17.0.0/29 <--> 10.100.20.0/24
172.17.0.0/29 <--> 10.100.201.0/24
172.17.0.0/29 <--> 10.100.209.0/24
172.17.0.0/29 <--> 10.254.1.0/30


When a device behind the PIX 501 (the 172. net) connects to a device in 10.100.209.0, the SA comes up and the connection is established. Then, another device behind the PIX 501 connects to 10.100.201.0 and the SA comes up and the connection is established. But then, say a device behind the PIX 501 tries to connect to another subnet like 10.254.1.0 and that SA comes up, but another goes down, killing his Citrix metaframe session, for example. Then, he redials his Citrix session and his IP phone goes unregistered because the SA for the connection between his phone and the Callmanager goes down.


I will admit that I have very limited experience configuring L2L IPSEC tunnels on Cisco devices, and I am in dire need of some learning on the subject.


For now though, are there any debugging commands I can use that might be able to tell me why the SAs are going up and down and what I can do to correct it?


I have console access to the 1841, I do not have access to the PIX.


Thank you,


Chris

Jon Marshall Tue, 12/11/2007 - 13:53
Hi Chris


Just a quick thought, but when one of the SAs goes down, do you know how many SAs are in use, because there are limits? Is the list of subnets that you have included in your post the complete list?


Jon

olighec Tue, 12/11/2007 - 14:00
Jon,


No, that is not the complete list, but it was what I had from memory. I have posted the complete list below.


I don't think it is hitting a limit on SAs, because his tunnel was solid before for a month or two and we haven't added any new peers or SAs since then. He lost his DSL service briefly, and when it came back up he had a new IP address. I changed the IPSEC and IKE peer addresses to the new address, and the tunnel came back up, but within a few hours the SAs started flapping.


Here is the output of sh crypto session -- it lists the full crypto maps:


cnc.spokane.1841#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 71.115.250.xxx port 500
IKE SA: local 67.105.138.xxx/500 remote 71.115.250.xxx/500 Active
IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.19.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.100.29.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 172.16.0.5 host 172.17.0.5
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 172.16.0.13 host 172.17.0.5
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 172.31.0.5 host 172.17.0.5
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.100.200.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.209.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 206.63.118.xxx port 500
IKE SA: local 67.105.138.xxx/500 remote 206.63.118.xxx/500 Active
IPSEC FLOW: permit ip 10.100.0.0/255.255.0.0 172.31.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 172.17.0.5 host 172.31.0.5
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 172.31.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.254.1.0/255.255.255.0 172.31.0.0/255.255.255.0
Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 140.239.187.xxx port 500
IKE SA: local 67.105.138.xxx/500 remote 140.239.187.xxx/500 Active
IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 10.101.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.100.200.0/255.255.255.0 10.101.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 10.101.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 10.101.0.0/255.255.255.0
Active SAs: 0, origin: crypto map


The tunnel that is having problems is the tunnel with peer 71.115.250.xxx (last octet 'sanitized' for Internet)
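Since the question is how to tell which IPsec flows are being torn down between one look at the router and the next, here is an added example (not code from the thread or from Cisco) that parses "show crypto session" output of the shape posted above into a per-peer table of flows and their Active SA counts, and then diffs two snapshots to list which flows went down and which came up. The sample text is a constructed, condensed version of the post's output (public addresses sanitized as "xxx", as in the post); the second snapshot is constructed to show one flow replacing another for the 71.115.250.xxx peer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, condensed from the thread's "sh crypto session" output.
SAMPLE_OUTPUT = """\
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 71.115.250.xxx port 500
IKE SA: local 67.105.138.xxx/500 remote 71.115.250.xxx/500 Active
IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.100.19.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip 10.100.209.0/255.255.255.0 172.17.0.0/255.255.255.248
Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 206.63.118.xxx port 500
IKE SA: local 67.105.138.xxx/500 remote 206.63.118.xxx/500 Active
IPSEC FLOW: permit ip 10.100.0.0/255.255.0.0 172.31.0.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip 10.254.1.0/255.255.255.0 172.31.0.0/255.255.255.0
Active SAs: 0, origin: crypto map
"""

# Constructed "later" snapshot: for the 71.115.250.xxx peer the 10.254.1.1 flow has
# come up and the 10.100.209.0 flow has gone down (the symptom described in the thread).
SAMPLE_OUTPUT_LATER = SAMPLE_OUTPUT.replace(
    "IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248\nActive SAs: 0",
    "IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248\nActive SAs: 2",
).replace(
    "IPSEC FLOW: permit ip 10.100.209.0/255.255.255.0 172.17.0.0/255.255.255.248\nActive SAs: 2",
    "IPSEC FLOW: permit ip 10.100.209.0/255.255.255.0 172.17.0.0/255.255.255.248\nActive SAs: 0",
)

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port\s+(\d+)")
FLOW_RE = re.compile(r"^IPSEC FLOW:\s+(.*)$")
SAS_RE = re.compile(r"^Active SAs:\s+(\d+)")


def parse_crypto_session(text: str) -> Dict[str, dict]:
    """Return {peer: {"status": str, "flows": [(flow_text, active_sa_count), ...]}}.

    The "Session status:" line precedes the "Peer:" line in this output, so the
    status is held until the peer address is seen. Each "IPSEC FLOW:" line is
    paired with the "Active SAs:" line that follows it.
    """
    sessions: Dict[str, dict] = {}
    pending_status = None
    peer = None
    flow = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Session status:"):
            pending_status = line.split(":", 1)[1].strip()
            continue
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            sessions[peer] = {"status": pending_status, "flows": []}
            pending_status = None
            continue
        m = FLOW_RE.match(line)
        if m and peer is not None:
            flow = m.group(1)
            continue
        m = SAS_RE.match(line)
        if m and peer is not None and flow is not None:
            sessions[peer]["flows"].append((flow, int(m.group(1))))
            flow = None
    return sessions


def active_sa_count(sessions: Dict[str, dict], peer: str) -> int:
    """Total active IPsec SAs for one peer (an established flow shows 2: one per direction)."""
    return sum(n for _, n in sessions[peer]["flows"])


def idle_flows(sessions: Dict[str, dict], peer: str) -> List[str]:
    """Crypto-map flows for the peer that currently have no SA."""
    return [f for f, n in sessions[peer]["flows"] if n == 0]


def diff_snapshots(before: Dict[str, dict], after: Dict[str, dict], peer: str) -> Tuple[List[str], List[str]]:
    """Flows whose SAs were torn down (>0 -> 0) and flows that came up (0 -> >0) between two captures."""
    b = dict(before[peer]["flows"])
    a = dict(after[peer]["flows"])
    down = sorted(f for f in b if b[f] > 0 and a.get(f, 0) == 0)
    up = sorted(f for f in a if a[f] > 0 and b.get(f, 0) == 0)
    return down, up


if __name__ == "__main__":
    first = parse_crypto_session(SAMPLE_OUTPUT)
    later = parse_crypto_session(SAMPLE_OUTPUT_LATER)
    for p in first:
        print(p, first[p]["status"], "active SAs:", active_sa_count(first, p))
    down, up = diff_snapshots(first, later, "71.115.250.xxx")
    print("torn down:", down)
    print("came up:", up)
```

Capturing the command output twice, a few minutes apart, and feeding both captures to diff_snapshots gives an exact list of which flows dropped while another came up, which is the evidence to line up against "debug crypto ipsec" / "debug crypto isakmp" timestamps on the 1841.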
