SAs flapping on L2L IPSEC tunnel

olighec
Level 1

Hello,

I have a weird problem that just started happening on a L2L tunnel to one of our remote employees:

I have a Cisco 1841 router here which serves as our local VPN endpoint, and the remote employees have PIX 501s at their homes. We set up L2L IPSEC tunnels between the devices.

Recently, one of the tunnels has started "flapping" the SAs. For example, here is a simple representation of the crypto map:

(Remote LAN)       (Local LAN)
172.17.0.0/29 <--> 10.100.10.0/24
172.17.0.0/29 <--> 10.100.20.0/24
172.17.0.0/29 <--> 10.100.201.0/24
172.17.0.0/29 <--> 10.100.209.0/24
172.17.0.0/29 <--> 10.254.1.0/30

When a device behind the PIX 501 (the 172. net) connects to a device in 10.100.209.0, the SA comes up and the connection is established. Then, another device behind the PIX 501 connects to 10.100.201.0 and the SA comes up and the connection is established. But then, say a device behind the PIX 501 tries to connect to another subnet like 10.254.1.0 and that SA comes up, but another goes down, killing his Citrix metaframe session, for example. Then, he redials his Citrix session and his IP phone goes unregistered because the SA for the connection between his phone and the Callmanager goes down.

I will admit that I have very limited experience configuring L2L IPSEC tunnels on Cisco devices, and I am in dire need of some learning on the subject.

For now though, are there any debugging commands I can use that might be able to tell me why the SAs are going up and down and what I can do to correct it?

I have console access to the 1841, I do not have access to the PIX.

Thank you,

Chris

2 Replies

Jon Marshall
Hall of Fame

Hi Chris

Just a quick thought, but when one of the SAs goes down, do you know how many SAs are in use, because there are limits. Is the list of subnets that you have included in your post the complete list?

Jon

Jon,

No, that is not the complete list, but it was what I had from memory. I have posted the complete list below.

I don't think it is hitting a limit on SAs because his tunnel was solid before for a month or two and we haven't added any new peers or SAs since then. He lost his DSL service briefly, and when it came back up he had a new IP address. I changed the IPSEC and IKE peer addresses to the new address, and the tunnel came back up, but within a few hours the SAs started flapping.

Here is the output of sh crypto session -- it lists the full crypto maps:

cnc.spokane.1841#sh crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 71.115.250.xxx port 500
  IKE SA: local 67.105.138.xxx/500 remote 71.115.250.xxx/500 Active
  IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.19.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.100.29.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 172.16.0.5 host 172.17.0.5
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 172.16.0.13 host 172.17.0.5
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 172.31.0.5 host 172.17.0.5
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.100.200.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.209.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 206.63.118.xxx port 500
  IKE SA: local 67.105.138.xxx/500 remote 206.63.118.xxx/500 Active
  IPSEC FLOW: permit ip 10.100.0.0/255.255.0.0 172.31.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip host 172.17.0.5 host 172.31.0.5
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 172.31.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.254.1.0/255.255.255.0 172.31.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

Interface: FastEthernet0/0
Session status: UP-ACTIVE
Peer: 140.239.187.xxx port 500
  IKE SA: local 67.105.138.xxx/500 remote 140.239.187.xxx/500 Active
  IPSEC FLOW: permit ip 192.168.100.0/255.255.255.0 10.101.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 10.100.200.0/255.255.255.0 10.101.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 10.101.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 10.101.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map

The tunnel that is having problems is the tunnel with peer 71.115.250.xxx (last octet 'sanitized' for the Internet).
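As an added example (not part of the thread), a small Python parser for the "show crypto session" output format posted above: it records each peer's IPSEC FLOW selectors with their Active SAs count and diffs two snapshots, so that a flow dropping from 2 to 0 SAs is logged with a timestamp instead of being noticed when a Citrix session or phone registration dies. The two snapshots are constructed and abbreviated to the peer under discussion.

```python
import re

# Constructed, abbreviated snapshots of "show crypto session" for the flapping
# peer, taken a few minutes apart (the real output is in Chris's post above).
SNAPSHOT_T0 = """\
Peer: 71.115.250.xxx port 500
  IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
"""
SNAPSHOT_T1 = """\
Peer: 71.115.250.xxx port 500
  IPSEC FLOW: permit ip 10.100.10.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 10.100.201.0/255.255.255.0 172.17.0.0/255.255.255.248
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip host 10.254.1.1 172.17.0.0/255.255.255.248
        Active SAs: 2, origin: crypto map
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port\s+\d+")
FLOW_RE = re.compile(r"^\s*IPSEC FLOW:\s+(permit .+?)\s*$")
SAS_RE = re.compile(r"^\s*Active SAs:\s+(\d+)")

def parse_sessions(text):
    """Map each peer to {flow selector: active SA count}."""
    sessions, peer, flow = {}, None, None
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            peer = m.group(1)
        elif m := FLOW_RE.match(line):
            flow = m.group(1)
        elif (m := SAS_RE.match(line)) and peer and flow:
            sessions.setdefault(peer, {})[flow] = int(m.group(1))
            flow = None  # each flow line is followed by exactly one SA count
    return sessions

def diff_flows(before, after):
    """Return (peer, flow, old, new) for every selector whose SA count changed;
    a 2 -> 0 transition is a flow torn down between the two snapshots."""
    changes = []
    for peer in sorted(set(before) | set(after)):
        b, a = before.get(peer, {}), after.get(peer, {})
        for flow in sorted(set(b) | set(a)):
            old, new = b.get(flow, 0), a.get(flow, 0)
            if old != new:
                changes.append((peer, flow, old, new))
    return changes
```

Running diff_flows over snapshots captured on a timer and printing each change with the capture time gives a timeline of exactly which selector lost its SAs when a new one came up.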