
ASDM stats versus "sho ipsec SA summary"

lynne.meeks
Level 1

Ok- I am confused and I hate it when that happens!

When I look at our ASA CLI with a "sho ipsec SA summary" I get this:

Current IPSec SA's:

IPSec : 54

IPSec over UDP : 702

IPSec over NAT-T : 64

IPSec over TCP : 908

IPSec VPN LB : 0

Total : 1728

However, at this same exact moment in time, the ASDM reports 862 IPSec sessions.

What am I missing here? Why are these numbers so different? Seems like the total number of IPSec sessions should be the sum of the TCP, UDP and NAT-T sessions.

Thanks to anyone who can sort this out!

Lynne


m.singer
Level 4

Use show failover command to troubleshoot your issues. The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The "xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.

M.singer - I think you replied to the wrong case.

Your comments have nothing to do with the question I raised.

Lynne

Lynne

I believe that I have an explanation that comes pretty close. In the figures that are in your original post the total number of IPSec SAs is 1728. When you consider that an IPSec SA is unidirectional there are 2 SAs for each IPSec session. So divide the number of SAs (1728) by 2 and you get 864.

Given the difficulty of truly executing 2 commands at the exact same instant I believe that it is reasonable that 2 sessions may have stopped (or 2 sessions started) between execution of the first command and execution of the second command which would explain the 864 from one command and 862 from the other.

HTH

Rick

Thanks Rick - I'll buy that explanation.

That makes perfect sense, and I agree that with so many sessions my two reports could be off by one or two.

I really appreciate your response-- I do like to understand what it is I am looking at.

Thanks again-Lynne
