12-08-2008 12:08 PM - edited 02-21-2020 03:09 AM
Ok- I am confused and I hate it when that happens!
When I look at our ASA CLI with a "sho ipsec SA summary" I get this:
Current IPSec SA's:
IPSec : 54
IPSec over UDP : 702
IPSec over NAT-T : 64
IPSec over TCP : 908
IPSec VPN LB : 0
Total : 1728
However, at this same exact moment in time, the ASDM reports 862 IPSec sessions.
What am I missing here? Why are these numbers so different? Seems like the total number of IPSec sessions should be the sum of the TCP, UDP and NAT-T sessions.
Thanks to anyone who can sort this out!
Lynne
12-12-2008 02:46 PM
Use show failover command to troubleshoot your issues. The show failover command displays the dynamic failover information, interface status, and Stateful Failover statistics. The Stateful Failover Logical Update Statistics output appears only when Stateful Failover is enabled. The "xerr" and "rerr" values do not indicate errors in failover, but rather the number of packet transmit or receive errors.
12-15-2008 05:24 AM
M.singer - I think you replied to the wrong case.
Your comments have nothing to do with the question I raised.
Lynne
12-15-2008 02:28 PM
Lynne
I believe that I have an explanation that comes pretty close. In the figures that are in your original post the total number of IPSec SAs is 1728. When you consider that an IPSec SA is unidirectional there are 2 SAs for each IPSec session. So divide the number of SAs (1728) by 2 and you get 864.
Given the difficulty of truly executing 2 commands at the exact same instant I believe that it is reasonable that 2 sessions may have stopped (or 2 sessions started) between execution of the first command and execution of the second command which would explain the 864 from one command and 862 from the other.
HTH
Rick
12-16-2008 04:47 AM
Thanks Rick - I'll buy that explanation.
That makes perfect sense, and I agree that with so many sessions my two reports could be off by one or two.
I really appreciate your response-- I do like to understand what it is I am looking at.
Thanks again-Lynne