ASA 5510 & ASA 5505 VPN

Answered Question

I have an ASA 5510 in HQ (Version 8.0(3)) and an ASA 5505 (Version 8.3(1)) at remote end.  I am utilizing easy vpn.  The vpn works great, but when the VPN is connected the 5510 shows 17 IPSEC connections for this one device.  I look at the 5505, and it is saying 1.


Thanks!

Federico Coto F... Tue, 04/06/2010 - 20:22
User Badges:
  • Green, 3000 points or more

Hi,


I've seen this before with EzVPN (seems to be very persistent).


If you clear the tunnel and bring it up again, do you see the same behavior?

If that's so, can you post both configs?


Federico.

Jennifer Halim Tue, 04/06/2010 - 21:28
User Badges:
  • Cisco Employee,

Is the HQ ASA terminating multiple easyvpn connections? Also, do you have any remote access vpn client terminating on the HQ ASA as well? If they are, then it will be showing multiple IKE/IPSec.

Currently the HQ is only terminating one easyvpn connection (will be more once I get this figured out).


I do have multiple clients terminating to the VPN.


What I want to make clear is that the easyvpn connection will make 1 IKE tunnel and 17 IPSEC tunnels; when I pull the plug on the unit, you can see it drop back to 1-1 on the HQ for the vpn clients.


See attached.

Jennifer Halim Wed, 04/07/2010 - 05:38
User Badges:
  • Cisco Employee,

Please share the output of "show crypto ipsec sa peer " on the HQ ASA5510.

This is the crypto from the 5510 for the 5505


asa# sh crypto ipsec sa peer 64.196.6.180

peer address: 64.196.6.180

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (64.196.6.165/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 31B990D0


    inbound esp sas:

      spi: 0x7CD49785 (2094307205)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28631

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x31B990D0 (834244816)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28631

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 5724A440


    inbound esp sas:

      spi: 0x23C29273 (599954035)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28632

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x5724A440 (1462019136)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28632

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 7319F5DD


    inbound esp sas:

      spi: 0xD7E38EE9 (3622014697)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28629

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x7319F5DD (1931081181)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28629

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 05C48316


    inbound esp sas:

      spi: 0xF51CFD49 (4112317769)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28628

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x05C48316 (96764694)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28628

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: B3FDC508


    inbound esp sas:

      spi: 0x1D3C2C54 (490482772)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28626

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xB3FDC508 (3019752712)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28626

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 130D6E8E


    inbound esp sas:

      spi: 0x68DFF375 (1759507317)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28625

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x130D6E8E (319647374)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28623

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: C0A94DAC


    inbound esp sas:

      spi: 0x673C5702 (1732007682)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28622

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xC0A94DAC (3232320940)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28622

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 2D783439


    inbound esp sas:

      spi: 0xD499DFD9 (3566854105)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28621

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x2D783439 (762852409)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28620

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: BCD61AC9


    inbound esp sas:

      spi: 0x76D18AEA (1993444074)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xBCD61AC9 (3168148169)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 4A4CD1CF


    inbound esp sas:

      spi: 0xCDBFC162 (3451896162)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x4A4CD1CF (1246548431)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28618

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 3B4876DE


    inbound esp sas:

      spi: 0x88488E6A (2286456426)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28617

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B4876DE (994604766)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28617

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 04EBDD5F


    inbound esp sas:

      spi: 0xA5641A72 (2774801010)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28616

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x04EBDD5F (82566495)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28616

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 148326FE


    inbound esp sas:

      spi: 0x25F19BCA (636591050)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28615

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x148326FE (344139518)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28615

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: EF7D0BA1


    inbound esp sas:

      spi: 0x3C811E67 (1015094887)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28613

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xEF7D0BA1 (4017949601)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28613

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 0221694F


    inbound esp sas:

      spi: 0x35D46FD9 (903114713)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28612

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x0221694F (35744079)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28612

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27

      #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 27, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 412AC6F8


    inbound esp sas:

      spi: 0xE2254D63 (3794095459)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28610

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x412AC6F8 (1093322488)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28610

         IV size: 16 bytes

         replay detection support: Y


    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165


      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0


      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0


      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180


      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: DDE92DD6


    inbound esp sas:

      spi: 0xD67A60FC (3598344444)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28609

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDDE92DD6 (3723046358)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28608

         IV size: 16 bytes

         replay detection support: Y

asa#

Correct Answer
Jennifer Halim Wed, 04/07/2010 - 06:01
User Badges:
  • Cisco Employee,

Yes, it will create SAs for every subnet you have, one SA pairing with the remote subnet of ASA 5505, and one SA pairing with the peer ip of the remote ASA 5505.


It creates the extra SA pair with the peer ip address of the remote ASA for easy vpn (it's normal in easy vpn). If you configure LAN-to-LAN between the 2 ASAs, it will just be half the number of SAs, as there won't be an SA created for the peer ip address like in an easy vpn tunnel.


Here are the SA pairings created:

local ident (addr/mask/prot/port): (64.196.6.165/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)


local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)


local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)
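
To make the count above checkable rather than eyeballed, here is a small parser for this output. It is an added example, not part of the thread and not a Cisco tool. It groups the proxy-identity pairs per peer, separates the pairs whose remote ident is the peer's own host address (the extra pair easy vpn adds per local subnet, as explained above) from the subnet-to-subnet pairs, reports how many pairs a LAN-to-LAN crypto ACL over the same subnets would create, and lists which pairs have actually moved packets. The embedded sample is constructed in the format shown in the thread, shortened to three local subnets; the function and field names are my own.

```python
"""Summarise proxy-identity SA pairs in ASA 'show crypto ipsec sa' output.

Added example, not from the thread or from Cisco. The sample output is
constructed in the thread's format, shortened to three local subnets.
"""
import re
from collections import defaultdict

IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)\s*$"
)
PEER_RE = re.compile(r"^\s*peer address:\s*([\d.]+)")
CURRENT_PEER_RE = re.compile(r"^\s*current_peer:\s*([\d.]+)")
ENCAPS_RE = re.compile(r"^\s*#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"^\s*#pkts decaps:\s*(\d+)")


def parse_sa_pairs(text):
    """One dict per proxy-identity pair (each backs one inbound+outbound ESP SA)."""
    pairs, current, peer = [], None, None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:                       # header of 'show crypto ipsec sa peer X'
            peer = m.group(1)
            continue
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, _prot, _port = m.groups()
            if side == "local":     # a new pair starts with its local ident
                current = {"peer": peer, "local": (addr, mask), "remote": None,
                           "encaps": 0, "decaps": 0}
                pairs.append(current)
            elif current is not None:
                current["remote"] = (addr, mask)
            continue
        if current is None:
            continue
        m = CURRENT_PEER_RE.match(line)   # also present in the full 'show crypto ipsec sa'
        if m:
            current["peer"] = m.group(1)
            continue
        m = ENCAPS_RE.match(line)
        if m:
            current["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.match(line)
        if m:
            current["decaps"] = int(m.group(1))
    return pairs


def summarise(pairs):
    """Per peer: total pairs, pairs against the peer host address (the easy vpn
    extras), subnet-to-subnet pairs, the LAN-to-LAN equivalent, and active pairs."""
    by_peer = defaultdict(list)
    for p in pairs:
        by_peer[p["peer"]].append(p)
    out = {}
    for peer, plist in by_peer.items():
        host = (peer, "255.255.255.255")
        subnet = [p for p in plist if p["remote"] != host]
        out[peer] = {
            "total": len(plist),
            "peer_host_pairs": len(plist) - len(subnet),
            "subnet_pairs": len(subnet),
            # A LAN-to-LAN crypto ACL over the same subnets yields one pair per
            # local/remote subnet combination and none against the peer address.
            "expected_l2l": len({p["local"] for p in subnet}) * len({p["remote"] for p in subnet}),
            "active": [(p["local"][0], p["remote"][0]) for p in plist
                       if p["encaps"] or p["decaps"]],
        }
    return out


def _block(local, remote, encaps=0, decaps=0):
    """Build one proxy-identity block in the thread's format (constructed sample)."""
    return (f"      local ident (addr/mask/prot/port): ({local[0]}/{local[1]}/0/0)\n"
            f"      remote ident (addr/mask/prot/port): ({remote[0]}/{remote[1]}/0/0)\n"
            f"      current_peer: {PEER}, username:\n"
            f"      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}\n"
            f"      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}\n")


PEER, HOST, LAN = "64.196.6.180", "255.255.255.255", "255.255.255.0"
REMOTE_LAN = ("192.168.101.0", LAN)
# Constructed sample: the /32-to-peer pair plus two pairs per local subnet.
SAMPLE_OUTPUT = f"peer address: {PEER}\n" + "".join(
    _block(local, remote, *counts) for local, remote, counts in [
        (("64.196.6.165", HOST), (PEER, HOST), ()),
        (("172.30.20.0", LAN), (PEER, HOST), ()),
        (("172.30.20.0", LAN), REMOTE_LAN, ()),
        (("172.30.30.0", LAN), REMOTE_LAN, ()),
        (("172.30.30.0", LAN), (PEER, HOST), ()),
        (("192.168.1.0", LAN), REMOTE_LAN, (27, 31)),
        (("192.168.1.0", LAN), (PEER, HOST), ()),
    ])

if __name__ == "__main__":
    for peer, summary in summarise(parse_sa_pairs(SAMPLE_OUTPUT)).items():
        print(peer, summary)
```

On the sample this reports 7 pairs, of which 4 are against the peer address and 3 are subnet-to-subnet, so a LAN-to-LAN tunnel over the same three local subnets would show 3. Fed the full output posted above, the same logic gives the 17 the HQ reports (one /32 pair plus two per local subnet), and the packet counters show that only the 192.168.1.0 to 192.168.101.0 pair has carried traffic.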

Jennifer Halim Wed, 04/07/2010 - 06:12
User Badges:
  • Cisco Employee,

Unfortunately, it is just the behaviour of easy vpn, as it will show 1 SA for the LAN subnet, and another SA for the peer address.

No, it will not affect the license. IPSec license is based on the number of peers, not the number of SAs.
