We have a GETVPN network established for one client. Everything related to encryption works fine between group members (IKE phase 1 and 2). Our client requests us to monitor all active VPN tunnels in all group members, so we decided to check cipSecGlobalActiveTunnels in all group members to verify all active IPsec sessions between GMs. The problem is, when we check cipSecGlobalActiveTunnels when no IPsec session is established (i.e. ISAKMP and IPsec are disabled), the SNMP object returns a nonzero value; it returns "2". It means two active IPsec sessions, but no IPsec session is established when we check on the CLI.
First I thought it may be a software bug, but we have an identical solution for another customer, monitoring the same SNMP object, and there the SNMP object returns the correct value when IPsec is disabled (returns "0" active tunnels), and it is a GETVPN infrastructure too. We compared the IOS from the routers on the different solutions and it is the same:
When IPsec and ISAKMP are enabled, and IPsec sessions are active, the SNMP object again returns the total of active IPsec sessions plus 2, but the other solution shows just the total of active IPsec sessions.
Both solutions differ only in Phase 1 authentication (the odd one uses certificates and the normal one uses PSK).
It could be due to a problem in the clearing of a previous IPSec tunnel. If there is an error reporting a tunnel termination, then the stats counter is not properly decremented. There was also a bug in which the "clear crypto session" command did not return this object to a zero value (but that bug could never be reproduced internally). If you enable "debug crypto mib error" and "debug crypto mib detail", any future problems decrementing the active tunnel counter should be seen in the router log. However, you may not want that extra overhead. In any event, a reboot will return the object to zero. If you find you are able to reliably reproduce this problem, opening a TAC service request would be a good idea. You can point your engineer to CSCsl16701 which describes the "clear crypto session" issue.
Finally I performed the test you recommended on one router with the IPsec SNMP issue. First I enabled the debug crypto mib error and debug crypto mib detail commands and verified the results after disabling the crypto map on the interface. The log shows entries like this:
Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail: vrf_id:0 | ring index:263
Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail: Index at which vrf_id is inserted:199
Jan 28 17:56:14.404: crypto_index_array_add:ipsec_fail: Value of index in array at index (199): 263
Jan 28 17:56:14.404: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.404: IPSec active tunnels: 24,IPSec previous tunnels: 264
The IPsec active tunnels count begins at 26 and ends with 2 active tunnels. After the crypto map is enabled, the log entries show:
Jan 28 18:00:46.932: IPSec active tunnels : 3 notify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x656DE8B8 scmIpSecTunnelCreated (IKE SA:32)
Jan 28 18:00:46.956: scmIPSecTunnelCreated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 18:00:46.956: IPSec active tunnels : 26 notify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x656DE8B8 scmIpSecTunnelCreated (IKE SA:32) ...new ipsidx:310
Again, the router MIB shows 26 IPsec tunnels, but manually checking on the router, it only shows 24 IPsec tunnels.
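The reply above says that a tunnel termination that is not reported properly leaves cipSecGlobalActiveTunnels one too high, and the debug crypto mib output posted here shows the counter value logged after each scmIPSecTunnelTerminated / scmIPSecTunnelCreated event. The following script is an added example (not from this thread or from Cisco) that reads such debug lines, checks that every logged termination lowers the "IPSec active tunnels" value by exactly one and every creation raises it by one, and reports the residual between the last MIB value and the number of tunnels you count on the CLI. The sample log in the script is constructed to resemble the lines posted above, with one deliberately missed decrement; the line formats and the cli_active parameter are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Timestamp prefix used by the IOS debug lines quoted in the thread, e.g. "Jan 28 17:56:14.404: ..."
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
# Both spellings seen in the debug output: "IPSec active tunnels: 24" and "IPSec active tunnels : 3"
COUNT_RE = re.compile(r"IPSec active tunnels\s*:\s*(?P<n>\d+)", re.IGNORECASE)


@dataclass
class Anomaly:
    ts: str
    event: str       # "terminated" or "created"
    expected: int    # counter value the event should have produced
    observed: int    # counter value actually logged


@dataclass
class Reconciliation:
    mib_active: Optional[int]          # last "IPSec active tunnels" value seen in the log
    cli_active: int                    # tunnels counted on the CLI at the same moment
    anomalies: List[Anomaly] = field(default_factory=list)

    @property
    def residual(self) -> int:
        """MIB counter minus real tunnels; nonzero means the counter has drifted (stuck entries)."""
        return (self.mib_active or 0) - self.cli_active


def reconcile(log_text: str, cli_active: int) -> Reconciliation:
    """Walk debug crypto mib lines and verify each event moves the counter by exactly one."""
    pending: Optional[str] = None   # event announced by the previous line, awaiting its counter line
    prev_count: Optional[int] = None
    last_count: Optional[int] = None
    anomalies: List[Anomaly] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        low = msg.lower()
        c = COUNT_RE.search(msg)
        if c is None:
            # Event lines precede the counter line that reflects them
            if "scmipsectunnelterminated" in low:
                pending = "terminated"
            elif "scmipsectunnelcreated" in low:
                pending = "created"
            continue
        count = int(c.group("n"))
        # A creation may be logged on the same line as the counter (see the thread's 18:00:46 lines)
        event = pending or ("created" if "scmipsectunnelcreated" in low else None)
        pending = None
        if prev_count is not None and event is not None:
            expected = prev_count + (1 if event == "created" else -1)
            if count != expected:
                anomalies.append(Anomaly(ts, event, expected, count))
        prev_count = last_count = count
    return Reconciliation(last_count, cli_active, anomalies)


# Constructed sample modelled on the debug lines in the thread; the third termination
# does not decrement the counter, which is the failure mode the reply describes.
SAMPLE_LOG = """
Jan 28 17:56:14.404: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.404: IPSec active tunnels: 4,IPSec previous tunnels: 264
Jan 28 17:56:14.410: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.410: IPSec active tunnels: 3,IPSec previous tunnels: 265
Jan 28 17:56:14.420: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.420: IPSec active tunnels: 3,IPSec previous tunnels: 266
Jan 28 17:56:14.430: scmIPSecTunnelTerminated: Default context, vdi_ptr=gdi_ptr=1701701816/1701701816
Jan 28 17:56:14.430: IPSec active tunnels: 2,IPSec previous tunnels: 267
Jan 28 18:00:46.932: IPSec active tunnels : 3 notify_mib_ipsec_tunnel_activation: peer has vdi ptr set 0x656DE8B8 scmIpSecTunnelCreated (IKE SA:32)
"""

if __name__ == "__main__":
    # cli_active=2 is a constructed value standing in for the count from "show crypto ipsec sa"
    result = reconcile(SAMPLE_LOG, cli_active=2)
    for a in result.anomalies:
        print(f"{a.ts}: {a.event} event, expected counter {a.expected}, logged {a.observed}")
    print(f"MIB reports {result.mib_active}, CLI reports {result.cli_active}, residual {result.residual}")
```

Run against a real debug capture, the anomaly list points at the exact termination whose decrement was lost, which is the evidence a TAC case for this counter needs; the residual is the offset you would otherwise only notice as "CLI count plus 2".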