Current ipsec peer showing different then the actual peer pair?

p.mckay · ‎10-25-2005

The current peer showing on the pix is different then the actual peer that

is connected. In my case I have a lab setup as shown in the attached

document. I had all devices up and running and verified the tunnel peers.

The tunnel peers were nvanlabrtr01 and the pix at .250.234. I then added a

second crypto map to the pix for the nvanlabrtr02 s0/1 interface. I then

started to do failover testing by bringing down different interfaces on

the nvanlabrtr03 and 04 routers. I noticed that after returning the test

network to all interfaces up and verifying the tunnel path as being back

through the nvanlabrtr01. That the peer pair was still showing correctly.

I found that the pix reported that it’s current peer was nvanlabrtr02 s0/1

address. This was strange so I shutdown the nvanlabrtr02 router and

checked again. The pix was still reporting the address of nvanlabrtr02

s0/1 192.168.250.202 as it’s current peer. This can not be true since the

router is actually shut down. I then shutdown nvanlabrtr04 to ensure that

traffic was only routing via nvanlabrtr01 and nvanlabrtr03. I checked the counters on the ipsec on both the router nvanlabrtr01 and the pix and it

shows them incrementing. I also did a packet sniff and can see that the

traffic between the desired endpoint as being encrypted.

Output from the pix sh crypto ipsec sa and isakmp. The output from the sh

crypto ipsec sa shows address 192.168.250.202 yet the sh crypto isakmp sa shows the source and destination as being the pix and the nvanlabrtr01

The output from the router shows pix at 192.168.250.234 as it’s current pair

IPSEC: So the output from the ipsec shows pairs that can’t exist due to

the it’s current peer of 192.168.250.202 is shutdown.

ISAKMP: Shows the correct peering

What am I missing here? Is this expected behavior?

-----------------------

NVANLABRTR01 Output:

nvanlabrtr01#sh crypto ipsec sa

interface: Ethernet0/1

Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194

local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port):

(192.168.212.19/255.255.255.255/0/0)

current_peer: 192.168.250.234

local crypto endpt.: 192.168.250.194, remote crypto endpt.:

192.168.250.234

path mtu 1500, ip mtu 1514, ip mtu interface Loopback1

current outbound spi: E00F2FFF

interface: Tunnel1

Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194

local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port):

(192.168.212.19/255.255.255.255/0/0)

current_peer: 192.168.250.234

PERMIT, flags={origin_is_acl,}

current outbound spi: E00F2FFF

interface: Tunnel2

Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194

local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port):

(192.168.212.19/255.255.255.255/0/0)

current_peer: 192.168.250.234

PERMIT, flags={origin_is_acl,}

------------

nvanlabrtr01#sh crypto isakmp sa

dst src state conn-id slot

192.168.250.234 192.168.250.194 QM_IDLE 1 0

-----------------------------

PIX: Output

interface: outside

Crypto map tag: WSS-HYBRID-IPSEC, local addr. 192.168.250.234

local ident (addr/mask/prot/port):

(192.168.212.19/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)

current_peer: 192.168.250.202:500

PERMIT, flags={origin_is_acl,}

-------------------------------

nvanpixint01# sh crypto isakmp sa

Total : 1

Embryonic : 0

dst src state pending created

192.168.250.234 192.168.250.194 QM_IDLE 0 3

Report Inappropriate Content · ‎11-02-2005

I guess this might be related to the SA timeouts. It looks like the old IPSec SAs are not timing out. Clear both IPSec and ISAKMP SAs and then try again.