10-25-2005 10:09 AM - edited 02-21-2020 02:03 PM
The current peer showing on the pix is different than the actual peer that is connected. In my case I have a lab setup as shown in the attached document. I had all devices up and running and verified the tunnel peers. The tunnel peers were nvanlabrtr01 and the pix at .250.234. I then added a second crypto map to the pix for the nvanlabrtr02 s0/1 interface. I then started to do failover testing by bringing down different interfaces on the nvanlabrtr03 and 04 routers. I noticed that after returning the test network to all interfaces up and verifying the tunnel path as being back through nvanlabrtr01, the peer pair was still showing correctly. I found that the pix reported that its current peer was the nvanlabrtr02 s0/1 address. This was strange, so I shut down the nvanlabrtr02 router and checked again. The pix was still reporting the address of nvanlabrtr02 s0/1, 192.168.250.202, as its current peer. This cannot be true since the router is actually shut down. I then shut down nvanlabrtr04 to ensure that traffic was only routing via nvanlabrtr01 and nvanlabrtr03. I checked the IPsec counters on both the router nvanlabrtr01 and the pix and they are incrementing. I also did a packet sniff and can see the traffic between the desired endpoints being encrypted.

Output from the pix sh crypto ipsec sa and isakmp: the output from sh crypto ipsec sa shows address 192.168.250.202, yet sh crypto isakmp sa shows the source and destination as being the pix and nvanlabrtr01.

The output from the router shows the pix at 192.168.250.234 as its current peer.

IPSEC: So the output from the ipsec shows pairs that can't exist, because its current peer, 192.168.250.202, is shut down.
ISAKMP: Shows the correct peering

What am I missing here? Is this expected behavior?
-----------------------
NVANLABRTR01 Output:
nvanlabrtr01#sh crypto ipsec sa
interface: Ethernet0/1
Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194
local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
current_peer: 192.168.250.234
local crypto endpt.: 192.168.250.194, remote crypto endpt.: 192.168.250.234
path mtu 1500, ip mtu 1514, ip mtu interface Loopback1
current outbound spi: E00F2FFF
interface: Tunnel1
Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194
local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
current_peer: 192.168.250.234
PERMIT, flags={origin_is_acl,}
current outbound spi: E00F2FFF
interface: Tunnel2
Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194
local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
current_peer: 192.168.250.234
PERMIT, flags={origin_is_acl,}
------------
nvanlabrtr01#sh crypto isakmp sa
dst src state conn-id slot
192.168.250.234 192.168.250.194 QM_IDLE 1 0
-----------------------------
PIX: Output
interface: outside
Crypto map tag: WSS-HYBRID-IPSEC, local addr. 192.168.250.234
local ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
current_peer: 192.168.250.202:500
PERMIT, flags={origin_is_acl,}
-------------------------------
nvanpixint01# sh crypto isakmp sa
Total : 1
Embryonic : 0
dst src state pending created
192.168.250.234 192.168.250.194 QM_IDLE 0 3
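The mismatch described in the post (an IPsec SA whose current_peer has no matching ISAKMP SA) can be checked mechanically. The following is an added example, not part of the original thread or of any Cisco tool: it parses the two show outputs quoted above (embedded here as constructed sample strings, abridged) and flags IPsec peers that have no QM_IDLE phase-1 SA on the same box. The parsing is tied to the column layout shown in the post; other PIX/IOS versions may format these commands differently.

```python
"""Cross-check 'show crypto ipsec sa' against 'show crypto isakmp sa'.

Added example (not from the thread). An IPsec (phase 2) SA whose
current_peer has no established ISAKMP (phase 1) SA is the symptom the
post describes: a stale phase-2 entry pointing at a peer that is down.
"""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "current_peer: 192.168.250.202:500" -> PIX appends the UDP port; strip it.
PEER_RE = re.compile(rf"^\s*current_peer:\s*({IPV4})(?::\d+)?", re.M)
# "Crypto map tag: X, local addr. 192.168.250.234"
LOCAL_RE = re.compile(rf"local addr\.\s*({IPV4})")
# ISAKMP table rows: "dst src state ..." (header lines never match).
ISAKMP_ROW_RE = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)", re.M)

# Constructed sample: the PIX output as quoted in the post (abridged).
PIX_IPSEC_SA = """\
interface: outside
Crypto map tag: WSS-HYBRID-IPSEC, local addr. 192.168.250.234
local ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
current_peer: 192.168.250.202:500
PERMIT, flags={origin_is_acl,}
"""
PIX_ISAKMP_SA = """\
Total : 1
Embryonic : 0
dst src state pending created
192.168.250.234 192.168.250.194 QM_IDLE 0 3
"""

# Constructed sample: the nvanlabrtr01 output as quoted in the post (abridged).
ROUTER_IPSEC_SA = """\
interface: Ethernet0/1
Crypto map tag: BLVD-IPSEC, local addr. 192.168.250.194
local ident (addr/mask/prot/port): (192.168.126.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.212.19/255.255.255.255/0/0)
current_peer: 192.168.250.234
"""
ROUTER_ISAKMP_SA = """\
dst src state conn-id slot
192.168.250.234 192.168.250.194 QM_IDLE 1 0
"""


def local_addr_of(ipsec_text):
    """First 'local addr.' seen in the ipsec sa output, or None."""
    m = LOCAL_RE.search(ipsec_text)
    return m.group(1) if m else None


def ipsec_peers(ipsec_text):
    """Set of current_peer addresses (port stripped) in 'show crypto ipsec sa'."""
    return set(PEER_RE.findall(ipsec_text))


def isakmp_peers(isakmp_text, local_addr):
    """Map remote address -> state for each ISAKMP SA row.

    Each row lists dst and src; whichever side is not our own address
    is the remote peer.
    """
    peers = {}
    for dst, src, state in ISAKMP_ROW_RE.findall(isakmp_text):
        remote = src if dst == local_addr else dst
        peers[remote] = state
    return peers


def stale_ipsec_peers(ipsec_text, isakmp_text, local_addr):
    """Sorted list of IPsec peers lacking an established (QM_IDLE) ISAKMP SA."""
    phase1 = isakmp_peers(isakmp_text, local_addr)
    return sorted(p for p in ipsec_peers(ipsec_text) if phase1.get(p) != "QM_IDLE")


def report(ipsec_text, isakmp_text):
    """Return (local_addr, stale_peers) for one device's pair of outputs."""
    local = local_addr_of(ipsec_text)
    return local, stale_ipsec_peers(ipsec_text, isakmp_text, local)


if __name__ == "__main__":
    for name, ipsec, isakmp in (("pix", PIX_IPSEC_SA, PIX_ISAKMP_SA),
                                ("nvanlabrtr01", ROUTER_IPSEC_SA, ROUTER_ISAKMP_SA)):
        local, stale = report(ipsec, isakmp)
        print(f"{name} ({local}): stale IPsec peers = {stale or 'none'}")
```

On the quoted data this reports 192.168.250.202 as stale on the pix (phase 2 points at a peer that has no phase 1 SA) and nothing on the router, which is exactly the inconsistency the post is asking about; such an entry is the one to look at before clearing SAs.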
11-02-2005 09:08 AM
I guess this might be related to the SA timeouts. It looks like the old IPSec SAs are not timing out. Clear both IPSec and ISAKMP SAs and then try again.