02-17-2009 10:31 AM - edited 02-21-2020 03:17 AM
Ok, I can only think that my peer is using some sort of load balancing or something. But basically, if you notice the info below, for some reason there are 2 IPsec flows for each network. The data session dies when 1 of the IPsec flows' timer expires, until the other IPsec flow's timer expires. After renegotiation I'm good for about 57 minutes until the process repeats itself. Any suggestions are greatly appreciated. This is on a 7206 btw.
Peer: P.P.P.P/500 fvrf: (none) ivrf: (none)
Phase1_id: P.P.P.P
Desc: (none)
IKE SA: local ME.ME.ME.ME/500 remote P.P.P.P/500 Active
Capabilities:(none) connid:35 lifetime:19:08:44
IKE SA: local ME.ME.ME.ME/500 remote P.P.P.P/500 Active
Capabilities:(none) connid:36 lifetime:19:08:44
IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 7149 drop 0 life (KB/Sec) 4511491/3284
Outbound: #pkts enc'ed 8415 drop 1 life (KB/Sec) 4512254/3284
IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 222 life (KB/Sec) 4534552/3104
Outbound: #pkts enc'ed 222 drop 0 life (KB/Sec) 4534662/3104
IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1253 drop 0 life (KB/Sec) 4390063/3254
Outbound: #pkts enc'ed 1023 drop 2 life (KB/Sec) 4390036/3254
IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 143 life (KB/Sec) 4428727/3103
Outbound: #pkts enc'ed 143 drop 0 life (KB/Sec) 4428744/3103
02-17-2009 10:45 AM
Here is the config too.
sh run
Building configuration...
Current configuration : 3729 bytes
!
! Last configuration change at 15:45:05 CST Thu Feb 12 2009
! NVRAM config last updated at 11:31:25 CST Thu Feb 12 2009
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname cisco
!
boot-start-marker
boot system flash disk0:c7200-ik9s-mz.123-4.T7.bin
boot-end-marker
!
enable secret 5
enable password
!
clock timezone CST -6
syscon address 10.7.0.1
syscon shelf-id 0
no aaa new-model
ip subnet-zero
!
!
ip cef
!
!
ip ssh break-string
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 5
!
crypto isakmp policy 6
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key secret address P.P.P.P
crypto isakmp key secret2 address P2.P2.P2.P2
!
!
crypto ipsec transform-set ts_peer esp-3des esp-md5-hmac
crypto ipsec transform-set peer2 esp-3des esp-sha-hmac
!
crypto map nolan local-address Serial1/0
crypto map nolan 10 ipsec-isakmp
set peer P.P.P.P
set transform-set ts_peer
set pfs group2
match address 101
crypto map nolan 15 ipsec-isakmp
set peer P.P.P.P
set transform-set ts_peer
set pfs group2
match address 102
crypto map nolan 20 ipsec-isakmp
set peer P2.P2.P2.P2
set transform-set peer2
match address 111
!
!
!
!
!
interface FastEthernet0/0
ip address 10.7.0.1 255.255.255.0
ip nat inside
no ip mroute-cache
duplex full
no cdp enable
!
interface Serial1/0
ip address ME.ME.ME.ME 255.255.255.252
ip nat outside
no ip route-cache
dsu bandwidth 44210
framing c-bit
cablelength 10
serial restart-delay 0
crypto map nolan
!
interface FastEthernet2/0
ip address 10.2.2.66 255.255.255.224
ip nat inside
no ip route-cache
no ip mroute-cache
duplex full
no cdp enable
!
ip nat inside source route-map nonat interface Serial1/0 overload
ip nat inside source static 10.2.2.70 X.X.X.X extendable
ip nat inside source static 10.7.0.2 X.X.X.X extendable
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 10.6.0.0 255.255.0.0 10.2.2.65
ip route 10.8.0.0 255.255.0.0 10.2.2.65
ip http server
no ip http secure-server
!
!
!
logging trap debugging
logging facility local5
logging X.X.X.X
logging X.X.X.X
access-list 5 permit X.X.X.X
access-list 5 permit X.X.X.X
access-list 100 deny ip host 10.2.2.65 host 10.10.0.97
access-list 100 deny ip 10.6.0.0 0.0.255.255 host 10.10.0.97
access-list 100 deny ip 10.8.0.0 0.0.255.255 host P2.P2.P2.P2
access-list 100 deny ip host 10.2.2.65 host P2.P2.P2.P2
access-list 100 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip host 10.2.2.65 host 10.10.0.97
access-list 102 permit ip 10.6.0.0 0.0.255.255 host 10.10.0.97
access-list 111 permit ip host 10.2.2.65 host P2.P2.P2.P2
access-list 111 permit ip 10.8.0.0 0.0.255.255 host P2.P2.P2.P2
access-list 111 permit ip host 10.2.2.65 host P2.P2.P2.P2
!
route-map nonat permit 10
match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
stopbits 1
line vty 0 4
password
login
transport preferred all
transport input all
transport output all
line vty 5 15
password
login
transport preferred all
transport input all
transport output all
!
ntp clock-period 17180052
ntp update-calendar
ntp server X.X.X.X
ntp server X.X.X.X
ntp server X.X.X.X
ntp server X.X.X.X
ntp server X.X.X.X
!
!
end
Cisco#
02-27-2009 10:36 AM
Why do you have two separate crypto map entries for the same peer? Why not just aggregate them into one ACL and remove sequence 15?
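An added diagnostic for the two things this thread turns on, written for this page and not part of either post: it parses the IPSEC FLOW blocks from the show crypto session output in the first post, flags proxy identities that carry more than one SA pair and inbound SAs that decrypt nothing while dropping every packet, and parses the crypto map entries from the posted running config to find sequences that share peer, transform set and PFS group, which is the consolidation the reply suggests. The embedded text is a constructed copy of the post's own output and config; the function names and the report format are my own.

```python
import re
from collections import defaultdict

# Constructed copy of the IPSEC FLOW lines from the "show crypto session detail" output in the post.
SHOW_CRYPTO_SESSION = """\
IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 7149 drop 0 life (KB/Sec) 4511491/3284
Outbound: #pkts enc'ed 8415 drop 1 life (KB/Sec) 4512254/3284
IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 222 life (KB/Sec) 4534552/3104
Outbound: #pkts enc'ed 222 drop 0 life (KB/Sec) 4534662/3104
IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1253 drop 0 life (KB/Sec) 4390063/3254
Outbound: #pkts enc'ed 1023 drop 2 life (KB/Sec) 4390036/3254
IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 143 life (KB/Sec) 4428727/3103
Outbound: #pkts enc'ed 143 drop 0 life (KB/Sec) 4428744/3103
"""

# Constructed copy of the crypto map entries from the posted running config.
RUNNING_CONFIG = """\
crypto map nolan 10 ipsec-isakmp
 set peer P.P.P.P
 set transform-set ts_peer
 set pfs group2
 match address 101
crypto map nolan 15 ipsec-isakmp
 set peer P.P.P.P
 set transform-set ts_peer
 set pfs group2
 match address 102
crypto map nolan 20 ipsec-isakmp
 set peer P2.P2.P2.P2
 set transform-set peer2
 match address 111
"""

FLOW_RE = re.compile(r"^IPSEC FLOW:\s*(.+?)\s*$")
IN_RE = re.compile(r"^Inbound: #pkts dec'ed (\d+) drop (\d+) life \(KB/Sec\) \d+/(\d+)")
OUT_RE = re.compile(r"^Outbound: #pkts enc'ed (\d+) drop (\d+) life \(KB/Sec\) \d+/(\d+)")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp$")


def parse_flows(text):
    """One dict per IPSEC FLOW block: proxy identity plus inbound/outbound counters and lifetimes."""
    flows, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := FLOW_RE.match(line):
            cur = {"proxy": m.group(1)}
            flows.append(cur)
        elif cur and (m := IN_RE.match(line)):
            cur["in_dec"], cur["in_drop"], cur["in_life_sec"] = map(int, m.groups())
        elif cur and (m := OUT_RE.match(line)):
            cur["out_enc"], cur["out_drop"], cur["out_life_sec"] = map(int, m.groups())
    return flows


def duplicate_flows(flows):
    """Proxy identities listed more than once, i.e. two SA pairs protecting the same traffic."""
    by_proxy = defaultdict(list)
    for f in flows:
        by_proxy[f["proxy"]].append(f)
    return {p: fs for p, fs in by_proxy.items() if len(fs) > 1}


def dead_inbound_flows(flows):
    """Flows whose inbound SA has decrypted nothing and dropped every packet it received."""
    return [f for f in flows if f.get("in_dec") == 0 and f.get("in_drop", 0) > 0]


def parse_crypto_map(text):
    """One dict per 'crypto map <name> <seq> ipsec-isakmp' entry with peer, transform set, PFS group, ACLs."""
    entries, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if m := MAP_RE.match(line):
            cur = {"map": m.group(1), "seq": int(m.group(2)), "peer": None,
                   "transform": None, "pfs": None, "acls": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("set peer "):
            cur["peer"] = line.split()[2]
        elif line.startswith("set transform-set "):
            cur["transform"] = line.split()[2]
        elif line.startswith("set pfs "):
            cur["pfs"] = line.split()[2]
        elif line.startswith("match address "):
            cur["acls"].append(line.split()[2])
        elif not line.startswith(("set ", "description", "reverse-route", "qos ")):
            cur = None  # any other top-level command ends the crypto map block
    return entries


def mergeable_entries(entries):
    """Entries of one map that share peer, transform set and PFS group and could be a single entry with one ACL."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["map"], e["peer"], e["transform"], e["pfs"])].append(e)
    return {k: v for k, v in groups.items() if len(v) > 1}


def report(session_text, config_text):
    """Human-readable findings from both inputs, one string per finding."""
    lines = []
    flows = parse_flows(session_text)
    for proxy, fs in duplicate_flows(flows).items():
        lives = [f["in_life_sec"] for f in fs]
        lines.append(f"{len(fs)} SA pairs for '{proxy}', remaining inbound lifetimes {lives}s")
    for f in dead_inbound_flows(flows):
        lines.append(f"inbound SA for '{f['proxy']}' decrypted 0 packets and dropped {f['in_drop']}")
    for (name, peer, ts, pfs), es in mergeable_entries(parse_crypto_map(config_text)).items():
        seqs = [e["seq"] for e in es]
        acls = [a for e in es for a in e["acls"]]
        lines.append(f"crypto map {name} seq {seqs} share peer {peer}/{ts}/pfs {pfs}; ACLs {acls} could be one ACL")
    return lines


if __name__ == "__main__":
    for line in report(SHOW_CRYPTO_SESSION, RUNNING_CONFIG):
        print(line)
```

Run against the thread's own data it reports each proxy identity twice with lifetimes that differ by about three minutes (3284s versus 3104s), which matches the poster's description of one SA pair expiring while the other is still young, and it points at map sequences 10 and 15 as the candidates for the merge the reply proposes.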