Cisco Support Community

New Member

ASA 5510 & ASA 5505 VPN

I have an ASA 5510 in HQ (Version 8.0(3)) and an ASA 5505 (Version 8.3(1)) at remote end.  I am utilizing easy vpn.  The vpn works great, but when the VPN is connected the 5510 shows 17 IPSEC connections for this one device.  I look at the 5505, and it is saying 1.

Thanks!

8 REPLIES

Re: ASA 5510 & ASA 5505 VPN

Hi,

I've seen this before with EzVPN (seems to be very persistent).

If you clear the tunnel and bring it up again, do you see the same behavior?

If that's so, can you post both configs?

Federico.

Cisco Employee

Re: ASA 5510 & ASA 5505 VPN

Is the HQ ASA terminating multiple easyvpn connections? Also, do you have any remote access vpn clients terminating on the HQ ASA as well? If there are, then it will be showing multiple IKE/IPSec.

New Member

Re: ASA 5510 & ASA 5505 VPN

Currently the HQ is only terminating one easyvpn connection (will be more once I get this figured out).

I do have multiple clients terminating to the VPN.

What I want to make clear is that the easyvpn connection will make 1 IKE tunnel and 17 IPSEC tunnels; when I pull the plug on the unit, you can see it drop back to a 1-1 on the HQ for the vpn clients.

See attached.

Cisco Employee

Re: ASA 5510 & ASA 5505 VPN

Please share the output of "show crypto ipsec sa peer " on the HQ ASA5510.

New Member

Re: ASA 5510 & ASA 5505 VPN

This is the crypto from the 5510 for the 5505

asa# sh crypto ipsec sa peer 64.196.6.180

peer address: 64.196.6.180

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (64.196.6.165/255.255.255.255/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 31B990D0

    inbound esp sas:

      spi: 0x7CD49785 (2094307205)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

          slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28631

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x31B990D0 (834244816)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28631

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

       #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 5724A440

    inbound esp sas:

      spi: 0x23C29273 (599954035)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28632

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x5724A440 (1462019136)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28632

         IV size: 16 bytes

          replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 7319F5DD

    inbound esp sas:

      spi: 0xD7E38EE9 (3622014697)

          transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28629

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x7319F5DD (1931081181)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28629

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

       #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 05C48316

    inbound esp sas:

      spi: 0xF51CFD49 (4112317769)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28628

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x05C48316 (96764694)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

          sa timing: remaining key lifetime (sec): 28628

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: B3FDC508

              

     inbound esp sas:

      spi: 0x1D3C2C54 (490482772)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28626

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xB3FDC508 (3019752712)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28626

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

              

       #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 130D6E8E

    inbound esp sas:

      spi: 0x68DFF375 (1759507317)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28625

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x130D6E8E (319647374)

         transform: esp-aes esp-sha-hmac none

          in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28623

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

       current outbound spi: C0A94DAC

    inbound esp sas:

      spi: 0x673C5702 (1732007682)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28622

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xC0A94DAC (3232320940)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28622

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

       dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 2D783439

    inbound esp sas:

      spi: 0xD499DFD9 (3566854105)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28621

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

       spi: 0x2D783439 (762852409)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28620

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: BCD61AC9

    inbound esp sas:

      spi: 0x76D18AEA (1993444074)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xBCD61AC9 (3168148169)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)

       remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 4A4CD1CF

    inbound esp sas:

      spi: 0xCDBFC162 (3451896162)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28619

         IV size: 16 bytes

          replay detection support: Y

    outbound esp sas:

      spi: 0x4A4CD1CF (1246548431)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28618

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 3B4876DE

    inbound esp sas:

      spi: 0x88488E6A (2286456426)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28617

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x3B4876DE (994604766)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28617

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 04EBDD5F

    inbound esp sas:

      spi: 0xA5641A72 (2774801010)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

          sa timing: remaining key lifetime (sec): 28616

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x04EBDD5F (82566495)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28616

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

       #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 148326FE

    inbound esp sas:

      spi: 0x25F19BCA (636591050)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28615

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x148326FE (344139518)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28615

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: EF7D0BA1

    inbound esp sas:

      spi: 0x3C811E67 (1015094887)

         transform: esp-aes esp-sha-hmac none

          in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28613

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xEF7D0BA1 (4017949601)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28613

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

       #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 0221694F

    inbound esp sas:

      spi: 0x35D46FD9 (903114713)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28612

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x0221694F (35744079)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28612

          IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27

      #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 27, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: 412AC6F8

    inbound esp sas:

       spi: 0xE2254D63 (3794095459)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28610

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0x412AC6F8 (1093322488)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28610

         IV size: 16 bytes

         replay detection support: Y

    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 64.196.6.165

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)

      remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

      current_peer: 64.196.6.180, username:

      dynamic allocated peer ip: 0.0.0.0

      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

       #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

      #pkts compressed: 0, #pkts decompressed: 0

      #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

      #send errors: 0, #recv errors: 0

      local crypto endpt.: 64.196.6.165, remote crypto endpt.: 64.196.6.180

      path mtu 1500, ipsec overhead 74, media mtu 1500

      current outbound spi: DDE92DD6

    inbound esp sas:

      spi: 0xD67A60FC (3598344444)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

         slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28609

         IV size: 16 bytes

         replay detection support: Y

    outbound esp sas:

      spi: 0xDDE92DD6 (3723046358)

         transform: esp-aes esp-sha-hmac none

         in use settings ={RA, Tunnel, }

          slot: 0, conn_id: 2338816, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP

         sa timing: remaining key lifetime (sec): 28608

         IV size: 16 bytes

         replay detection support: Y

asa#

Cisco Employee

Re: ASA 5510 & ASA 5505 VPN

Yes, it will create SAs for every subnet you have: one SA pairing with the remote subnet of the ASA 5505, and one SA pairing with the peer IP of the remote ASA 5505.

It creates the extra SA pair with the peer IP address of the remote ASA for easy vpn (it's normal in easy vpn). If you configure LAN-to-LAN between the 2 ASAs, it will just be half the number of SAs, as there won't be an SA created for the peer IP address like in an easy vpn tunnel.

Here are the SA pairings created:

local ident (addr/mask/prot/port): (64.196.6.165/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.20.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.30.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.70.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.71.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.80.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (172.30.81.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

local ident (addr/mask/prot/port): (172.30.88.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)

local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (64.196.6.180/255.255.255.255/0/0)

New Member

Re: ASA 5510 & ASA 5505 VPN

Thank you for the quick responses.

Additional questions:

     Does this utilize licenses as it shows up for multiple connections?

     Why is it different than the vpn client as it only shows up as a 1-1?

Thanks!

Cisco Employee

Re: ASA 5510 & ASA 5505 VPN

Unfortunately, it is just the behaviour of easy vpn, as it will show 1 SA for the LAN subnet, and another SA for the peer address.

No, it will not affect the license. IPSec license is based on the number of peers, not the number of SAs.
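
A way to check the accounting described in this thread, as an added example that is not part of the original posts: it parses `show crypto ipsec sa peer` output in the format posted above, groups the SA pairs per peer, and separates pairs whose remote selector is the peer's own address (the extra Easy VPN pairs) from subnet-to-subnet pairs. The sample output is constructed (documentation addresses, two local subnets), and all function and field names are illustrative.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample in the layout of the ASA output posted in this thread
# (RFC 5737 documentation addresses, not the thread's real peers).
SAMPLE = """\
peer address: 198.51.100.20
    Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 198.51.100.10
      local ident (addr/mask/prot/port): (198.51.100.10/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
      current_peer: 198.51.100.20, username:
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)

       remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
      current_peer: 198.51.100.20, username:
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20, username:
      #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
      #pkts decaps: 31, #pkts decrypt: 31, #pkts verify: 31
      #pkts compressed: 0, #pkts decompressed: 0
      local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (198.51.100.20/255.255.255.255/0/0)
      current_peer: 198.51.100.20, username:
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.101.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20, username:
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

IDENT = re.compile(
    r"(local|remote) ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/\d+/\d+\)"
)
PEER = re.compile(r"current_peer: ([\d.]+)")
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaPair:
    local: IPv4Network
    remote: Optional[IPv4Network] = None
    peer: Optional[str] = None
    encaps: int = 0
    decaps: int = 0


def parse_sa_pairs(text: str) -> list:
    """Return one SaPair per 'local ident' block; tolerant of blank lines and
    uneven indentation, which pasted console output often has."""
    pairs = []
    for line in text.splitlines():
        m = IDENT.search(line)
        if m:
            net = ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
            if m.group(1) == "local":
                pairs.append(SaPair(local=net))   # a new block starts here
            elif pairs:
                pairs[-1].remote = net
            continue
        if not pairs:
            continue                              # header lines before any block
        m = PEER.search(line)
        if m:
            pairs[-1].peer = m.group(1)
            continue
        m = PKTS.search(line)
        if m:
            setattr(pairs[-1], m.group(1), int(m.group(2)))
    return pairs


def summarize(pairs: list) -> dict:
    """Per-peer counts. The number of keys is the peer count, which is what the
    reply above says licensing follows; 'sa_pairs' is what the HQ unit displays."""
    out = defaultdict(lambda: {"sa_pairs": 0, "to_peer_address": 0,
                               "to_remote_network": 0, "idle": 0})
    for p in pairs:
        if p.remote is None or p.peer is None:
            continue                              # truncated block, skip it
        s = out[p.peer]
        s["sa_pairs"] += 1
        remote_is_peer = (p.remote.prefixlen == 32
                          and p.remote.network_address == ip_address(p.peer))
        s["to_peer_address" if remote_is_peer else "to_remote_network"] += 1
        if p.encaps == 0 and p.decaps == 0:
            s["idle"] += 1                        # negotiated but carrying no traffic
    return dict(out)


if __name__ == "__main__":
    for peer, stats in summarize(parse_sa_pairs(SAMPLE)).items():
        print(peer, stats)
```

With n local subnets this yields 2n + 1 pairs for one Easy VPN peer, which matches the 17 pairs listed in the reply above for 8 local subnets.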
