
New Member

Crypto IPSec SA output

Hi,

I have a lab setup in GNS3 using two ASAs for site to site VPN. Phase 1 and phase 2 establish fine, however the output shows a high number of packets that are not being compressed, which is identical on both ASAs. See below:

site2-fw1# sho cry ipsec sa
interface: outside
    Crypto map tag: VPNMAP, seq num: 1, local addr: x.x.x.x

      access-list CRYPTO-to-SITE1 extended permit ip 172.16.50.0 255.255.255.0 172.16.5.0 255.255.255.0
      local ident (addr/mask/prot/port): (172.16.50.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.16.5.0/255.255.255.0/0/0)
      current_peer: x.x.x.x

      #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
      #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 97, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: x.x.x.x/0, remote crypto endpt.: x.x.x.x/0
      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 86CE5CB6
      current inbound spi : CEE35649

    inbound esp sas:
      spi: 0xCEE35649 (3471005257)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: VPNMAP
         sa timing: remaining key lifetime (kB/sec): (4373990/28656)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x86CE5CB6 (2261671094)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 8192, crypto-map: VPNMAP
         sa timing: remaining key lifetime (kB/sec): (4373990/28656)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

I have not seen this behaviour before and am not sure whether it is a bad thing.

Can someone please explain what this means?

Thanks,

Ash

2 REPLIES
VIP Green

Crypto IPSec SA output

It means that packets are not being sent over the VPN. Could be a number of things causing this (routing, crypto access-list, NAT), but considering it is set up in GNS3 I will put my money on it being a virtualization issue. Have you tried to recreate the configuration from scratch? If yes, then considering phase 1 and 2 complete successfully, make sure that the crypto ACLs and NAT statements are correct.

--

Please remember to rate and select a correct answer
Super Bronze

Re: Crypto IPSec SA output

Hi,

EDIT: Gah, was looking at the wrong counters. There is the third counter that mentions "pkts not compressed".

To me the output seems that you might be testing with ICMP and every single packet has had a reply, since the encapsulation/decapsulation counters match each other.

      #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
      #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97

So since we can see packets on both directions then it would seem that the actual VPN connection is forwarding traffic in both directions between the specified networks.

To my understanding you won't see any statistics for compression unless you specifically configure it for the VPN. I have not seen this in use anywhere myself nor have I configured it ever.

- Jouni
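The checks the two replies walk through (encaps and decaps both non-zero and matching, no send/recv errors, and "pkts not compressed" being expected when the transform says "no compression") as an added example that parses the counters in this `show crypto ipsec sa` output; this is not code from either poster, and the sample below is a constructed excerpt of the output above with documentation addresses.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" output in the post
# (addresses replaced with a documentation range).
SAMPLE = """\
interface: outside
    Crypto map tag: VPNMAP, seq num: 1, local addr: 192.0.2.1
      #pkts encaps: 97, #pkts encrypt: 97, #pkts digest: 97
      #pkts decaps: 97, #pkts decrypt: 97, #pkts verify: 97
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 97, #pkts comp failed: 0, #pkts decomp failed: 0
      #send errors: 0, #recv errors: 0
    inbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
    outbound esp sas:
         transform: esp-aes esp-sha-hmac no compression
"""

# Every counter has the shape "#name: N"; names may contain spaces and hyphens.
COUNTER_RE = re.compile(r"#([A-Za-z\- ]+?):\s*(\d+)")


def parse_counters(text):
    """Map each '#name' counter in the output to its integer value."""
    return {name.strip(): int(val) for name, val in COUNTER_RE.findall(text)}


def assess(text):
    """Apply the reasoning from the replies to the counters; return (counters, findings)."""
    c = parse_counters(text)
    transforms = re.findall(r"transform:\s*(.+)", text)
    findings = []
    encaps, decaps = c.get("pkts encaps", 0), c.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        findings.append("no packets in either direction: check routing, crypto ACL and NAT")
    elif encaps == 0 or decaps == 0:
        findings.append("packets flow in one direction only: check crypto ACL and NAT on both sides")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send/recv errors are non-zero")
    if c.get("pkts comp failed", 0) or c.get("pkts decomp failed", 0):
        findings.append("compression failures recorded")
    # With "no compression" in the transform every packet lands in
    # "pkts not compressed", so that counter carries no alarm on its own.
    if transforms and all("no compression" in t for t in transforms):
        findings.append("compression not in use: 'pkts not compressed' is expected to equal encaps")
    return c, findings
```

Running `assess(SAMPLE)` on the sample yields matching 97/97 counters and a single note that compression is simply not configured, which is the conclusion the second reply reaches.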
