Cisco Support Community
New Member

IPSec output interpretation (pkts no sa)

Does "pkts no sa (send)" mean that SA's are timing out too quickly? How can I mitigate this problem?

Router#sh crypto ipsec sa detail

interface: GigabitEthernet0/0

Crypto map tag: lajesvpn, local addr 208.4.63.99

protected vrf: (none)

local ident (addr/mask/prot/port): (192.168.62.61/255.255.255.255/47/0)

remote ident (addr/mask/prot/port): (192.168.62.60/255.255.255.255/47/0)

current_peer 132.30.100.20 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 11924940, #pkts encrypt: 11924940, #pkts digest: 11924940

#pkts decaps: 11268741, #pkts decrypt: 11268741, #pkts verify: 11268741

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#pkts no sa (send) 31986, #pkts invalid sa (rcv) 0 <==

#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0

#pkts invalid prot (recv) 0, #pkts verify failed: 0

#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0

#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0

##pkts replay failed (rcv): 0

#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: 208.4.63.99, remote crypto endpt.: 132.30.100.20

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0

current outbound spi: 0xF7E734A3(4159124643)

inbound esp sas:

spi: 0x535C185(87409029)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3010, flow_id: Onboard VPN:10, crypto map: lajesvpn

sa timing: remaining key lifetime (k/sec): (4376668/1083)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xF7E734A3(4159124643)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel, }

conn id: 3021, flow_id: Onboard VPN:21, crypto map: lajesvpn

sa timing: remaining key lifetime (k/sec): (4373069/1083)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:
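
Added example, not part of the original post and not Cisco tooling: the `#pkts` counters in this output are cumulative, so one snapshot cannot show whether "pkts no sa (send)" is still growing. The Python below parses the counter lines and compares two snapshots; the `LATER` snapshot, the function names, and the split into "traffic" and "error" counters are assumptions made for the illustration.

```python
import re

# One counter: one or more '#', "pkts <name>", optional ':', then the value.
COUNTER_RE = re.compile(r"#+pkts ([a-z. ]+?(?: \((?:send|rcv|recv)\))?):? (\d+)")

# Counters for normally processed traffic; all others are treated as error counters.
TRAFFIC = {"encaps", "encrypt", "digest", "decaps", "decrypt", "verify",
           "compressed", "decompressed", "not compressed", "not decompressed"}

def parse_counters(text):
    """Return {counter name: value} for the '#pkts' lines of one SA block."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}

def error_deltas(before, after):
    """Error counters that grew between two snapshots of the same SA block."""
    old, new = parse_counters(before), parse_counters(after)
    grown = {}
    for name, value in new.items():
        if name in TRAFFIC:
            continue
        delta = value - old.get(name, 0)
        if delta < 0:   # went backwards: assume counters were cleared in between
            delta = value
        if delta:
            grown[name] = delta
    return grown

def no_sa_ratio(text):
    """'no sa (send)' count relative to the 'encaps' count in one snapshot."""
    c = parse_counters(text)
    return c.get("no sa (send)", 0) / c["encaps"] if c.get("encaps") else 0.0

# Counter lines copied from the output posted above.
POSTED = """
#pkts encaps: 11924940, #pkts encrypt: 11924940, #pkts digest: 11924940
#pkts decaps: 11268741, #pkts decrypt: 11268741, #pkts verify: 11268741
#pkts no sa (send) 31986, #pkts invalid sa (rcv) 0 <==
#pkts invalid prot (recv) 0, #pkts verify failed: 0
##pkts replay failed (rcv): 0
"""
# Constructed later snapshot (values invented for the example).
LATER = POSTED.replace("11924940", "11930112").replace("31986", "32110")

if __name__ == "__main__":
    print(f"no-sa/encaps ratio: {no_sa_ratio(POSTED):.4%}")
    print("error counters still growing:", error_deltas(POSTED, LATER))
```
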

9 REPLIES
Silver

Re: IPSec output interpretation (pkts no sa)

Use the following two commands and reinitiate the connection.

clear crypto isakmp - Clears the Phase 1 security associations.

clear crypto sa - Clears the Phase 2 security associations.

New Member

Re: IPSec output interpretation (pkts no sa)

Interestingly, the IPSec tunnel went down by itself and came back up. The statement in question no longer appears in the "sh crypto ipsec sa" command.

New Member

Re: IPSec output interpretation (pkts no sa)

Do you know what was the cause of this message?

New Member

Re: IPSec output interpretation (pkts no sa)

We have had the same issues since deploying new code (12.4-19.18T6), where GRE IPsec restarts tunnels after a random time period, generating a lot of the no SA send messages.

Did you manage to get a response or fix?

New Member

Re: IPSec output interpretation (pkts no sa)

No, I did not get further response or fix on this issue. However, I use 12.4(17a) on the IPSec hub router and have a separate hub for GRE tunnels. I also experience the same problem where GRE tunnels restart after a random period due to EIGRP hello expired. I am currently looking into applying IP MTU and IP TCP MSS-Adjust on the Tunnel interface. I will monitor the results.

New Member

Re: IPSec output interpretation (pkts no sa)

Have a look at bug ID CSCsm93047; that might explain it.

New Member

Re: IPSec output interpretation (pkts no sa)

Currently, I have a hub-and-spoke setup for both IPSec VPN and GRE Tunnel. I am not certain if this bug applies to my current setup. However, I will definitely keep this in mind when I migrate to a DMVPN setup.

New Member

Re: IPSec output interpretation (pkts no sa)

Yeah, it only applies if you're using tunnel protection on your GRE, I think.

New Member

Re: IPSec output interpretation (pkts no sa)

Correct.
