New Member

L2L VPN router-ASA errors


Hi all,

Kindly advise on the below error I am getting on the crypto-enabled interface.

#send errors 0, #recv errors 117--------------remote side error

VPNB#sh crypto ipsec sa peer x.x.x.x
interface: GigabitEthernet0/1
   current_peer x.x.x.x port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 117
     local crypto endpt.: 194.170.10.85, remote crypto endpt.: 86.62.248.148
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x45BFBAD2(1170193106)
     inbound esp sas:
      spi: 0x27758DC1(662015425)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2035, flow_id: AIM-VPN/HPII-PLUS:35, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4437487/3465)
              HA KB life last checkpointed at (k): (4437488)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x45BFBAD2(1170193106)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2055, flow_id: AIM-VPN/HPII-PLUS:55, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4437488/3458)
              HA KB life last checkpointed at (k): (4437488)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

1 REPLY
Cisco Employee

Re: L2L VPN router-ASA errors

Check phase 2 settings,

especially that proxy IDs (crypto map --> match address xxx) are a perfect mirror

the same PFS group is being used (if any is used)

you are not overlapping interesting traffic with any other tunnel

You could also enable debug cry isa 200, debug cry ips 200 on the ASA, have the router initiate the traffic and post that log

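The mirror and overlap checks suggested in the reply, as an added example that is not part of the original thread: it parses `permit ip` crypto ACL lines (wildcard masks on the router, netmasks on the ASA) and reports entries without an exact reversed counterpart, plus overlaps with a second tunnel's ACL. The ACL names, subnets and function names are constructed for illustration, and contiguous masks are assumed.

```python
import ipaddress

# Constructed sample crypto ACLs (RFC 1918 subnets, hypothetical ACL names).
ROUTER_ACL = """ip access-list extended VPN-TO-ASA
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.3.0.0 0.0.255.255"""
ASA_ACL = """access-list L2L_ACL extended permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list L2L_ACL extended permit ip 10.3.3.0 255.255.255.0 10.1.1.0 255.255.255.0"""
OTHER_TUNNEL_ACL = "permit ip 10.1.0.0 0.0.255.255 10.3.3.0 0.0.0.255"

def _endpoint(tok, wildcard):
    """Consume one address spec from the token list: 'any', 'host A' or 'A MASK'."""
    first = tok.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    mask = int(ipaddress.IPv4Address(tok.pop(0)))
    if wildcard:                       # IOS ACLs carry inverted (wildcard) masks
        mask ^= 0xFFFFFFFF
    return ipaddress.ip_network(f"{first}/{bin(mask).count('1')}", strict=False)

def parse_acl(text, wildcard):
    """Return [(src_net, dst_net)] for every 'permit ip' line; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        tok = tok[tok.index("permit") + 2:]    # drop everything up to 'permit ip'
        pairs.append((_endpoint(tok, wildcard), _endpoint(tok, wildcard)))
    return pairs

def mirror_mismatches(router, asa):
    """Router entries with no exact reversed ASA entry, and the reverse case."""
    r, a = set(router), {(dst, src) for src, dst in asa}
    return sorted(r - a, key=str), sorted(a - r, key=str)

def overlaps(tunnel_a, tunnel_b):
    """Entry pairs from two crypto ACLs on one device whose src and dst both intersect."""
    return [(x, y) for x in tunnel_a for y in tunnel_b
            if x[0].overlaps(y[0]) and x[1].overlaps(y[1])]

if __name__ == "__main__":
    router = parse_acl(ROUTER_ACL, wildcard=True)
    only_router, only_asa = mirror_mismatches(router, parse_acl(ASA_ACL, wildcard=False))
    print("router entries not mirrored on ASA:", only_router)
    print("ASA entries (reversed) not on router:", only_asa)
    print("overlap with other tunnel:", overlaps(router, parse_acl(OTHER_TUNNEL_ACL, True)))
```

In the sample, the router proposes 10.3.0.0/16 while the ASA expects 10.3.3.0/24, so that entry is reported on both sides even though the ranges intersect.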