
sh cry ip sa output - why stale IPs?

All,

We have oodles of stale IPs shown when we run a "sh cry ip sa" on our ASR1006. Can someone tell me how long it takes for the system to flush these? See examples below.

A GOOD sh cry ip sa on the ASR will show an active peer with encrypts and decrypts, see below:

protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.21.204/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (2.0.13.80/255.255.255.255/47/0)

   current_peer 76.10.121.240 port 500

     PERMIT, flags={}

    #pkts encaps: 56213, #pkts encrypt: 56213, #pkts digest: 56213

    #pkts decaps: 83957, #pkts decrypt: 83957, #pkts verify: 83957

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 76.10.121.240

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0xFE81651D(4269892893)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x4AA2232C(1252139820)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 8446, flow_id: :6446, sibling_flags 80000040, crypto map: TAC

        sa timing: remaining key lifetime (k/sec): (4583589/1996)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0xFE81651D(4269892893)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 8447, flow_id: :6447, sibling_flags 80000040, crypto map: TAC

        sa timing: remaining key lifetime (k/sec): (4583657/1996)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

But a bunch of stale IPs are also seen (see below) when running the same command, and they are no longer valid IPs for a spoke (the spoke might have been up on dial backup, or the IP has changed (DHCP or PPPoE)). Is this indicative of a site bouncing up and down because of broadband?

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (192.168.21.204/255.255.255.255/47/0)

   remote ident (addr/mask/prot/port): (2.0.12.81/255.255.255.255/47/0)

   current_peer 68.15.147.214 port 500

     PERMIT, flags={}

    #pkts encaps: 563085, #pkts encrypt: 563085, #pkts digest: 563085

    #pkts decaps: 591845, #pkts decrypt: 591845, #pkts verify: 591845

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.129

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.154

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.16

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 206.80.242.210

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.42

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.64

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.86

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.11

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 66.234.179.95

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x0(0)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

     local crypto endpt.: 162.94.228.170, remote crypto endpt.: 68.15.147.214

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/0

     current outbound spi: 0x4D96247B(1301685371)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0xD0FADB9C(3506101148)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 8526, flow_id: :6526, sibling_flags 80000040, crypto map: TAC

        sa timing: remaining key lifetime (k/sec): (4558981/2043)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x4D96247B(1301685371)

        transform: esp-256-aes esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 8527, flow_id: :6527, sibling_flags 80000040, crypto map: TAC

        sa timing: remaining key lifetime (k/sec): (4559025/2043)

        IV size: 16 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

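An added example, not part of the original post: a small Python parser that splits `sh cry ip sa` output into its `local crypto endpt.` sections and lists the remote endpoints the post calls stale, taken here to mean an outbound SPI of 0x0 with no ACTIVE SA. The sample text is constructed in the layout shown above with documentation-range addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the output above (documentation-range
# addresses; SPI values reused from the post). Not real device output.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/47/0)
   current_peer 203.0.113.20 port 500
     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.7
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 203.0.113.20
     current outbound spi: 0x4D96247B(1301685371)
     inbound esp sas:
      spi: 0xD0FADB9C(3506101148)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x4D96247B(1301685371)
        Status: ACTIVE
"""

PEER = re.compile(r"current_peer\s+(\S+)")
ENDPT = re.compile(r"local crypto endpt\.:\s*(\S+),\s*remote crypto endpt\.:\s*(\S+)")
SPI = re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)")

def parse_sa_sections(text):
    """Return one dict per 'local crypto endpt.' section of the output."""
    sections, peer, cur = [], None, None
    for line in text.splitlines():
        if m := PEER.search(line):
            peer, cur = m.group(1), None      # a new ident block starts
        elif m := ENDPT.search(line):
            cur = {"peer": peer, "remote": m.group(2), "spi": None, "active": 0}
            sections.append(cur)
        elif cur is not None:
            if m := SPI.search(line):
                cur["spi"] = int(m.group(1), 16)
            elif "Status: ACTIVE" in line:
                cur["active"] += 1            # one per inbound/outbound SA
    return sections

def stale_endpoints(text):
    """Remote endpoints whose section has outbound SPI 0x0 and no ACTIVE SA."""
    return [s["remote"] for s in parse_sa_sections(text)
            if s["spi"] == 0 and s["active"] == 0]

if __name__ == "__main__":
    print(stale_endpoints(SAMPLE))
```
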