Site to Site VPN SA's question

Hi everyone,

I configured a basic site to site VPN with two IOS routers, one 2620 and one 860.

When I type show crypto isakmp sa on the spoke router (y.y.y.y) I see one SA with destination x.x.x.x and source y.y.y.y, which is OK. The spoke router always shows one SA only.

When I type show crypto isakmp sa in the hub router (x.x.x.x) I see two SAs:

One has destination y.y.y.y and source x.x.x.x which is what I would expect.

However, there is also a second SA with destination x.x.x.x and source y.y.y.y (the opposite of the first one), as if the hub router is making a second SA into itself??

Is this normal, or is it some kind of configuration error?

Thanks,

Rick

5 REPLIES
Site to Site VPN SA's question

What is the show crypto ipsec showing? Can you see regular networks as a source and destination for the static tunnel and maybe an SA showing 0.0.0.0 0.0.0.0 that could tell us a dynamic connection.......

Site to Site VPN SA's question

Hi Andres,

Today I ran the show crypto ipsec sa and show crypto isakmp sa commands again in the hub router. They both show just one connection now. Output of show crypto ipsec sa is the following:

interface: Vlan1
    Crypto map tag: clientmap, local addr. x.x.x.x

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   current_peer: y.y.y.y
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 163147, #pkts encrypt: 163147, #pkts digest 163147
    #pkts decaps: 78911, #pkts decrypt: 78911, #pkts verify 78911
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 19, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: y.y.y.y
     path mtu 1500, media mtu 1500
     current outbound spi: 28375024

     inbound esp sas:
      spi: 0x609D605(101307909)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 420, flow_id: 1, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4607997/86303)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x28375024(674713636)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 421, flow_id: 2, crypto map: clientmap
        sa timing: remaining key lifetime (k/sec): (4607997/86300)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

I don't know if this is an intermittent problem. I will check regularly and let you know.

Thanks,

Rick

Re: Site to Site VPN SA's question

Hello, maybe the SA got stuck, have you tried clearing it? Looks like a cosmetic situation, btw what is the software version that you are running?

Re: Site to Site VPN SA's question

Yes probably the SAs got stuck somehow. I tried clearing the SAs but they were still there. I rebooted the hub router and for the first few minutes only 1 SA showed up. After a while the second strange SA showed up again.

Today the strange SA is gone and hasn't shown up.

What I am seeing regularly is that after disconnecting the VPN, the 2620 keeps showing an active SA for a long while. This is not the case with the 861W, which immediately deletes and recognizes any expired SA.

In the hub 2620 I am running 12.2(8)T. In the spoke 861W I am running 15.0(1)M7.

Thanks,

Rick

Re: Site to Site VPN SA's question

Hi Andres,

I think I solved the problem.

Today I ran the show crypto isakmp sa on the hub and got two SAs again as follows:

dst             src             state           conn-id    slot
x.x.x.x         y.y.y.y         QM_IDLE             145       0
y.y.y.y         x.x.x.x         QM_IDLE             144       0

x.x.x.x is the hub and y.y.y.y is the spoke

However in the spoke the same command showed only one SA:

dst             src             state          conn-id     status
x.x.x.x         y.y.y.y         QM_IDLE           2143 ACTIVE

Show crypto ipsec sa on both hub and spoke showed only one SA.

I noticed that I was only able to ping the spoke's lan from the hub sporadically, that is when the spoke initiated a vpn to the hub. After that SA was deleted, the hub would not initiate a VPN to the spoke.

The phantom SA was still up, but no traffic was going through.

After disabling the firewall access list in the hub, the second "phantom" SA was immediately deleted and traffic flowed normally. I added a hole to the firewall access list permitting all traffic from y.y.y.y and now everything seems to be working fine.

There is no more phantom SA showing in the hub, and every time the SA is brought down by the spoke, the hub recognizes it immediately.

In the hub's firewall I was allowing isakmp and esp from any source. I didn't know I had to allow the public address of the spoke as well, as it seems some notifications or control strings are sent via the public network.

Thanks a lot for your input.

Rick
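One way to spot the asymmetry Rick describes, as an added example that is not from the thread or from Cisco: a small Python script that parses `show crypto isakmp sa` output captured from both peers and lists the entries one side holds without a counterpart on the other. The sample outputs and the x.x.x.x / y.y.y.y placeholders are constructed from the tables above; the assumption is that an ISAKMP SA shown by only one peer is the stale one, which matches what the thread observed.

```python
# Added example: flag ISAKMP SA entries the hub holds that its peer does not.
# Sample outputs are constructed from the thread's tables; x.x.x.x and y.y.y.y
# are placeholders for the hub and spoke public addresses.
HUB_OUTPUT = """\
dst             src             state           conn-id    slot
x.x.x.x         y.y.y.y         QM_IDLE             145       0
y.y.y.y         x.x.x.x         QM_IDLE             144       0
"""
SPOKE_OUTPUT = """\
dst             src             state          conn-id     status
x.x.x.x         y.y.y.y         QM_IDLE           2143 ACTIVE
"""
# IKEv1 state prefixes IOS prints in the third column (main, quick, aggressive mode)
STATE_PREFIXES = ("MM_", "QM_", "AG_")

def parse_isakmp_sa(text):
    """Return (dst, src, state) tuples from 'show crypto isakmp sa' output.
    Header, blank and banner lines are skipped, and trailing columns ignored,
    since the column set differs between the IOS releases quoted in the thread."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or not fields[2].startswith(STATE_PREFIXES):
            continue
        sas.append((fields[0], fields[1], fields[2]))
    return sas

def find_phantom_sas(local_sas, peer_sas):
    """An ISAKMP SA is shared by both peers, so each (dst, src) entry on one side
    should have a matching entry on the other. Local entries with no match are
    the stale 'phantom' SAs the thread describes."""
    unmatched = list(peer_sas)
    phantoms = []
    for dst, src, state in local_sas:
        match = next((p for p in unmatched if p[:2] == (dst, src)), None)
        if match is None:
            phantoms.append((dst, src, state))
        else:
            unmatched.remove(match)  # consume the matching live SA once
    return phantoms

if __name__ == "__main__":
    hub = parse_isakmp_sa(HUB_OUTPUT)
    spoke = parse_isakmp_sa(SPOKE_OUTPUT)
    for dst, src, state in find_phantom_sas(hub, spoke):
        print(f"phantom SA on hub: dst={dst} src={src} state={state}")
```

Run against the thread's outputs, the only unmatched entry is the hub-initiated SA (dst=y.y.y.y, src=x.x.x.x), the one the spoke never reported.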
