Two SA's showing for single gre over ipsec tunnel

I have a GRE over IPSec tunnel between two locations.  Here is the following output I have a question about:

router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
a.a.a.a    b.b.b.b     QM_IDLE           1001 ACTIVE
b.b.b.b   a.a.a.a      QM_IDLE           1002 ACTIVE

router1#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: b.b.b.b port 500
  IKEv1 SA: local a.a.a.a/500 remote b.b.b.b/500 Active
  IKEv1 SA: local a.a.a.a/500 remote b.b.b.b/500 Active
  IPSEC FLOW: permit 47 host a.a.a.a host b.b.b.b

  Active SAs: 6, origin: crypto map

On another IPsec site-to-site VPN, I am showing one conn-id.  Why are there two here?  Also, why are there 6 SAs?

Thanks for helping me understand this.

1 REPLY
John

We do not have enough information here to be able to accurately diagnose the problem. Your description suggests that perhaps your router opens a session to the peer and the peer opens its own session to you rather than sending back over your session. Can you confirm that the configurations of both peers are mirror images of each other as far as the crypto is concerned? Perhaps you can post the configuration of this router as a starting point for us to try to find the problem?

HTH

Rick
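
An added example, not part of the original thread or of Rick's reply: a Python check that reads "show crypto isakmp sa" output and reports peer pairs holding more than one established Phase 1 SA, noting whether the rows appear in both dst/src orientations as in the output posted above. The sample text, its documentation-range addresses and the function name are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the "sh crypto isakmp sa" output above.
# Addresses are documentation-range placeholders, not values from the post.
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.2    QM_IDLE           1001 ACTIVE
198.51.100.2    192.0.2.1       QM_IDLE           1002 ACTIVE
203.0.113.9     192.0.2.1       QM_IDLE           1003 ACTIVE
203.0.113.7     192.0.2.1       MM_KEY_EXCH       1004 ACTIVE
"""

# dst, src, state (upper case, so the lower-case header row never matches),
# numeric conn-id, then whatever remains on the line as the status.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(.+)$")


def duplicate_phase1(text):
    """Return {(peer_a, peer_b): info} for pairs with 2+ established IKE SAs."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # banner, header or blank line
        dst, src, state, conn_id, status = m.groups()
        # Count only negotiated SAs; rows still mid-exchange are ignored.
        if state != "QM_IDLE" or status != "ACTIVE":
            continue
        by_pair[frozenset((dst, src))].append((int(conn_id), dst, src))

    report = {}
    for pair, sas in by_pair.items():
        if len(sas) < 2:
            continue
        orientations = {(dst, src) for _, dst, src in sas}
        report[tuple(sorted(pair))] = {
            "conn_ids": sorted(c for c, _, _ in sas),
            # True when the same two peers appear as dst/src and as src/dst.
            "both_directions": len(orientations) > 1,
        }
    return report


if __name__ == "__main__":
    for peers, info in duplicate_phase1(SAMPLE).items():
        print(peers, info)
```

Running the same check against the output of both routers shows whether each side lists the same pair of conn-ids, which is a useful fact to post alongside the crypto configuration.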
