show_crypto_ipsec peer output

mahesh18 — Tue, 12 Mar 2019 07:21:58 GMT

Hi Everyone,

I have setup L2L tunnel to vendor site and it is working fine as per below output

show crypto ipsec sa peer 173.183.x.x
peer address: 173.183.x.x
    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.x.x*****************************************1

      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (Vendor_ipsec/255.255.255.0/0/0)
      current_peer: 173.183.x.x

      #pkts encaps: 1561, #pkts encrypt: 1561, #pkts digest: 1561
      #pkts decaps: 628, #pkts decrypt: 628, #pkts verify: 628
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1561, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.42.x.x/0, remote crypto endpt.: 173.183.x.x/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
<--- More --->

      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 08D17732
      current inbound spi : 963794A9

    inbound esp sas:
      spi: 0x963794A9 (2520224937)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373981/17700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x08D17732 (147945266)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
<--- More --->

         sa timing: remaining key lifetime (kB/sec): (4373987/17700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.x.x******************************************2

      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (141.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (Vendor_ipsec/255.255.255.0/0/0)
      current_peer: 173.183.x.x

      #pkts encaps: 2116, #pkts encrypt: 2116, #pkts digest: 2116
      #pkts decaps: 2116, #pkts decrypt: 2116, #pkts verify: 2116
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2116, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
<--- More --->

      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.42.x.x/0, remote crypto endpt.: 173.183.x.x/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0F2B44D5
      current inbound spi : C6D4F3FA

    inbound esp sas:
      spi: 0xC6D4F3FA (3335844858)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373940/16999)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
<--- More --->

          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0F2B44D5 (254493909)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373940/16998)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
-vpn-asa#I

Seems it is passing traffic only thing i need to understand is why i have output from lines 1 and 2 repeated showing differnt local ident address?

Does it mean that tunnel is established with remote peer with two local subnets that is 10..x.x.x and 141.16.x.x?

Regards

Mahesh

Does it mean that tunnel is

Marius Gunnerud — Sat, 20 Feb 2016 20:58:13 GMT

Does it mean that tunnel is established with remote peer with two local subnets that is 10..x.x.x and 141.16.x.x?

That is correct, you can check this by viewing the crypto ACL configuration defined Outside_map0 sequence 13. You should see entries for both subnets there.

Please remember to select a correct answer and rate helpful posts.

Many thanks Marius.

mahesh18 — Sun, 21 Feb 2016 01:47:02 GMT

i check the acl it shows source as any does it mean that any local lan subnet can form the tunnel with same remote IP address?

i check the acl it shows

Marius Gunnerud — Sun, 21 Feb 2016 20:35:38 GMT

i check the acl it shows source as any does it mean that any local lan subnet can form the tunnel with same remote IP address?

Yes. Any local subnet can potentially form the tunnel. Do you know what the crypto ACL at the remote site is configured to be?

Please remember to select a correct answer and rate helpful posts

I do not know exactly at

mahesh18 — Sun, 21 Feb 2016 20:40:04 GMT

I do not know exactly at other site.

But I am getting better understanding by your answers.

Regards

MAhesh

Good stuff! let me know if

Marius Gunnerud — Sun, 21 Feb 2016 20:43:10 GMT