topic 2 IPSEC Flows same network?!? in Network Security

2 IPSEC Flows same network?!?

Flexxx35802 — Fri, 21 Feb 2020 11:17:55 GMT

Ok I can only think that my peer is using some sort of load balancing or something. But basically if you notice the info below for some reason there are 2 IPSEC flow's for each network. The data session dies when 1 of the IPsec flows timer expires until the other IPsec flow timer expires. After renegotiation Im good for about 57 minutes until the process repeats itself. Any suggestions is greatly appreciated. This is on a 7206 btw.

Peer: P.P.P.P/500 fvrf: (none) ivrf: (none)

Phase1_id: P.P.P.P

Desc: (none)

IKE SA: local ME.ME.ME.ME/500 remote P.P.P.P/500 Active

Capabilities:(none) connid:35 lifetime:19:08:44

IKE SA: local ME.ME.ME.ME/500 remote P.P.P.P/500 Active

Capabilities:(none) connid:36 lifetime:19:08:44

IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 7149 drop 0 life (KB/Sec) 4511491/3284

Outbound: #pkts enc'ed 8415 drop 1 life (KB/Sec) 4512254/3284

IPSEC FLOW: permit ip 10.6.0.0/255.255.0.0 host 10.10.0.97

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 222 life (KB/Sec) 4534552/3104

Outbound: #pkts enc'ed 222 drop 0 life (KB/Sec) 4534662/3104

IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 1253 drop 0 life (KB/Sec) 4390063/3254

Outbound: #pkts enc'ed 1023 drop 2 life (KB/Sec) 4390036/3254

IPSEC FLOW: permit ip host 10.2.2.65 host 10.10.0.97

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 0 drop 143 life (KB/Sec) 4428727/3103

Outbound: #pkts enc'ed 143 drop 0 life (KB/Sec) 4428744/3103

Re: 2 IPSEC Flows same network?!?

Flexxx35802 — Tue, 17 Feb 2009 18:45:14 GMT

Here is the config too.

sh run

Building configuration...

Current configuration : 3729 bytes

! Last configuration change at 15:45:05 CST Thu Feb 12 2009

! NVRAM config last updated at 11:31:25 CST Thu Feb 12 2009

version 12.3

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

hostname cisco

boot-start-marker

boot system flash disk0:c7200-ik9s-mz.123-4.T7.bin

boot-end-marker

enable secret 5

enable password

clock timezone CST -6

syscon address 10.7.0.1

syscon shelf-id 0

no aaa new-model

ip subnet-zero

ip cef

ip ssh break-string

crypto isakmp policy 5

encr 3des

hash md5

authentication pre-share

group 5

crypto isakmp policy 6

encr 3des

authentication pre-share

group 2

lifetime 28800

crypto isakmp key secret address P.P.P.P

crypto isakmp key secret2 address P2.P2.P2.P2

crypto ipsec transform-set ts_peer esp-3des esp-md5-hmac

crypto ipsec transform-set peer2 esp-3des esp-sha-hmac

crypto map nolan local-address Serial1/0

crypto map nolan 10 ipsec-isakmp

set peer P.P.P.P

set transform-set ts_peer

set pfs group2

match address 101

crypto map nolan 15 ipsec-isakmp

set peer P.P.P.P

set transform-set ts_peer

set pfs group2

match address 102

crypto map nolan 20 ipsec-isakmp

set peer P2.P2.P2.P2

set transform-set peer2

match address 111

interface FastEthernet0/0

ip address 10.7.0.1 255.255.255.0

ip nat inside

no ip mroute-cache

duplex full

no cdp enable

interface Serial1/0

ip address ME.ME.ME.ME 255.255.255.252

ip nat outside

no ip route-cache

dsu bandwidth 44210

framing c-bit

cablelength 10

serial restart-delay 0

crypto map nolan

interface FastEthernet2/0

ip address 10.2.2.66 255.255.255.224

ip nat inside

no ip route-cache

no ip mroute-cache

duplex full

no cdp enable

ip nat inside source route-map nonat interface Serial1/0 overload

ip nat inside source static 10.2.2.70 X.X.X.X extendable

ip nat inside source static 10.7.0.2 X.X.X.X extendable

ip classless

ip route profile

ip route 0.0.0.0 0.0.0.0 Serial1/0

ip route 10.6.0.0 255.255.0.0 10.2.2.65

ip route 10.8.0.0 255.255.0.0 10.2.2.65

ip http server

no ip http secure-server

logging trap debugging

logging facility local5

logging X.X.X.X

access-list 5 permit X.X.X.X

access-list 100 deny ip host 10.2.2.65 host 10.10.0.97

access-list 100 deny ip 10.6.0.0 0.0.255.255 host 10.10.0.97

access-list 100 deny ip 10.8.0.0 0.0.255.255 host P2.P2.P2.P2

access-list 100 deny ip host 10.2.2.65 host P2.P2.P2.P2

access-list 100 permit ip 10.0.0.0 0.255.255.255 any

access-list 101 permit ip host 10.2.2.65 host 10.10.0.97

access-list 102 permit ip 10.6.0.0 0.0.255.255 host 10.10.0.97

access-list 111 permit ip host 10.2.2.65 host P2.P2.P2.P2

access-list 111 permit ip 10.8.0.0 0.0.255.255 host P2.P2.P2.P2

access-list 111 permit ip host 10.2.2.65 host P2.P2.P2.P2

route-map nonat permit 10

match ip address 100

control-plane

gatekeeper

shutdown

line con 0

transport preferred all

transport output all

stopbits 1

line aux 0

transport preferred all

transport output all

stopbits 1

line vty 0 4

password

transport preferred all

transport input all

transport output all

line vty 5 15

password

transport preferred all

transport input all

transport output all

ntp clock-period 17180052

ntp update-calendar

ntp server X.X.X.X

end

Cisco#

Re: 2 IPSEC Flows same network?!?

auraza — Fri, 27 Feb 2009 18:36:18 GMT

Why do you have two separate crypto map entries for the same peer? Why not just aggregate them into one ACL, and remove sequence 15.