show_crypto_ipsec peer output

mahesh18
Level 6

Hi Everyone,

I have set up an L2L tunnel to a vendor site and it is working fine, as per the output below:


show crypto ipsec sa peer 173.183.x.x
peer address: 173.183.x.x
    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.x.x*****************************************1

      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (Vendor_ipsec/255.255.255.0/0/0)
      current_peer: 173.183.x.x


      #pkts encaps: 1561, #pkts encrypt: 1561, #pkts digest: 1561
      #pkts decaps: 628, #pkts decrypt: 628, #pkts verify: 628
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1561, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.42.x.x/0, remote crypto endpt.: 173.183.x.x/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 08D17732
      current inbound spi : 963794A9

    inbound esp sas:
      spi: 0x963794A9 (2520224937)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373981/17700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x08D17732 (147945266)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373987/17700)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.x.x******************************************2

      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (141.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (Vendor_ipsec/255.255.255.0/0/0)
      current_peer: 173.183.x.x


      #pkts encaps: 2116, #pkts encrypt: 2116, #pkts digest: 2116
      #pkts decaps: 2116, #pkts decrypt: 2116, #pkts verify: 2116
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 2116, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 192.42.x.x/0, remote crypto endpt.: 173.183.x.x/0
      path mtu 1500, ipsec overhead 58(36), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 0F2B44D5
      current inbound spi : C6D4F3FA

    inbound esp sas:
      spi: 0xC6D4F3FA (3335844858)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373940/16999)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x0F2B44D5 (254493909)
         transform: esp-3des esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 3969024, crypto-map: Outside_map0
         sa timing: remaining key lifetime (kB/sec): (4373940/16998)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
-vpn-asa#I

It seems to be passing traffic. The only thing I need to understand is why the output from sections 1 and 2 is repeated, showing a different local ident address.

Does it mean that the tunnel is established with the remote peer for two local subnets, that is 10.x.x.x and 141.16.x.x?

Regards

Mahesh


5 Replies

Does it mean that the tunnel is established with the remote peer for two local subnets, that is 10.x.x.x and 141.16.x.x?

That is correct. You can check this by viewing the crypto ACL configuration defined under Outside_map0 sequence 13. You should see entries for both subnets there.

--
Please remember to select a correct answer and rate helpful posts.

I checked the ACL; it shows the source as any. Does it mean that any local LAN subnet can form the tunnel with the same remote IP address?

Yes. Any local subnet can potentially form the tunnel. Do you know what the crypto ACL at the remote site is configured to be?

--
Please remember to select a correct answer and rate helpful posts.
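As an added example (not code from the thread or from Cisco), a small Python parser that splits this kind of `show crypto ipsec sa peer` output into its crypto map blocks and audits it for the points raised in the two answers above: a crypto ACL whose source is `any` (so every local subnet ends up negotiating its own proxy ID with the peer), more than one local proxy ID under a single crypto map entry, and the legacy esp-3des transform. The sample input is constructed to mirror the poster's output with anonymised addresses and a second block that only sends, so that the one-way check is exercised.

```python
import re
# Constructed sample modelled on the ASA output in this thread (addresses anonymised); not the poster's own output.
SAMPLE = """\
    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.0.1
      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
      #pkts encaps: 1561, #pkts encrypt: 1561, #pkts digest: 1561
      #pkts decaps: 628, #pkts decrypt: 628, #pkts verify: 628
         transform: esp-3des esp-sha-hmac no compression
    Crypto map tag: Outside_map0, seq num: 13, local addr: 192.42.0.1
      access-list Outside_cryptomap_14 extended permit ip any 192.168.88.0 255.255.255.0
      local ident (addr/mask/prot/port): (141.16.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.88.0/255.255.255.0/0/0)
      #pkts encaps: 2116, #pkts encrypt: 2116, #pkts digest: 2116
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
         transform: esp-3des esp-sha-hmac no compression
"""

def parse_sa(text):  # one dict per "Crypto map tag" block (proxy IDs, counters, transform)
    entries, cur = [], {}  # lines before the first block land in a throwaway dict
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Crypto map tag:"):
            cur = {"seq": re.search(r"seq num: (\d+)", s).group(1)}
            entries.append(cur)
        elif s.startswith("access-list"):
            cur["acl"] = s
        elif m := re.match(r"(local|remote) ident .*?: \((.+)\)", s):
            cur[m.group(1)] = m.group(2)
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            cur[m.group(1)] = int(m.group(2))
        elif s.startswith("transform:"):
            cur.setdefault("transform", s.split(":", 1)[1].strip())  # first (inbound) SA wins
    return entries

def audit(entries):  # (seq, finding) pairs a defender would act on, in order, without duplicates
    findings, by_seq = [], {}
    for e in entries:
        by_seq.setdefault(e["seq"], set()).add(e["local"])
        if " permit ip any " in e.get("acl", ""):
            findings.append((e["seq"], "crypto ACL source is 'any': every local subnet can be proxied into this tunnel; scope it to the subnets that need it"))
        if e.get("transform", "").startswith("esp-3des"):
            findings.append((e["seq"], "legacy esp-3des transform: move to AES"))
        if e.get("encaps", 0) and not e.get("decaps", 0):
            findings.append((e["seq"], "one-way: packets encapsulated but none decapsulated"))
    for seq, locs in by_seq.items():
        if len(locs) > 1:
            findings.append((seq, f"{len(locs)} local proxy IDs under one crypto map entry: {sorted(locs)}"))
    return list(dict.fromkeys(findings))
```

Run it against a full pasted `show crypto ipsec sa` capture and the proxy-ID finding lists exactly which local subnets have negotiated SAs, which is the list to compare against what the crypto ACL was meant to permit.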

I do not know exactly at the other site.

But I am getting better understanding by your answers.

Regards

Mahesh

Good stuff! Let me know if you need more help.

--
Please remember to select a correct answer and rate helpful posts