Hello,
I got an alarm reported by the customer, so it looks as if the phase 2 VPN (IPsec) has some issue; however, when I validate the status of the IPsec it is active.
Alarm:
Last internal    Node alias    Summary
7/19/20, 1:47 PM (ASA_COL) IPsec Phase-2 Tunnel Inactive ( cipSecTunnelEntry.2470 )
7/20/20, 12:44 PM (ASA_COL) IPsec Phase-2 Tunnel Inactive ( cipSecTunnelEntry.2481 )
I have 2 questions:
1) What does this "cipSecTunnelEntry.2470" mean, and why does this number change? -> 2481
I found this:
Name Sub children Sub Nodes Total Description
2) Could this number (2470) be associated with this (Previous tunnels: 2703) in the output below:
ASAISP01VEN/unit-1-1/master# show crypto ipsec ?
df-bit Show IPsec DF policy
fragmentation Show IPsec fragmentation policy
policy Show IPSec SS-API security policies
sa Show IPsec SAs
stats Show IPsec global statistics
ASAISP01VEN/unit-1-1/master# show crypto ipsec stat
ASAISP01VEN/unit-1-1/master# show crypto ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 2703
Inbound
Bytes: 3325152142
Decompressed bytes: 3325152142
Packets: 8463005
Dropped packets: 0
Replay failures: 0
Authentications: 8463005
Authentication failures: 0
Decryptions: 8463005
Decryption failures: 0
TFC Packets: 0
Decapsulated fragments needing reassembly: 0
Valid ICMP Errors rcvd: 0
Invalid ICMP Errors rcvd: 0
Outbound
Bytes: 12299683354
Uncompressed bytes: 12299683354
Packets: 200500390
Dropped packets: 28747
Authentications: 200500390
Authentication failures: 0
Encryptions: 200505036
Encryption failures: 0
TFC Packets: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 6
Protocol failures: 0
Missing SA failures: 28747
System capacity failures: 0
Inbound SA delete requests: 10052
Outbound SA delete requests: 0
Inbound SA destroy calls: 7533
Outbound SA destroy calls: 5053
----------------------------------------------------------------------------------
Additionally, this is the crypto ipsec sa status:
ASAISP01VEN/unit-1-1/master# show crypto ipsec sa
interface: V
Crypto map tag: AAAAAA, seq num: 5, local addr: X.X.X.X
............
current_peer: X.X.X.X
#pkts encaps: 617353, #pkts encrypt: 617353, #pkts digest: 617353
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 617353, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 190.130.115.18/500, remote crypto endpt.: 35.196.195.145/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 6FBCCA0D
current inbound spi : EE397350
inbound esp sas:
spi: 0xEE397350 (3996742480)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 222642176, crypto-map: Venecia-Internet
sa timing: remaining key lifetime (kB/sec): (4331520/5117)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x6FBCCA0D (1874643469)
SA State: active
transform: esp-aes esp-sha-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 2, IKEv2, }
slot: 0, conn_id: 222642176, crypto-map: Venecia-Internet
sa timing: remaining key lifetime (kB/sec): (4249250/5117)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
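For reference, cipSecTunnelEntry is a row of the IPsec phase-2 tunnel table in CISCO-IPSEC-FLOW-MONITOR-MIB, indexed by cipSecTunIndex; each tunnel instance gets its own index, so a tunnel that is torn down and rebuilt (for example after a rekey or a DPD failure) shows up under a new number. The script below is an added example, not part of the original post and not Cisco's code: it parses trimmed excerpts of the two outputs posted above ("show crypto ipsec stats" and "show crypto ipsec sa") and derives the checks a monitor would raise from them, such as outbound drops that match "Missing SA failures" exactly and an SA that encapsulates packets but has never decapsulated any. The excerpts are taken from the post; the rekey threshold (min_sec_left) and the wording of the findings are assumptions.

```python
import re

# Trimmed excerpt of the "show crypto ipsec stats" output posted above.
STATS = """\
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 2703
Inbound
Bytes: 3325152142
Packets: 8463005
Dropped packets: 0
Replay failures: 0
Authentication failures: 0
Decryption failures: 0
Outbound
Bytes: 12299683354
Packets: 200500390
Dropped packets: 28747
Authentication failures: 0
Encryption failures: 0
Missing SA failures: 28747
"""

# Trimmed excerpt of the "show crypto ipsec sa" output posted above.
SA = """\
Crypto map tag: AAAAAA, seq num: 5, local addr: X.X.X.X
#pkts encaps: 617353, #pkts encrypt: 617353, #pkts digest: 617353
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 6FBCCA0D
current inbound spi : EE397350
inbound esp sas:
spi: 0xEE397350 (3996742480)
SA State: active
transform: esp-aes esp-sha-hmac no compression
sa timing: remaining key lifetime (kB/sec): (4331520/5117)
outbound esp sas:
spi: 0x6FBCCA0D (1874643469)
SA State: active
transform: esp-aes esp-sha-hmac no compression
sa timing: remaining key lifetime (kB/sec): (4249250/5117)
"""


def parse_stats(text):
    """Return {'Active tunnels': 1, 'Outbound/Dropped packets': 28747, ...}.
    A line without a colon ('Inbound', 'Outbound') starts a section and its
    counters are prefixed with the section name, since both share key names."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"} or line.startswith("IPsec Global"):
            continue
        if ":" not in line:
            section = line
            continue
        key, val = line.split(":", 1)
        key = f"{section}/{key.strip()}" if section else key.strip()
        out[key] = int(val)
    return out


def parse_sa(text):
    """Return packet counters, the SPIs the crypto map currently points at,
    and one record per ESP SA (direction, SPI, state, remaining lifetime)."""
    info = {"encaps": None, "decaps": None, "current": {}, "sas": []}
    direction, cur = None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"#pkts encaps: (\d+)", line):
            info["encaps"] = int(m.group(1))
        if m := re.match(r"#pkts decaps: (\d+)", line):
            info["decaps"] = int(m.group(1))
        if m := re.match(r"current (inbound|outbound) spi\s*:\s*([0-9A-Fa-f]+)", line):
            info["current"][m.group(1)] = m.group(2).upper()
        if m := re.match(r"(inbound|outbound) esp sas:", line):
            direction = m.group(1)
        if m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line):
            cur = {"dir": direction, "spi": m.group(1).upper(), "state": None,
                   "kb_left": None, "sec_left": None}
            info["sas"].append(cur)
        if (m := re.match(r"SA State: (\w+)", line)) and cur:
            cur["state"] = m.group(1)
        if "key lifetime" in line and cur and (m := re.search(r"\((\d+)/(\d+)\)", line)):
            cur["kb_left"], cur["sec_left"] = int(m.group(1)), int(m.group(2))
    return info


def check(stats, sa, min_sec_left=300):
    """Findings a monitor would raise from the two outputs.
    min_sec_left is an assumed threshold, not a value from the post."""
    findings = []
    if stats.get("Active tunnels", 0) == 0:
        findings.append("no active phase-2 tunnel")
    drops = stats.get("Outbound/Dropped packets", 0)
    missing = stats.get("Outbound/Missing SA failures", 0)
    if drops and drops == missing:
        findings.append(f"all {drops} outbound drops are 'Missing SA failures': "
                        "packets hit the crypto map while no phase-2 SA existed")
    if sa["encaps"] and sa["decaps"] == 0:
        findings.append("one-way traffic: packets are encapsulated on this SA "
                        "but none have ever been decapsulated")
    for s in sa["sas"]:
        if s["state"] != "active":
            findings.append(f"{s['dir']} SA {s['spi']} is in state {s['state']}")
        if s["spi"] != sa["current"].get(s["dir"]):
            findings.append(f"{s['dir']} SA {s['spi']} is not the current {s['dir']} SPI")
        if s["sec_left"] is not None and s["sec_left"] < min_sec_left:
            findings.append(f"{s['dir']} SA {s['spi']} rekeys in {s['sec_left']}s")
    return findings


if __name__ == "__main__":
    for f in check(parse_stats(STATS), parse_sa(SA)):
        print("finding:", f)
```

Run against the posted outputs it reports two findings: the 28747 outbound drops are exactly the "Missing SA failures" counter, and the SA shown has 617353 encapsulated packets but zero decapsulated, which is worth correlating with the times of the two alarms before concluding that the tunnel is healthy.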