06-29-2016 11:06 AM - edited 03-10-2019 12:40 AM
Hi,
We have a VPN IPSec Site to Site configured between a Cisco ASR 1001 and a Cisco 881; both routers have 2 WAN L3 IP connections to different ISPs. We have a situation where the IPSec peers have 2 IKE SAs ACTIVE and we don't know why. Do you have any idea?
Also, the branch router has CPU spikes (high CPU consumption), and we suspect that this IPSec behaviour could be related.
r-edge.branch#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
172.22.1.6 172.22.2.38 QM_IDLE 2044 ACTIVE
172.22.2.38 172.22.1.6 QM_IDLE 2043 ACTIVE
IPv6 Crypto ISAKMP SA
r-edge.branch#
r-edge.branch#sh crypto session
Crypto session current status
Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 172.22.1.6 port 500
Session ID: 0
IKEv1 SA: local 172.22.2.38/500 remote 172.22.1.6/500 Active
Session ID: 0
IKEv1 SA: local 172.22.2.38/500 remote 172.22.1.6/500 Active
IPSEC FLOW: permit ip host 10.251.10.198 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.10.4 host 192.168.109.37
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 10.10.14.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.1
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.100.1.7
Active SAs: 4, origin: crypto map
IPSEC FLOW: permit ip host 192.168.15.129 host 192.168.109.1
Active SAs: 0, origin: crypto map
Interface: Vlan2
Session status: DOWN
Peer: 172.25.1.6 port 500
IPSEC FLOW: permit ip host 10.251.10.198 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.10.4 host 192.168.109.37
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 10.10.14.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.100.1.7
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.15.129 host 192.168.109.1
Active SAs: 0, origin: crypto map
r-edge.branch#
r-edge.branch#sh ip route 172.22.1.6
Routing entry for 172.22.1.4/30
Known via "bgp 64531", distance 20, metric 0
Tag 65500, type external
Last update from 172.22.2.37 1d22h ago
Routing Descriptor Blocks:
* 172.22.2.37, from 172.22.2.37, 1d22h ago
Route metric is 0, traffic share count is 1
AS Hops 2
Route tag 65500
MPLS label: none
r-edge.branch#
r-edge.branch#sh ip bgp summary
BGP router identifier 10.14.15.51, local AS number 64531
BGP table version is 109, main routing table version 109
877 network entries using 126288 bytes of memory
1596 path entries using 127680 bytes of memory
306/8 BGP path/bestpath attribute entries using 46512 bytes of memory
106 BGP AS-PATH entries using 4176 bytes of memory
119 BGP community entries using 2856 bytes of memory
4 BGP route-map cache entries using 144 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 307656 total bytes of memory
1475 received paths for inbound soft reconfiguration
BGP activity 1933/1056 prefixes, 21504/19908 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.22.2.37 4 28103 66678 35950 109 0 0 3w1d 50
172.25.2.37 4 65000 52693 30483 109 0 0 2w5d 52
r-edge.branch#
Branch router crypto map configuration:
crypto map cryptomap_ISP1 30 ipsec-isakmp
set peer 172.22.1.6 default
set peer 172.22.1.2
set transform-set 3des_sha
match address ACL-IPSEC
!
crypto map cryptomap_ISP2 30 ipsec-isakmp
set peer 172.25.1.6 default
set peer 172.25.1.2
set transform-set 3des_sha
match address ACL-IPSEC
interface FastEthernet4
description ISP1
bandwidth 4000
ip address 172.22.2.38 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map cryptomap_ISP1
service-policy output SHAPER_ISP1_v1
!
interface Vlan2
description ISP2
bandwidth 4000
ip address 172.25.2.38 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map cryptomap_ISP2
service-policy output WAN_QOS_ISP2
Thanks in advance.
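As an added example (not part of the original post or of IOS), the following script parses the "show crypto isakmp sa" output quoted above and flags any peer pair that holds more than one ACTIVE IKE SA, which is the symptom being asked about here; the sample output is the poster's, re-typed as a constant, and the column layout assumed by the regex is the standard IPv4 section of that command.

```python
import re
from collections import defaultdict

# Constructed sample: the "show crypto isakmp sa" output quoted in the post above.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.22.1.6      172.22.2.38     QM_IDLE           2044 ACTIVE
172.22.2.38     172.22.1.6      QM_IDLE           2043 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# One SA row: dst, src, IKE state, conn-id, status (header rows do not match).
SA_LINE = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>\S+)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per IKEv1 SA row found in the IPv4 section."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sa = m.groupdict()
            sa["conn_id"] = int(sa["conn_id"])
            sas.append(sa)
    return sas


def duplicate_ike_peers(sas, active_only=True):
    """Group SAs by unordered (dst, src) pair; return pairs with more than one
    SA. Two rows with swapped dst/src for the same pair means each side holds
    its own IKE SA to the other, where a healthy peering normally shows one."""
    by_pair = defaultdict(list)
    for sa in sas:
        if active_only and sa["status"] != "ACTIVE":
            continue
        by_pair[tuple(sorted((sa["dst"], sa["src"])))].append(sa["conn_id"])
    return {pair: sorted(ids) for pair, ids in by_pair.items() if len(ids) > 1}


def report(text):
    """Human-readable findings, one line per affected peer pair."""
    return [
        f"peers {a} <-> {b}: {len(ids)} ACTIVE IKE SAs (conn-ids {ids}), expected 1"
        for (a, b), ids in sorted(duplicate_ike_peers(parse_isakmp_sa(text)).items())
    ]


if __name__ == "__main__":
    for finding in report(ISAKMP_SA_OUTPUT):
        print(finding)
```

Run it against the output of the same command collected periodically (or from both peers) to see whether the duplicate pair persists across IKE rekeys rather than being a transient overlap.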
06-29-2016 12:40 PM
This is not really a valid config.
You have one router with two crypto maps pointing to the same destination. How can the router get to the same destinations via two different interfaces? How does the routing allow this?
It can't.
06-29-2016 12:58 PM
Philip,
There is always only one possible path to the destination, so the router always has only one route installed to reach it.
In other words, the branch router has installed all routes to reach the destination through ISP1; if ISP1 goes down, the branch router installs routes through ISP2. The WAN links are used in an ACTIVE/PASSIVE scenario.
The IKE SA and IPSec SA are initiated (become active) only when interesting traffic reaches the crypto map applied on the WAN interfaces (outgoing or incoming traffic).
r-edge.branch#sh ip route 192.168.109.1
Routing entry for 192.168.109.0/29
Known via "bgp 64531", distance 20, metric 0
Tag 65500, type external
Last update from 172.22.2.37 3w1d ago
Routing Descriptor Blocks:
* 172.22.2.37, from 172.22.2.37, 3w1d ago
Route metric is 0, traffic share count is 1
AS Hops 3
Route tag 65500
MPLS label: none
r-edge.branch#
r-edge.branch#sh ip bgp 192.168.109.1
BGP routing table entry for 192.168.109.0/29, version 63
Paths: (4 available, best #3, table default)
Not advertised to any peer
Refresh Epoch 1
65500 65500 65000 65500
172.25.2.37 from 172.25.2.37 (172.30.17.1)
Origin incomplete, localpref 100, weight 32800, valid, external
Community: 65102:2003
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65500 65000 65500, (received-only)
172.25.2.37 from 172.25.2.37 (172.30.17.1)
Origin incomplete, localpref 100, valid, external
Community: 65102:2003
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65500 28103 28103
172.22.2.37 from 172.22.2.37 (10.20.29.36)
Origin incomplete, localpref 100, weight 32800, valid, external, best
Community: 65101:2001
rx pathid: 0, tx pathid: 0x0
Refresh Epoch 1
65500 28103 28103, (received-only)
172.22.2.37 from 172.22.2.37 (10.20.29.36)
Origin incomplete, localpref 100, valid, external
Community: 65101:2001
rx pathid: 0, tx pathid: 0
r-edge.branch#
06-29-2016 01:20 PM
The problem is this will make the router 'fight' to bring up both VPNs, with one guaranteed to fail, hence causing your CPU spikes. You need to use a different design.
A good solution would be to terminate the second ISP VPN onto a different interface on the ASR. Then all VPNs could come up at the same time.
06-29-2016 02:10 PM
That's the actual design. At the head office router there are 2 interfaces, one connected to ISP1 and the other connected to ISP2.
Here is the interface configuration at the Head Office (central):
interface FastEthernet0/1/0
description ISP1
bandwidth 30000
ip address 172.22.1.6 255.255.255.252
ip nat outside
ip flow ingress
ip flow egress
load-interval 30
negotiation auto
crypto map cryptomap_ISP1_HO
service-policy output SHAPER_ISP1_v1
!
interface FastEthernet0/1/1.311
description ISP2
bandwidth 30000
encapsulation dot1Q 311
ip address 172.25.1.6 255.255.255.252
ip nat outside
ip flow ingress
ip flow egress
crypto map cryptomap_ISP2_HO
service-policy output SHAPER_ISP2_v1