Two IKE SA between same peers

aselioscisco
Level 1

Hi,

We have a site-to-site IPsec VPN configured between a Cisco ASR 1001 and a Cisco 881; both routers have two WAN L3 IP connections to different ISPs. We have a situation where the IPsec peers have two IKE SAs ACTIVE at the same time and we don't know why. Do you have any idea?

The branch router also has CPU spikes (high CPU consumption), and we suspect this IPsec behaviour could be related.

  • Cisco ASR 1001: Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-ADVIPSERVICESK9-M), Version 15.2(1)S1, RELEASE SOFTWARE (fc2)
  • Cisco ISR 881: Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.4(2)T1, RELEASE SOFTWARE (fc3)

r-edge.branch#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.22.1.6      172.22.2.38     QM_IDLE           2044 ACTIVE
172.22.2.38     172.22.1.6      QM_IDLE           2043 ACTIVE
IPv6 Crypto ISAKMP SA
r-edge.branch#

r-edge.branch#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 172.22.1.6 port 500
Session ID: 0
IKEv1 SA: local 172.22.2.38/500 remote 172.22.1.6/500 Active
Session ID: 0
IKEv1 SA: local 172.22.2.38/500 remote 172.22.1.6/500 Active
IPSEC FLOW: permit ip host 10.251.10.198 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.10.4 host 192.168.109.37
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 10.10.14.0/255.255.255.0
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.1
Active SAs: 2, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.100.1.7
Active SAs: 4, origin: crypto map
IPSEC FLOW: permit ip host 192.168.15.129 host 192.168.109.1
Active SAs: 0, origin: crypto map

Interface: Vlan2
Session status: DOWN
Peer: 172.25.1.6 port 500
IPSEC FLOW: permit ip host 10.251.10.198 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.10.4 host 192.168.109.37
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 10.10.14.0/255.255.255.0
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.2
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.168.109.1
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 10.252.1.141 host 192.100.1.7
Active SAs: 0, origin: crypto map
IPSEC FLOW: permit ip host 192.168.15.129 host 192.168.109.1
Active SAs: 0, origin: crypto map

r-edge.branch#
r-edge.branch#sh ip route 172.22.1.6
Routing entry for 172.22.1.4/30
  Known via "bgp 64531", distance 20, metric 0
  Tag 65500, type external
  Last update from 172.22.2.37 1d22h ago
  Routing Descriptor Blocks:
  * 172.22.2.37, from 172.22.2.37, 1d22h ago
      Route metric is 0, traffic share count is 1
      AS Hops 2
      Route tag 65500
      MPLS label: none
r-edge.branch#
r-edge.branch#sh ip bgp summary 
BGP router identifier 10.14.15.51, local AS number 64531
BGP table version is 109, main routing table version 109
877 network entries using 126288 bytes of memory
1596 path entries using 127680 bytes of memory
306/8 BGP path/bestpath attribute entries using 46512 bytes of memory
106 BGP AS-PATH entries using 4176 bytes of memory
119 BGP community entries using 2856 bytes of memory
4 BGP route-map cache entries using 144 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 307656 total bytes of memory
1475 received paths for inbound soft reconfiguration
BGP activity 1933/1056 prefixes, 21504/19908 paths, scan interval 60 secs
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
172.22.2.37     4        28103   66678   35950      109    0    0 3w1d           50
172.25.2.37     4        65000   52693   30483      109    0    0 2w5d           52
r-edge.branch#


Branch router crypto map configuration

crypto map cryptomap_ISP1 30 ipsec-isakmp 
set peer 172.22.1.6 default
set peer 172.22.1.2
set transform-set 3des_sha
match address ACL-IPSEC
!
crypto map cryptomap_ISP2 30 ipsec-isakmp
set peer 172.25.1.6 default
set peer 172.25.1.2
set transform-set 3des_sha
match address ACL-IPSEC

interface FastEthernet4
description ISP1
bandwidth 4000
ip address 172.22.2.38 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map cryptomap_ISP1
service-policy output SHAPER_ISP1_v1
!
interface Vlan2
description ISP2
bandwidth 4000
ip address 172.25.2.38 255.255.255.252
ip nat outside
ip virtual-reassembly in
crypto map cryptomap_ISP2
service-policy output WAN_QOS_ISP2

Thanks in advance.
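The `show crypto isakmp sa` output above is the core symptom: two ACTIVE IKEv1 SAs for the same pair of addresses, one listed with dst 172.22.1.6 / src 172.22.2.38 and the other with the columns reversed. The following script is an added example (not part of the original post or of any Cisco tool) that parses that output and flags any peer pair carrying more than one ACTIVE SA. The sample text is copied from the thread; the regex, the helper names, and the reading of the `src` column as the side that sent the first IKE message (initiator) are assumptions of this example.

```python
"""Flag duplicate IKEv1 SAs between the same peer pair in Cisco IOS
'show crypto isakmp sa' output.

Added example; not from the thread or from Cisco. Parsing and the
initiator/responder reading of dst/src are assumptions of this script.
"""
import re
from collections import defaultdict

# Constructed sample: copied from the 'show crypto isakmp sa' output in the post.
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.22.1.6      172.22.2.38     QM_IDLE           2044 ACTIVE
172.22.2.38     172.22.1.6      QM_IDLE           2043 ACTIVE
IPv6 Crypto ISAKMP SA
"""

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Optional numeric column between conn-id and status covers older IOS output
# that prints a 'slot' column; it is absent in the sample above.
SA_LINE = re.compile(
    rf"^(?P<dst>{_IPV4})\s+(?P<src>{_IPV4})\s+(?P<state>\S+)\s+"
    r"(?P<conn_id>\d+)\s+(?:\d+\s+)?(?P<status>\S+)$"
)


def parse_isakmp_sa(text):
    """Return one dict per IPv4 ISAKMP SA row (header/section lines skipped)."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            sas.append(row)
    return sas


def find_duplicate_pairs(sas):
    """Group ACTIVE SAs by unordered (addr, addr) pair; return pairs with >1 SA.

    Two ACTIVE Phase 1 SAs for one pair is the condition the thread asks about:
    normally a single IKEv1 SA protects all IPsec SAs between two peers.
    """
    groups = defaultdict(list)
    for sa in sas:
        if sa["status"] != "ACTIVE":
            continue
        groups[tuple(sorted((sa["dst"], sa["src"])))].append(sa)
    return {pair: rows for pair, rows in groups.items() if len(rows) > 1}


def describe(sa, local_addrs):
    """One-line summary of an SA, naming who initiated it.

    Assumption of this example: 'src' is the address that sent the first IKE
    message (initiator) and 'dst' is the responder, so an SA whose src is one
    of our own WAN addresses was initiated locally.
    """
    if sa["src"] in local_addrs:
        role = "locally initiated"
    elif sa["dst"] in local_addrs:
        role = "initiated by remote peer"
    else:
        role = "initiator unknown"
    return f"conn-id {sa['conn_id']} {sa['state']} ({role})"


def report(text, local_addrs):
    """Return report lines for every peer pair with duplicate ACTIVE SAs."""
    lines = []
    for pair, rows in find_duplicate_pairs(parse_isakmp_sa(text)).items():
        lines.append(f"{pair[0]} <-> {pair[1]}: {len(rows)} ACTIVE IKEv1 SAs")
        for sa in sorted(rows, key=lambda r: r["conn_id"]):
            lines.append("  " + describe(sa, local_addrs))
    return lines


if __name__ == "__main__":
    # Branch router WAN addresses from the posted interface configuration.
    for line in report(SAMPLE_ISAKMP_SA, {"172.22.2.38", "172.25.2.38"}):
        print(line)
```

Run against the posted output it reports one pair, 172.22.1.6 <-> 172.22.2.38, with conn-id 2043 initiated by the remote peer and conn-id 2044 initiated locally, which is the usual signature of both sides starting Phase 1 at about the same time. A pair that keeps reappearing in this report across repeated `show crypto isakmp sa` snapshots is what to correlate with the CPU spikes.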

4 Replies

Philip D'Ath
VIP Alumni

This is not really a valid config.

You have one router with two crypto maps pointing to the same destination.  How can the router get to the same destinations via two different interfaces?  How does the routing allow this?

It can't.

Philip,

There is always only one possible path to the destination, so the router always has only one route installed to reach it.

In other words, the branch router has installed all routes to the destination through ISP1; if ISP1 goes down, the branch router installs the routes through ISP2. The WAN links are used in an active/passive scenario.

The IKE SA and IPsec SA are initiated (become active) only when interesting traffic reaches the crypto map applied on the WAN interfaces (outgoing or incoming traffic).

r-edge.branch#sh ip route 192.168.109.1
Routing entry for 192.168.109.0/29
Known via "bgp 64531", distance 20, metric 0
Tag 65500, type external
Last update from 172.22.2.37 3w1d ago
Routing Descriptor Blocks:
* 172.22.2.37, from 172.22.2.37, 3w1d ago
Route metric is 0, traffic share count is 1
AS Hops 3
Route tag 65500
MPLS label: none
r-edge.branch#

r-edge.branch#sh ip bgp 192.168.109.1
BGP routing table entry for 192.168.109.0/29, version 63
Paths: (4 available, best #3, table default)
Not advertised to any peer
Refresh Epoch 1
65500 65500 65000 65500
172.25.2.37 from 172.25.2.37 (172.30.17.1)
Origin incomplete, localpref 100, weight 32800, valid, external
Community: 65102:2003
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65500 65000 65500, (received-only)
172.25.2.37 from 172.25.2.37 (172.30.17.1)
Origin incomplete, localpref 100, valid, external
Community: 65102:2003
rx pathid: 0, tx pathid: 0
Refresh Epoch 1
65500 28103 28103
172.22.2.37 from 172.22.2.37 (10.20.29.36)
Origin incomplete, localpref 100, weight 32800, valid, external, best
Community: 65101:2001
rx pathid: 0, tx pathid: 0x0
Refresh Epoch 1
65500 28103 28103, (received-only)
172.22.2.37 from 172.22.2.37 (10.20.29.36)
Origin incomplete, localpref 100, valid, external
Community: 65101:2001
rx pathid: 0, tx pathid: 0
r-edge.branch#

The problem is this will make the router 'fight' to bring up both VPNs, with one guaranteed to fail, hence causing your spikes in CPU.  You need to use a different design.

A good solution would be to terminate the second ISP VPN onto a different interface on the ASR.  Then all VPNs could come up at the same time.

That's the actual design. At the head office router there are two interfaces, one connected to ISP1 and the other connected to ISP2.

Here is the interface configuration at the Head Office (central):

interface FastEthernet0/1/0
description ISP1
bandwidth 30000
ip address 172.22.1.6 255.255.255.252
ip nat outside
ip flow ingress
ip flow egress
load-interval 30
negotiation auto
crypto map cryptomap_ISP1_HO
service-policy output SHAPER_ISP1_v1
!

interface FastEthernet0/1/1.311
description ISP2
bandwidth 30000
encapsulation dot1Q 311
ip address 172.25.1.6 255.255.255.252
ip nat outside
ip flow ingress
ip flow egress
crypto map cryptomap_ISP2_HO
service-policy output SHAPER_ISP2_v1