1449 Views | 2 Helpful | 14 Replies

crypto ipsec security-association multi-sn

hi,

is it possible to configure

crypto ipsec security-association multi-sn

per peer? I am trying to resolve anti-replay errors, and this command needs to be configured on both sides of the IPsec tunnel. One router involved has many tunnels and I need to configure this on only one of them.

 

br 

14 Replies

M02@rt37 (VIP)

Hello @DraganSkundric87318 

No, it's not possible to configure the [crypto ipsec security-association multi-sn] command per peer. This command is a global configuration command that enables or disables the use of multiple SAs for a single IPsec peer.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Under the crypto map for that peer there is

set security-association multi-sn

This way you can apply this command only to this peer.

I am using VTIs and there is no such set command under the ipsec profile.

OK let me check how we can solve issue.

@DraganSkundric87318 

What about this command

crypto ipsec security-association multi-sn

not in global configuration mode, but under the tunnel interface?

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

There is no such command in interface mode, only crypto ipsec df-bit and fragmentation.

OK, the anti-replay issue can be solved in three ways:
1- disable anti-replay
2- change the size of the window
3- configure multi-seq num

Why can you not use one of the above two solutions?

Well,

1. I want to keep anti-replay protection
2. Max window size does not help
3. I do not want to change this on a few hundred locations

But it looks like the problem may be in the QoS/VTI combination, so I will try to move the QoS policy from the physical interface to the tunnel.
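To make the three options in MHM's list and the QoS/VTI suspicion above concrete, here is an added simulation (not code from the thread, Cisco, or any IOS XE feature) of the receiver-side ESP anti-replay window as described in RFC 4303 and of what a strict-priority scheduler does to a single sequence-number space. The multi-SN model below is an assumption: it treats the feature as giving each QoS class its own sequence-number counter and its own replay window, which is the idea behind the "multiple sequence number space" design, not a statement of how a specific platform implements it. All packet streams are constructed inline.

```python
from dataclasses import dataclass


@dataclass
class ReplayWindow:
    """RFC 4303 style sliding anti-replay window kept as a bitmap.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been seen.
    """
    size: int = 64
    top: int = 0
    bitmap: int = 0
    drops: int = 0

    def check(self, seq: int) -> bool:
        """Return True and record `seq` if it is acceptable, else count a drop."""
        if seq > self.top:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.top
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # everything previously seen falls out of the window
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            self.drops += 1  # too old: arrived outside the window (the QoS symptom)
            return False
        if (self.bitmap >> diff) & 1:
            self.drops += 1  # duplicate: a genuine replay
            return False
        self.bitmap |= 1 << diff
        return True


def encapsulate(classes, multi_sn=False):
    """Assign ESP sequence numbers at encryption time.

    Single-SN: one counter for the whole SA. Multi-SN (assumed model): one
    counter per QoS class. Returns (space, seq, class) tuples in arrival order.
    """
    counters = {}
    wire = []
    for cls in classes:
        space = cls if multi_sn else "sa"
        counters[space] = counters.get(space, 0) + 1
        wire.append((space, counters[space], cls))
    return wire


def strict_priority_schedule(packets):
    """Model a priority queue on the outgoing interface: 'high' always goes first.

    Packets were numbered before queuing, so this is where reordering happens.
    """
    high = [p for p in packets if p[2] == "high"]
    rest = [p for p in packets if p[2] != "high"]
    return high + rest


def receive(wire, window_size):
    """Run every packet through the replay window of its sequence space."""
    windows = {}
    drops = 0
    for space, seq, _cls in wire:
        win = windows.setdefault(space, ReplayWindow(window_size))
        if not win.check(seq):
            drops += 1
    return drops


def simulate(n_low, n_high, window_size, multi_sn):
    """Constructed scenario: a low-priority backlog is queued, then a high-priority
    burst arrives and is sent ahead of it. Returns the receiver's drop count."""
    classes = ["low"] * n_low + ["high"] * n_high
    wire = strict_priority_schedule(encapsulate(classes, multi_sn))
    return receive(wire, window_size)


if __name__ == "__main__":
    print("single SN, window 64:  ", simulate(100, 100, 64, False))
    print("single SN, window 1024:", simulate(100, 100, 1024, False))
    print("multi SN,  window 64:  ", simulate(100, 100, 64, True))
```

With the default-sized window and a single sequence space, every delayed low-priority packet arrives more than 64 numbers behind the window top and is discarded as "too old", which shows up on the router as anti-replay errors even though nothing was replayed. Enlarging the window helps only while the reordering depth stays below the window size; separate sequence spaces per class remove the reordering from the receiver's point of view, which is why option 3 works regardless of queue depth. The duplicate branch is kept separate so the two failure modes can be told apart when reading counters.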

Understood.
This command is in IOS XE; I need to return home and check the CSR.
I will update you soon.


I use a CSR1000 with IOS XE and there is set multi-sn under the ipsec profile;
please check above.

Well, on an ASR 1001-X with IOS XE 17.06.03a there is not:

 

(config-crypto-map)#set sec
(config-crypto-map)#set security-association ?
dfbit Handling of encapsulated DF bit.
dummy Enable transmitting dummy packets
ecn Handling of ECN bit
idle-time Automatically delete IPSec SAs after a given idle period.
level specify a security association granularity level for identities
lifetime security association lifetime
replay Set replay checking.

I think I found solution but I need to check some command reference first. 

Did you ever figure this out?

Can you please make a new post?

thanks 

MHM
