IKEv1 SA session status

Brian Whelan
Level 1

I have limited experience with IPSEC tunnels, and I'm looking for some perspective. 

I have configured a tunnel between a Cisco ISR 2911 router and a Meraki MX security appliance. A couple of days after the tunnel was established and network traffic was working fine, traffic stopped passing across the tunnel. When I looked at the status of the tunnel using 'sh crypto session' i saw that there were two distinct sessions to the same peer using port 500 and 4500. One was negotiating while the other was up. I'm assuming that the second session disrupted the traffic flow.

After reviewing the configuration I removed any potentially conflicting statements on the Cisco that still existed from testing with other configured tunnels previously. I also removed any protocols from the site-to-site VPN config on the Meraki device that were not in use, fearing they were causing a problem.

I reset the tunnel and everything came back fine. As a precaution, I have been periodically looking at the status of the tunnel to see if the problem was truly resolved. Everything appeared to be fine for two days. This morning I ran 'sh crypto session' and I see two IKEv1 SA's (both on port 4500) listed under the peer. A short while later the SA disappears (so there is only one). I'm not sure if this is normal behavior or if there is still something unusual about my configured state.

Can anyone shed any light on whether this behavior is expected?

Thanks.

2 Replies

Deepak Kumar
VIP Alumni

Hi Brian,

Can you share your configuration with IOS details?

Regards,

Deepak Kumar

IOS version 15.1

Here are the parts of the config pertaining to the tunnel:

crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <keyRedacted> address <redactedPeerIP>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toColoPeer
set peer <redactedPeerIP>
set transform-set ESP-3DES-SHA
match address 101

interface GigabitEthernet0/2
description $FW_OUTSIDE$$ES_LAN$
ip address <redactedPublicIP> 255.255.255.240
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
ip access-list extended NONAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 10.1.0.0 0.0.255.255 172.17.0.0 0.0.255.255
deny ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255
deny ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255
permit ip 10.1.0.0 0.0.255.255 any
permit ip 192.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.1.0.0 0.0.255.255 172.17.0.0 0.0.255.255
access-list 101 permit ip 10.1.0.0 0.0.255.255 172.18.0.0 0.0.255.255
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host <redactedPeerIP> any
access-list 102 permit ip host <redactedPeerIP> any
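The symptom in the question, two IKEv1 SAs under the same peer that later collapse to one, is easier to judge when checked over several polls rather than once. The Python below is an added example, not code from this thread or from Cisco: it parses 'show crypto session' output (the sample text is constructed, with documentation-range addresses) and reports peers whose duplicate IKEv1 SA is still present in every snapshot, so a short-lived overlap can be told apart from one that persists.

```python
import re
from collections import defaultdict

# Constructed sample of 'show crypto session' output (not from the post above);
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_OUTPUT = """\
Crypto session current status

Interface: GigabitEthernet0/2
Session status: UP-ACTIVE
Peer: 203.0.113.10 port 4500
  Session ID: 0
  IKEv1 SA: local 198.51.100.2/4500 remote 203.0.113.10/4500 Active
  IKEv1 SA: local 198.51.100.2/4500 remote 203.0.113.10/4500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 172.17.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/2
Session status: UP-ACTIVE
Peer: 203.0.113.20 port 500
  Session ID: 0
  IKEv1 SA: local 198.51.100.2/500 remote 203.0.113.20/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 172.18.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

PEER_RE = re.compile(r"^\s*Peer:\s+(\S+)\s+port\s+(\d+)")
IKE_RE = re.compile(r"^\s*IKEv1 SA:\s+local\s+\S+/(\d+)\s+remote\s+(\S+)/(\d+)\s+(\S+)")


def parse_ike_sas(text):
    """Map each remote peer IP to its IKEv1 SAs as (local_port, remote_port, state)."""
    sas = defaultdict(list)
    current_peer = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current_peer = m.group(1)
            continue
        m = IKE_RE.match(line)
        if m and current_peer:
            local_port, remote_ip, remote_port, state = m.groups()
            sas[remote_ip].append((int(local_port), int(remote_port), state))
    return dict(sas)


def duplicate_ike_peers(text):
    """Peers that currently hold more than one IKEv1 SA in this snapshot."""
    return {peer: s for peer, s in parse_ike_sas(text).items() if len(s) > 1}


def persistent_duplicates(snapshots):
    """Peers with more than one IKEv1 SA in every snapshot taken (poll minutes apart)."""
    if not snapshots:
        return set()
    return set.intersection(*(set(duplicate_ike_peers(s)) for s in snapshots))
```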