Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
472
Views
0
Helpful
1
Replies

Two SA's showing for single gre over ipsec tunnel

John McNumara
Level 1
Level 1

‎08-08-2013 10:18 AM - edited ‎03-04-2019 08:42 PM

I have a GRE over IPSec tunnel between two locations.  Here is the following output I have a question about:

router1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
a.a.a.a    b.b.b.b     QM_IDLE           1001 ACTIVE
b.b.b.b   a.a.a.a      QM_IDLE           1002 ACTIVE

router1#sh crypto session
Crypto session current status

Interface: Tunnel0
Session status: UP-ACTIVE
Peer: b.b.b.b port 500
  IKEv1 SA: local a.a.a.a/500 remote b.b.b.b/500 Active
  IKEv1 SA: local a.a.a.a/500 remote b.b.b.b/500 Active
  IPSEC FLOW: permit 47 host a.a.a.a host b.b.b.b

  Active SAs: 6, origin: crypto map

On another ipsec site-to-site vpn, I am showing one conn-id.  Why are there two here?  Also, why are there 6's SA's?

Thanks for helping me understand this

Labels:
0 Helpful
1 Reply 1

Richard Burts
Hall of Fame
Hall of Fame

‎08-11-2013 12:35 PM

John

We do not have enough information here to be able to accurately diagnose the problem. Your description suggests that perhaps your router opens a session to the peer and the peer opens its own session to you rather than sending back over your session. Can you confirm that the configuration of both peers are mirror images of each other as far as the crypto is concerned? Perhaps you can post the configuration of this router as a starting point for us to try to find the problem?

HTH

Rick

HTH

Rick
0 Helpful
Customers Also Viewed These Support Documents