cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

ASA - How to troubleshoot VPN L2L - Ensure traffic is passing through VPN

2190
Views
0
Helpful
1
Comments

The goal of that document is to give some hints on how to validate that traffic is passing through an IPSEC VPN and be sure it's passing through the right VPN. It's a high level troubleshooting.

A lot of people are asking question regarding this kind of troubleshooting, that's why I've decided to post a quick document on that topic


As per assumptions, to illustrate the output commands, we need to define Remote host, local host and IPSEC L2L Peer:

Local IP: 10.250.20.1/32
Remote IP: 10.110.100.9/32
VPN L2L Remote Peer address: 9.9.9.9
VPN L2L Local Peer address: 7.7.7.7


This procedure will show up 2 options to see if traffic is passing through the IPSEC L2L Tunnel.


1st Option:

This 1st option consist into checking on the crypto ipsec details that we have encaps and decaps packets. This is a high level view of viewing traffic passing through IPSEC tunnel. Important values are highlighted in Red in the output below:


ASA# sh crypto ipsec sa peer 9.9.9.9

Crypto map tag: outside_map, seq num: 6, local addr: 7.7.7.7

access-list CRYPTO_ACL extended permit ip 10.250.20.0 255.255.255.0 10.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (10.250.20.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

current_peer: 9.9.9.9

#pkts encaps: 140, #pkts encrypt: 140, #pkts digest: 140

#pkts decaps: 133, #pkts decrypt: 133, #pkts verify: 133

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 140, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0

local crypto endpt.: 7.7.7.7, remote crypto endpt.: 9.9.9.9

path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: A7A3D3DA

current inbound spi : 70CDBE59

[...] Output has been truncated.

2nd Option:

The 2nd option consist into using packet-trace functionality and verify that the output traffic is going through the right IPSEC tunnel.

The 1st step is to run a packet-tracer with detailed information and concentrate into the VPN encrypt phase (take the user_data value):


ASA# packet-tracer input inside icmp 10.250.20.1 8 0 10.110.100.9 detailed

[...] Output has been truncated.

Phase: 9

Type: VPN

Subtype: encrypt

Result: ALLOW

Config:

Additional Information:

Forward Flow based lookup yields rule:

out id=0x77a04c38, priority=70, domain=encrypt, deny=false

hits=2, user_data=0x3346d04, cs_id=0x76c6dab8, reverse, flags=0x0, protocol=0

src ip=10.250.20.0, mask=255.255.255.0, port=0

dst ip=10.0.0.0, mask=255.0.0.0, port=0, dscp=0x0

[...] Output has been truncated.

We need to take the number highlighted in red in the output below and check it into the asp table for VPN-Context (be careful the VPN Context value is case sensitive and must be always in capital letter):


ASA# sh asp table vpn-context detail | beg 3346D

VPN CTX = 0x03346D04


Peer IP = 10.0.0.0

Pointer = 0x77ACAFC8

State = UP

Flags = ENCR+ESP

SA = 0x564A5737

SPI = 0x8367781F

Group = 0

Pkts = 0

Bad Pkts = 0

Bad SPI = 0

Spoof = 0

Bad Crypto = 0

Rekey Pkt = 0

Rekey Call = 0

VPN Filter = <none>


If the SPI value highlighted in red in the below output match the value Current Outbound SPI from the show crypto ipsec sa peer 9.9.9.9 that means the traffic is passing through the right IPSEC tunnel. If not you need to check into this table to see which L2L tunnel the traffic is passing through.

Crypto map tag: outside_map, seq num: 6, local addr: 7.7.7.7


access-list CRYPTO_ACL extended permit ip 10.250.20.0 255.255.255.0 10.0.0.0 255.0.0.0

local ident (addr/mask/prot/port): (10.250.20.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)

current_peer: 9.9.9.9

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0

#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0

#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0

#send errors: 0, #recv errors: 0


local crypto endpt.: 7.7.7.7, remote crypto endpt.: 9.9.9.9


path mtu 1500, ipsec overhead 74, media mtu 1500

current outbound spi: 8367781F

current inbound spi : 18796DDF

[...] Output has been truncated.

Comments
Beginner

This is the non-working subnet.

ciscoasa# packet-tracer input inside icmp 192.168.1.1 8 0 192.168.12.1 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cbd78, priority=1, domain=permit, deny=false
hits=171555850, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in_1 in interface Inside control-plane
access-list Inside_access_in_1 extended permit ip any any
access-list Inside_access_in_1 remark TS-RDP
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabbc0120, priority=12, domain=permit, deny=false
hits=6781317, user_data=0xa8a92fc0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8ce588, priority=0, domain=permit-ip-option, deny=true
hits=10180971, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac508518, priority=70, domain=inspect-icmp-error, deny=false
hits=1628456, user_data=0xac507e78, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description ICMP
class inspection_default
inspect icmp error
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac509ee8, priority=70, domain=inspect-icmp, deny=false
hits=1628456, user_data=0xac509848, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac488b98, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=8855314, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Inside Inside 255.255.255.0 Outside 192.168.12.0 255.255.255.0
NAT exempt
translate_hits = 35382, untranslate_hits = 12932
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac9ead70, priority=6, domain=nat-exempt, deny=false
hits=35634, user_data=0xac983598, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=Inside, mask=255.255.255.0, port=0
dst ip=192.168.12.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 101 (67.55.158.241 [Interface PAT])
translate_hits = 2607936, untranslate_hits = 540073
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabb50c28, priority=1, domain=nat, deny=false
hits=6074570, user_data=0xabb50b68, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 101 (67.55.158.241 [Interface PAT])
translate_hits = 2607936, untranslate_hits = 540073
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabb50f80, priority=1, domain=host, deny=false
hits=10401112, user_data=0xabb50b68, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xacc47cd0, priority=70, domain=encrypt, deny=false
hits=205678, user_data=0x1e69bc, cs_id=0xac463870, reverse, flags=0x0, protocol=0
src ip=Inside, mask=255.255.255.0, port=0
dst ip=192.168.12.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab887f38, priority=0, domain=permit-ip-option, deny=true
hits=7721471, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9536705, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow


ciscoasa# sh asp table vpn-context detail | beg 1E69B
VPN CTX = 0x001E69BC

Peer IP = 192.168.12.0
Pointer = 0xAD022278
State = UP
Flags = ENCR+ESP
SA = 0x0D70C01F
SPI = 0xC07E5892
Group = 2
Pkts = 209560
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 0
Rekey Call = 0

Crypto map tag: Outside_map0, seq num: 1, local addr: 67.55.158.241

access-list Outside_cryptomap_2 permit ip Inside 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (Inside/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 192.30.184.237

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 67.55.158.241, remote crypto endpt.: 192.30.184.237

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C81A0561

inbound esp sas:
spi: 0xA58AD63F (2777339455)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 6008832, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 3394
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0xC81A0561 (3357148513)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 6008832, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 3394
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

 

 

This is a working subnet.

ciscoasa# packet-tracer input inside icmp 192.168.5.1 8 0 192.168.12.1 detailed

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8cbd78, priority=1, domain=permit, deny=false
hits=171625432, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside_access_in_1 in interface Inside control-plane
access-list Inside_access_in_1 extended permit ip any any
access-list Inside_access_in_1 remark TS-RDP
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabbc0120, priority=12, domain=permit, deny=false
hits=6782327, user_data=0xa8a92fc0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8ce588, priority=0, domain=permit-ip-option, deny=true
hits=10182353, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac508518, priority=70, domain=inspect-icmp-error, deny=false
hits=1628662, user_data=0xac507e78, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
description ICMP
class inspection_default
inspect icmp error
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac509ee8, priority=70, domain=inspect-icmp, deny=false
hits=1628662, user_data=0xac509848, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac50d770, priority=70, domain=inspect-dns-np, deny=true
hits=434769, user_data=0xac50bbb8, cs_id=0x0, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac488b98, priority=12, domain=ipsec-tunnel-flow, deny=true
hits=8857551, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 10
Type: NAT-EXEMPT
Subtype:
Result: ALLOW
Config:
match ip Inside 192.168.5.0 255.255.255.0 Outside 192.168.12.0 255.255.255.0
NAT exempt
translate_hits = 150480, untranslate_hits = 6
Additional Information:
Forward Flow based lookup yields rule:
in id=0xaca313a0, priority=6, domain=nat-exempt, deny=false
hits=158125, user_data=0xab9c83c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=192.168.12.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 11
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,Inside) 192.168.5.0 192.168.5.0 netmask 255.255.255.0
match ip Inside 192.168.5.0 255.255.255.0 Inside any
static translation to 192.168.5.0
translate_hits = 0, untranslate_hits = 438129
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab8a5d38, priority=5, domain=host, deny=false
hits=928560, user_data=0xabbb62d0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 12
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 101 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 101 (67.55.158.241 [Interface PAT])
translate_hits = 2608399, untranslate_hits = 540156
Additional Information:
Forward Flow based lookup yields rule:
in id=0xabb50c28, priority=1, domain=nat, deny=false
hits=6076515, user_data=0xabb50b68, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 13
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0xac901b70, priority=70, domain=encrypt, deny=false
hits=1869, user_data=0xc06c54, cs_id=0xac794ae8, reverse, flags=0x0, protocol=0
src ip=192.168.5.0, mask=255.255.255.0, port=0
dst ip=192.168.12.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 14
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xac9df298, priority=69, domain=ipsec-tunnel-flow, deny=false
hits=1821, user_data=0xc098ac, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=192.168.12.0, mask=255.255.255.0, port=0
dst ip=192.168.5.0, mask=255.255.255.0, port=0, dscp=0x0

Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xab887f38, priority=0, domain=permit-ip-option, deny=true
hits=7723213, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9537923, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

ciscoasa#

ciscoasa# sh asp table vpn-context detail | beg C06C5
VPN CTX = 0x00C06C54

Peer IP = 192.168.12.0
Pointer = 0xACAACA60
State = UP
Flags = ENCR+ESP
SA = 0x373EDF23
SPI = 0xC85A295B
Group = 2
Pkts = 556334
Bad Pkts = 0
Bad SPI = 0
Spoof = 0
Bad Crypto = 0
Rekey Pkt = 31
Rekey Call = 31


Crypto map tag: Outside_map0, seq num: 1, local addr: 67.55.158.241

access-list Outside_1_cryptomap permit ip 192.168.5.0 255.255.255.0 192.168.12.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.5.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.12.0/255.255.255.0/0/0)
current_peer: 192.30.184.237

#pkts encaps: 557409, #pkts encrypt: 557409, #pkts digest: 557409
#pkts decaps: 405524, #pkts decrypt: 405524, #pkts verify: 405524
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 557409, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 67.55.158.241, remote crypto endpt.: 192.30.184.237

path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: C85A295B

inbound esp sas:
spi: 0xCDA20C53 (3449949267)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 696320, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 1910
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC85A295B (3361352027)
transform: esp-aes-256 esp-md5-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, }
slot: 0, conn_id: 696320, crypto-map: Outside_map0
sa timing: remaining key lifetime (sec): 1910
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001