Cisco Employee

Hi,

Can you share the sh cry ipsec sa from both the ASAs?

It seems to be either a route issue or rules on one of the ASAs.

Regards,

Aditya

Please rate helpful and mark correct answers

Here are those commands:

asa1# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map0, seq num: 2, local addr: 1.1.1.2

access-list outside_cryptomap_3 extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
current_peer: 2.2.2.2


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 1.1.1.2/500, remote crypto endpt.: 2.2.2.2/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 95D4DD40
current inbound spi : 3B2D06DD

inbound esp sas:
spi: 0x3B2D06DD (992806621)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1671168, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (91135999/27638)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000000F
outbound esp sas:
spi: 0x95D4DD40 (2513755456)
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 1671168, crypto-map: outside_map0
sa timing: remaining key lifetime (kB/sec): (90112000/27638)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

And on asa2:

asa2# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 2.2.2.2

access-list outside_cryptomap_2 extended permit ip 192.168.1.0 255.255.255.0 172.16.0.0 255.255.0.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
current_peer: 1.1.1.2


#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 2.2.2.2/500, remote crypto endpt.: 1.1.1.2/500
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 3B2D06DD
current inbound spi : 95D4DD40

inbound esp sas:
spi: 0x95D4DD40 (2513755456)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 250966016, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4008960/27693)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0x3B2D06DD (992806621)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 250966016, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4331519/27693)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
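
Added example, not part of the original thread: a Python check that parses the two `show crypto ipsec sa` outputs posted above and compares each peer's encaps/decaps counters, the comparison behind the reply's route-or-rules suspicion, and also reports the negotiated `esp-des` transform. The function names, the trimmed sample input and the `WEAK` list are assumptions of this example.

```python
import re

# Constructed input: excerpts of the two outputs posted above, trimmed to the fields parsed here.
ASA1 = """local ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
transform: esp-des esp-sha-hmac no compression"""
ASA2 = """local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.0.0/0/0)
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
transform: esp-des esp-sha-hmac no compression"""

WEAK = {"esp-des", "esp-null"}  # assumption: transforms this check treats as weak

def parse_sa(text):
    """Extract proxy identities, packet counters and ESP transforms from one SA."""
    sa = {"ident": {}, "pkts": {}, "transforms": set()}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"(local|remote) ident .*?: \(([\d.]+)/([\d.]+)/", line)
        if m:
            sa["ident"][m.group(1)] = (m.group(2), m.group(3))
        for name, value in re.findall(r"#pkts (\w+): (\d+)", line):
            sa["pkts"][name] = int(value)
        if line.startswith("transform:"):
            sa["transforms"].update(t for t in line.split() if t.startswith("esp-"))
    return sa

def diagnose(name_a, sa_a, name_b, sa_b):
    """Compare both peers' views of the same tunnel and list what stands out."""
    findings = []
    if (sa_a["ident"]["local"] != sa_b["ident"]["remote"]
            or sa_a["ident"]["remote"] != sa_b["ident"]["local"]):
        findings.append("selectors are not mirror images")
    for tx_name, tx, rx_name, rx in ((name_a, sa_a, name_b, sa_b), (name_b, sa_b, name_a, sa_a)):
        sent, got = tx["pkts"]["encaps"], rx["pkts"]["decaps"]
        if sent == 0 and tx["pkts"]["decaps"] > 0:
            findings.append(f"{tx_name} receives but never encrypts: check routes/rules on {tx_name}'s side")
        elif sent > got:
            findings.append(f"{tx_name} encrypted {sent}, {rx_name} decrypted {got}: ESP lost in transit")
    for name, sa in ((name_a, sa_a), (name_b, sa_b)):
        for t in sorted(sa["transforms"] & WEAK):
            findings.append(f"{name} negotiated weak transform {t}")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose("asa1", parse_sa(ASA1), "asa2", parse_sa(ASA2))))
```

On the posted counters this reports that asa1 decapsulates traffic from asa2 but encapsulates nothing in return, which places the fault on asa1's side of the tunnel rather than in the path between the peers.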