Multiple IKE Peers in "show crypto isakmp"?

noemi.berry
Level 1

We have an L2L tunnel configured between two Cisco ASA 5585Xs, and could use some help interpreting the output of "show crypto isakmp."

The tunnel had some problems last week -- "hanging" and not passing traffic.  A coworker captured "show crypto isakmp" while the tunnel was trying to come back up after a clear.

What could cause the peer to appear more than once? And why does it appear as both initiator and responder?

    13  IKE Peer: X.X.X.X
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3
    14  IKE Peer: X.X.X.X
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3
    15  IKE Peer: X.X.X.X
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2

Then when it went MM_ACTIVE a few minutes later, it decided that one of the "responder" SAs won.

Also, why does it start out as Type "user" ?  Ultimately it settles on "L2L":

    8   IKE Peer: X.X.X.X
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE

This final output appears healthy, but are the captured states normal / expected?  It got stuck there in MM_WAIT states for a while.

Lacking the explicit keyword "initiate-only" in both sides' configs, who is the initiator and who is the responder? The configs are identical on both sides except for IP addresses.

Unfortunately, it appears the tunnels were in state MM_ACTIVE when they stopped passing traffic, so that's another mystery (we didn't capture encaps/decaps stats on the phase 2 SAs).

Configs (identical both sides):

Site A (where the "show crypto isakmp" capture was taken):

crypto map MY-CRYPTO-MAP 1 match address OUTSIDE_cryptomap
crypto map MY-CRYPTO-MAP 1 set pfs
crypto map MY-CRYPTO-MAP 1 set peer X.X.X.X
crypto map MY-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY-CRYPTO-MAP 1 set nat-t-disable

group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
 vpn-tunnel-protocol ikev1

tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
 default-group-policy GroupPolicy_X.X.X.X

tunnel-group X.X.X.X ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Site EUR:

crypto map MY-CRYPTO-MAP 1 match address OUTSIDE_cryptomap
crypto map MY-CRYPTO-MAP 1 set pfs
crypto map MY-CRYPTO-MAP 1 set peer Y.Y.Y.Y
crypto map MY-CRYPTO-MAP 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map MY-CRYPTO-MAP 1 set nat-t-disable

group-policy GroupPolicy_Y.Y.Y.Y internal
group-policy GroupPolicy_Y.Y.Y.Y attributes
 vpn-tunnel-protocol ikev1

tunnel-group Y.Y.Y.Y type ipsec-l2l
tunnel-group Y.Y.Y.Y general-attributes
 default-group-policy GroupPolicy_Y.Y.Y.Y

tunnel-group Y.Y.Y.Y ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****

Thanks for any help, pointers, insights!
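Added after the post as a worked example (it is not part of the original thread and not Cisco code): a small Python script that parses IKE SA entries in the `show crypto isakmp sa` format quoted above and reports the two things the post asks about, a peer listed more than once (and whether the copies hold both roles, which means both ends sent the first main-mode message at about the same time) and entries sitting in an MM_WAIT state, annotated with which side owns that state in IKEv1 main mode and what it is waiting for. The sample output is constructed from the entries in the post, with RFC 5737 documentation addresses standing in for X.X.X.X; the MM_WAIT annotations follow the standard six-message main-mode sequence (MSG1/2 proposal, MSG3/4 key exchange, MSG5/6 identity and authentication).

```python
"""Parse ASA 'show crypto isakmp sa' entries and flag duplicate peers and
negotiations waiting in IKEv1 main-mode states.  Example written for this
thread, not Cisco's code; the SAMPLE text below is constructed from the
entries quoted in the post, with documentation addresses."""
import re
from collections import defaultdict

# Constructed sample: the three in-progress entries from the post for one
# peer, plus an established entry for a second peer.
SAMPLE = """\
    13  IKE Peer: 198.51.100.7
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3
    14  IKE Peer: 198.51.100.7
        Type    : user            Role    : responder
        Rekey   : no              State   : MM_WAIT_MSG3
    15  IKE Peer: 198.51.100.7
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    8   IKE Peer: 203.0.113.9
        Type    : L2L             Role    : responder
        Rekey   : no              State   : MM_ACTIVE
"""

# One entry = three lines: index + peer, Type/Role, Rekey/State.
ENTRY_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+IKE Peer:\s*(?P<peer>\S+)[ \t]*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)[ \t]*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)

# IKEv1 main mode: which side sits in each MM_WAIT state and what it awaits.
MM_STATES = {
    "MM_WAIT_MSG2": ("initiator", "sent SA proposal (MSG1); waiting for responder's accepted proposal"),
    "MM_WAIT_MSG3": ("responder", "sent accepted proposal (MSG2); waiting for initiator's key exchange"),
    "MM_WAIT_MSG4": ("initiator", "sent key exchange (MSG3); waiting for responder's key exchange"),
    "MM_WAIT_MSG5": ("responder", "sent key exchange (MSG4); waiting for initiator's ID and auth hash"),
    "MM_WAIT_MSG6": ("initiator", "sent ID and auth hash (MSG5); waiting for responder's ID and auth hash"),
}


def parse_isakmp_sa(text):
    """Return one dict per IKE SA entry, in the order printed."""
    return [
        {"idx": int(m["idx"]), "peer": m["peer"], "type": m["type"],
         "role": m["role"], "rekey": m["rekey"], "state": m["state"]}
        for m in ENTRY_RE.finditer(text)
    ]


def analyze(entries):
    """Return (peer, severity, message) findings for duplicate and waiting SAs."""
    findings = []
    by_peer = defaultdict(list)
    for e in entries:
        by_peer[e["peer"]].append(e)
    for peer, sas in by_peer.items():
        roles = {s["role"] for s in sas}
        pending = [s for s in sas if s["state"] != "MM_ACTIVE"]
        active = [s for s in sas if s["state"] == "MM_ACTIVE"]
        if len(sas) > 1 and roles == {"initiator", "responder"}:
            findings.append((peer, "info",
                             f"{len(sas)} SAs with both roles: both ends sent MSG1 at about the same "
                             f"time (initiation collision); one SA should win and the rest age out"))
        elif len(sas) > 1:
            findings.append((peer, "info",
                             f"{len(sas)} SAs with the same role ({next(iter(roles))}): retried negotiations"))
        for s in pending:
            expected_role, waiting_for = MM_STATES.get(s["state"], (None, "unknown state"))
            if expected_role and expected_role != s["role"]:
                findings.append((peer, "error",
                                 f"SA {s['idx']}: state {s['state']} belongs to the {expected_role}, "
                                 f"but role is {s['role']}"))
            else:
                findings.append((peer, "warn",
                                 f"SA {s['idx']} ({s['role']}, type {s['type']}) waiting in "
                                 f"{s['state']}: {waiting_for}"))
        if len(active) > 1:
            findings.append((peer, "warn",
                             f"{len(active)} MM_ACTIVE SAs; expect one unless a rekey is in progress"))
    return findings


if __name__ == "__main__":
    for peer, severity, message in analyze(parse_isakmp_sa(SAMPLE)):
        print(f"[{severity}] {peer}: {message}")
```

Run against a live capture by reading the command output into `parse_isakmp_sa` instead of `SAMPLE`. Taking two captures a minute apart and diffing the `findings` shows whether an MM_WAIT entry is actually stuck or merely a snapshot of a negotiation in progress; an SA that stays in MM_WAIT_MSG3 across captures means the responder's MSG2 never drew a key exchange from the initiator, which points at the path between the peers rather than at the proposal.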
