show ipsec sa send errors

Hello, I have problems with a network that I added to our Router 800: show ipsec sa shows send errors to the 172.17.0.0 network, which I cannot get to connect. Here is my configuration:

ip nat pool branch 200.89.177.111 200.89.177.111 netmask 255.255.255.248
ip nat inside source route-map nonat pool branch overload
!
access-list 120 remark SDM_ACL Category=20
access-list 120 permit ip 172.30.19.192 0.0.0.63 200.49.83.0 0.0.0.255
access-list 120 permit ip 172.30.19.192 0.0.0.63 172.17.0.0 0.0.255.255
access-list 130 deny   ip 172.30.19.192 0.0.0.63 200.49.83.0 0.0.0.255
access-list 130 deny   ip 172.30.19.192 0.0.0.63 172.17.0.0 0.0.255.255
access-list 130 permit ip 172.30.19.192 0.0.0.63 any

and the show crypto ipsec sa:

SOAPL-VPN#show crypto ipsec sa
interface: FastEthernet4
    Crypto map tag: nolan, local addr 200.89.177.211

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
   current_peer 200.71.232.2 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 391, #recv errors 0
     local crypto endpt.: 200.89.177.211, remote crypto endpt.: 200.71.232.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0x0(0)
     inbound esp sas:
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
     outbound ah sas:
     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
   remote ident (addr/mask/prot/port): (200.49.83.0/255.255.255.0/0/0)
   current_peer 200.71.232.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15475, #pkts encrypt: 15475, #pkts digest: 15475
    #pkts decaps: 15734, #pkts decrypt: 15734, #pkts verify: 15734
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 200.89.177.211, remote crypto endpt.: 200.71.232.2
     path mtu 1500, ip mtu 1500
     current outbound spi: 0xE21A0585(3793356165)
     inbound esp sas:
      spi: 0xE7E8C6A7(3890792103)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: C87X_MBRD:3, crypto map: nolan
        sa timing: remaining key lifetime (k/sec): (4386876/86369)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0xE21A0585(3793356165)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: C87X_MBRD:4, crypto map: nolan
        sa timing: remaining key lifetime (k/sec): (4386876/86369)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

Hopefully they can help me.

Thank you very much.
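
Added example, not part of the original post: a small Python parser for `show crypto ipsec sa` output that lists the protected flows with no outbound SA installed (outbound SPI 0x0), together with their send-error count and whether an SA request is still pending. The sample is constructed by trimming the output above to the parsed lines; the function names are hypothetical.

```python
import re

# Constructed sample: the two protected flows above, trimmed to the parsed lines.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
   remote ident (addr/mask/prot/port): (172.17.0.0/255.255.0.0/0/0)
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #send errors 391, #recv errors 0
     current outbound spi: 0x0(0)
   local  ident (addr/mask/prot/port): (172.30.19.192/255.255.255.192/0/0)
   remote ident (addr/mask/prot/port): (200.49.83.0/255.255.255.0/0/0)
     PERMIT, flags={origin_is_acl,}
    #send errors 0, #recv errors 0
     current outbound spi: 0xE21A0585(3793356165)
"""

# One pattern per field; a "local ident" line opens a new flow record.
FIELDS = {
    "local": re.compile(r"local\s+ident.*?:\s*\(([\d.]+/[\d.]+)/"),
    "remote": re.compile(r"remote\s+ident.*?:\s*\(([\d.]+/[\d.]+)/"),
    "flags": re.compile(r"flags=\{([^}]*)\}"),
    "send_errors": re.compile(r"#send errors\s+(\d+)"),
    "spi": re.compile(r"current outbound spi:\s*0x([0-9A-Fa-f]+)"),
}

def parse_flows(text):
    """Split the output into one dict per local/remote ident pair."""
    flows = []
    for line in text.splitlines():
        for name, rx in FIELDS.items():
            m = rx.search(line)
            if m and name == "local":
                flows.append({})
            if m and flows:
                flows[-1][name] = m.group(1)
    return flows

def flows_without_sa(flows):
    """Flows whose outbound SPI is 0x0, i.e. no outbound SA is installed."""
    report = []
    for f in flows:
        if int(f.get("spi", "0"), 16) != 0:
            continue
        flags = f.get("flags", "").split(",")
        report.append({"remote": f.get("remote"),
                       "send_errors": int(f.get("send_errors", 0)),
                       "request_pending": "ipsec_sa_request_sent" in flags})
    return report

print(flows_without_sa(parse_flows(SAMPLE)))
```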
