03-31-2017 10:45 AM - edited 02-21-2020 09:13 PM
The ACL for the VPN is creating two different SAs.
10.0.0.0/8 ACL creates 10.0.0.0/8 SA and 10.0.0.0/11 SA. The SA with /8 mask will be up for just a moment before being torn down again, and then it will stay down for a while.
Has anyone seen this before, or have an idea what might be going on?
# show cry ips sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list AZURE-VPN extended permit ip 10.0.0.0 255.0.0.0 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 3, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C3FAA14C
current inbound spi : B8CC62B8
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list AZURE-VPN extended permit ip 10.0.0.0 255.0.0.0 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.224.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 836275, #pkts encrypt: 836275, #pkts digest: 836275
#pkts decaps: 1147983, #pkts decrypt: 1147983, #pkts verify: 1147983
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 836275, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1/0, remote crypto endpt.: 2.2.2.2/0
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 64E1B168
current inbound spi : 036C87C7
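To spot this condition in the output itself, here is an added example (not from the original post) that parses a constructed copy of the `show crypto ipsec sa` entries above and flags any SA whose negotiated local identity is narrower than the crypto ACL entry that triggered it, as with the /8 ACL yielding a /11 SA in the post. A narrowed identity like this is worth comparing against the peer's configured traffic selectors before assuming stale state is to blame.

```python
import re
import ipaddress

# Constructed sample, modelled on the two SA entries shown in the post above.
SAMPLE = """\
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list AZURE-VPN extended permit ip 10.0.0.0 255.0.0.0 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
Crypto map tag: outside_map, seq num: 1, local addr: 1.1.1.1
access-list AZURE-VPN extended permit ip 10.0.0.0 255.0.0.0 172.31.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.0.0.0/255.224.0.0/0/0)
remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
#pkts encaps: 836275, #pkts encrypt: 836275, #pkts digest: 836275
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")
IDENT_RE = re.compile(r"^(local|remote) ident .*: \(([^/]+)/([^/]+)/\d+/\d+\)")
ENCAPS_RE = re.compile(r"^#pkts encaps: (\d+)")

def prefixlen(addr, mask):
    """Turn an address/netmask pair into a CIDR prefix length (255.224.0.0 -> 11)."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False).prefixlen

def parse_sas(text):
    """Split 'show crypto ipsec sa' output into one dict per SA entry."""
    sas, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Crypto map tag:"):
            cur = {}
            sas.append(cur)
        elif cur is None:
            continue
        elif m := ACL_RE.match(line):
            cur["acl"], cur["acl_local"] = m.group(1), (m.group(2), m.group(3))
        elif m := IDENT_RE.match(line):
            cur[m.group(1)] = (m.group(2), m.group(3))   # 'local' or 'remote' proxy identity
        elif m := ENCAPS_RE.match(line):
            cur["encaps"] = int(m.group(1))
    return sas

def find_narrowed_sas(sas):
    """Flag SAs whose negotiated local identity differs from the crypto ACL
    entry that triggered them (the /8 ACL producing a /11 SA in the post)."""
    return [sa for sa in sas if sa.get("local") != sa.get("acl_local")]

def report(text):
    """One summary line per narrowed SA found in the output."""
    return [f"{sa['acl']}: ACL /{prefixlen(*sa['acl_local'])} but SA /{prefixlen(*sa['local'])} "
            f"({sa.get('encaps', 0)} pkts encaps)" for sa in find_narrowed_sas(parse_sas(text))]
```

Running `report(SAMPLE)` on the constructed sample returns a single line for the /11 entry; on a healthy tunnel it returns an empty list.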
04-01-2017 04:32 AM
Hi,
I suppose you might have two IPs in the 10.0.0.0/8 subnet which are communicating and traversing the firewall.
Thanks
05-17-2017 07:11 PM
This issue ended up resolving itself. We believe it was some state information from a previous config that didn't clear properly when the new config was applied.