
Duplicate SA

bluesea2010
Level 5

The output below shows two SAs for the same network.
The first one has no encaps and the second one shows the packets are encapsulated.
The first one has decaps and the second one shows the packets are not decapsulated.

How do I fix the issue?

1)
Crypto map tag: Test, seq num: 3, local addr: OUTSIDEIP
access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: Remotepeerip


#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 19898, #pkts decrypt: 19898, #pkts verify: 19898
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: OUTSIDEIP/500, remote crypto endpt.: Remotepeerip/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C89E34D8
current inbound spi : 24E62A34

inbound esp sas:
spi: 0x24E62A34 (619063860)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 82362368, crypto-map: Test
sa timing: remaining key lifetime (kB/sec): (95231992/2933)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC89E34D8 (3365811416)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 82362368, crypto-map: Test
sa timing: remaining key lifetime (kB/sec): (90112000/2933)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001


2)
Crypto map tag: Test, seq num: 3, local addr: OUTSIDEIP

access-list Outside_cryptomap_2 extended permit ip 172.16.10.0 255.255.255.0 172.21.22.0 255.255.255.0
local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
current_peer: Remotepeerip


#pkts encaps: 10846260, #pkts encrypt: 10846260, #pkts digest: 10846260
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 10846260, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: OUTSIDEIP/500, remote crypto endpt.: Remotepeerip/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C4E52459
current inbound spi : C6E755F1

inbound esp sas:
spi: 0xC6E755F1 (3337049585)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: Test
sa timing: remaining key lifetime (kB/sec): (94207999/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xC4E52459 (3303351385)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 5, IKEv2, }
slot: 0, conn_id: 74665984, crypto-map: Test
sa timing: remaining key lifetime (kB/sec): (88451347/0)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Thanks
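Added example, not from the poster and not Cisco code: a small Python script that parses "show crypto ipsec sa" output like the one above, groups the entries by (local ident, remote ident, peer) and reports every selector pair that has more than one SA. It classifies the duplicate from the counters: "split" when the SA this ASA encrypts on is not the SA the peer's traffic is arriving on (the situation in the post: encaps on one entry, decaps on the other), "idle-dup" when at most one of the SAs carries traffic, "shared" when both directions are spread over several SAs. It also prints each SA's remaining key lifetime in seconds, since the second entry above is already at 0 seconds. The embedded SAMPLE is constructed from the two entries above, trimmed to the lines the parser reads; OUTSIDEIP and Remotepeerip are the placeholders from the post.

```python
"""Parse Cisco ASA 'show crypto ipsec sa' output and flag duplicate SAs for one selector pair."""
# Added diagnostic for the thread above, not Cisco code. OUTSIDEIP/Remotepeerip are the
# post's own placeholders; SAMPLE is constructed from the two entries in the post.
import re
import sys
from collections import defaultdict

SAMPLE = """\
Crypto map tag: Test, seq num: 3, local addr: OUTSIDEIP
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
      current_peer: Remotepeerip
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 19898, #pkts decrypt: 19898, #pkts verify: 19898
      current outbound spi: C89E34D8
      current inbound spi : 24E62A34
    inbound esp sas:
         slot: 0, conn_id: 82362368, crypto-map: Test
         sa timing: remaining key lifetime (kB/sec): (95231992/2933)
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (90112000/2933)
Crypto map tag: Test, seq num: 3, local addr: OUTSIDEIP
      local ident (addr/mask/prot/port): (172.16.10.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (172.21.22.0/255.255.255.0/0/0)
      current_peer: Remotepeerip
      #pkts encaps: 10846260, #pkts encrypt: 10846260, #pkts digest: 10846260
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      current outbound spi: C4E52459
      current inbound spi : C6E755F1
    inbound esp sas:
         slot: 0, conn_id: 74665984, crypto-map: Test
         sa timing: remaining key lifetime (kB/sec): (94207999/0)
    outbound esp sas:
         sa timing: remaining key lifetime (kB/sec): (88451347/0)
"""

# One regex per field; group(1) is the value.
FIELDS = {
    "local_ident": r"local ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "remote_ident": r"remote ident \(addr/mask/prot/port\): \(([^)]+)\)",
    "peer": r"current_peer: (\S+)",
    "encaps": r"#pkts encaps: (\d+)",
    "decaps": r"#pkts decaps: (\d+)",
    "out_spi": r"current outbound spi: ([0-9A-Fa-f]+)",
    "in_spi": r"current inbound spi\s*: ([0-9A-Fa-f]+)",
    "conn_id": r"conn_id: (\d+)",
}
LIFETIME = re.compile(r"remaining key lifetime \(kB/sec\): \((\d+)/(\d+)\)")


def parse_sas(text):
    """Return one dict per 'Crypto map tag:' entry, in the order the ASA printed them."""
    heads = [m.start() for m in re.finditer(r"(?m)^\s*Crypto map tag:", text)]
    sas = []
    for start, end in zip(heads, heads[1:] + [len(text)]):
        chunk = text[start:end]
        sa = {name: (m.group(1) if (m := re.search(pat, chunk)) else None)
              for name, pat in FIELDS.items()}
        sa["encaps"], sa["decaps"] = int(sa["encaps"] or 0), int(sa["decaps"] or 0)
        # Lifetimes appear twice per entry: the inbound ESP SA first, then the outbound one.
        secs = [int(sec) for _, sec in LIFETIME.findall(chunk)]
        sa["in_sec"], sa["out_sec"] = (secs + [None, None])[:2]
        sas.append(sa)
    return sas


def duplicate_groups(sas):
    """Group by (local ident, remote ident, peer); keep only selector pairs with more than one SA."""
    groups = defaultdict(list)
    for sa in sas:
        groups[(sa["local_ident"], sa["remote_ident"], sa["peer"])].append(sa)
    return {key: group for key, group in groups.items() if len(group) > 1}


def diagnose(group):
    """'split': we encrypt on one SA while the peer's traffic arrives on another (the post's case);
    'idle-dup': at most one SA carries traffic; 'shared': both directions use several SAs."""
    active = [sa for sa in group if sa["encaps"] or sa["decaps"]]
    if len(active) <= 1:
        return "idle-dup"
    tx = max(active, key=lambda sa: sa["encaps"])
    rx = max(active, key=lambda sa: sa["decaps"])
    return "split" if tx is not rx else "shared"


def report(text):
    """One summary line per duplicate selector pair, then one line per SA in it."""
    out = []
    for (local, remote, peer), group in duplicate_groups(parse_sas(text)).items():
        out.append(f"{local} <-> {remote} peer {peer}: {len(group)} SAs, diagnosis={diagnose(group)}")
        for sa in group:
            out.append(f"  conn_id={sa['conn_id']} in_spi={sa['in_spi']} out_spi={sa['out_spi']} "
                       f"encaps={sa['encaps']} decaps={sa['decaps']} "
                       f"remaining_sec(in/out)={sa['in_sec']}/{sa['out_sec']}")
    return "\n".join(out)


if __name__ == "__main__":
    # Redirect the saved ASA output on stdin; with no input, run on the constructed sample.
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE))
```

Run it as "python3 dup_sa.py < show_crypto_ipsec_sa.txt" against a saved copy of the full command output (the pager "<--- More --->" lines and the extra counters are ignored). On the sample it reports one selector pair with 2 SAs and diagnosis=split, because the 10846260 encaps are on conn_id 74665984 while the 19898 decaps are on conn_id 82362368.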

3 Replies

Asymmetric routing here;
the path from A->B is different than the path from B->A.

Hi,

There is no asymmetric routing, there is only a single path.

Do you use VTI or a crypto map?