Encaps and decaps in different tunnels.

patrikdellhem
Level 1

Hi.

I've seen a strange error occur multiple times the past week, but I can't figure out why this happens.

The customer reports a VPN as down. With "sh ipsec sa peer" I see the tunnel as up and there are encaps, but no decaps. If I scroll down there's a second identical tunnel, with decaps, but no encaps. A simple "clear ipsec sa peer" fixes the issue, but I'm trying to figure out the root cause.

Does anyone have a clue of why this happens?

4 Replies

Marcin Latosiewicz
Cisco Employee

To be honest, it could be a number of things.

You can see multiple SAs (with the same parameters) in a couple of normal scenarios, including rekey of the IPsec SA.

The problem you're describing could be triggered after a couple of rekeys (for example).

What platform are you dealing with?

Thanks for your reply.

SAs that separate encaps and decaps can't be normal?

"What platform are you dealing with?"
- Do you mean the vendor on the other side? I'm not sure, but I'll check that out.

Once you have a new IPsec SA there's no good reason not to start using the new one, but should the remote end still use the old SPIs, you can still decrypt using the old SAs (until they're deleted).
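The condition described in this thread (one SA entry for a peer carrying only encaps, a second identical entry carrying only decaps) can be checked for programmatically rather than by scrolling through the output. The following is an added example, not code from this thread or from Cisco: a small Python parser over constructed `show crypto ipsec sa` output that groups SA entries by peer and flags any peer whose traffic is split between an encaps-only entry and a decaps-only entry. The sample output, the peer address and the SPI values are constructed for illustration and are not taken from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of "show crypto ipsec sa" output (not real device output).
# Two SA entries exist for the same peer: the first only encapsulates,
# the second only decapsulates, which is the symptom described in the thread.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 15320, #pkts encrypt: 15320, #pkts digest: 15320
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.1
     current outbound spi: 0x2B9A8F1C(731680540)

     inbound esp sas:
      spi: 0x3D4E5F60(1028546400)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x2B9A8F1C(731680540)
        Status: ACTIVE(ACTIVE)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 14877, #pkts decrypt: 14877, #pkts verify: 14877
     local crypto endpt.: 192.0.2.1, remote crypto endpt.: 198.51.100.1
     current outbound spi: 0x11223344(287454020)

     inbound esp sas:
      spi: 0x55667788(1432778632)
        Status: ACTIVE(ACTIVE)

     outbound esp sas:
      spi: 0x11223344(287454020)
        Status: ACTIVE(ACTIVE)
"""

PEER_RE = re.compile(r"^\s*current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
# Matches the per-SA "spi: 0x...." lines but not "current outbound spi: ..."
SPI_RE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")


def parse_ipsec_sa(text):
    """Return one dict per SA entry (each block that starts with current_peer)."""
    entries = []
    cur = None
    direction = None  # which SPI list the next "spi:" line belongs to
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            cur = {"peer": m.group(1), "encaps": 0, "decaps": 0,
                   "inbound_spi": [], "outbound_spi": []}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue  # header lines before the first entry
        m = ENCAPS_RE.search(line)
        if m:
            cur["encaps"] = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m:
            cur["decaps"] = int(m.group(1))
            continue
        stripped = line.strip()
        if stripped.startswith("inbound esp sas"):
            direction = "inbound_spi"
            continue
        if stripped.startswith("outbound esp sas"):
            direction = "outbound_spi"
            continue
        m = SPI_RE.match(line)
        if m and direction:
            cur[direction].append(m.group(1).lower())
    return entries


def find_split_sas(entries):
    """Group entries by peer and report peers whose traffic is split between
    an entry that only encapsulates and another that only decapsulates."""
    by_peer = defaultdict(list)
    for e in entries:
        by_peer[e["peer"]].append(e)
    findings = {}
    for peer, sas in by_peer.items():
        tx_only = [s for s in sas if s["encaps"] > 0 and s["decaps"] == 0]
        rx_only = [s for s in sas if s["decaps"] > 0 and s["encaps"] == 0]
        if tx_only and rx_only:
            findings[peer] = {
                "tx_only_outbound_spi": [spi for s in tx_only for spi in s["outbound_spi"]],
                "rx_only_inbound_spi": [spi for s in rx_only for spi in s["inbound_spi"]],
            }
    return findings


if __name__ == "__main__":
    for peer, info in find_split_sas(parse_ipsec_sa(SAMPLE_OUTPUT)).items():
        print(f"{peer}: encaps only on outbound SPI {info['tx_only_outbound_spi']}, "
              f"decaps only on inbound SPI {info['rx_only_inbound_spi']}")
```

A peer that shows up in the findings once, shortly after a rekey, is the normal overlap described above (the old SA still decrypting until it is deleted), so a monitoring job should alert only when the split persists across several polls or beyond the old SA's remaining key lifetime. Recording the SPIs on each side of the split is what lets you match the entries against the later debug output when chasing the root cause.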

I meant local and remote vendor/platform ;]

In general I'd say someone needs to have a look at debugs and outputs. On Cisco IOS it would be:

(debug crypto condition ipv[4|6] ...)

- debug crypto isa

- debug crypto ipsec

- debug crypto kmi

I have the same problem in my environment, with respect to ASR 1K and 39K model routers.