08-18-2015 04:53 AM
Hi.
I've seen a strange error occur multiple times the past week, but I can't figure out why this happens.
The customer reports a VPN as down. With "sh ipsec sa peer" I see the tunnel as up and there are encaps, but no decaps. If I scroll down there's a second identical tunnel, with decaps, but no encaps. A simple "clear ipsec sa peer" fixes the issue, but I'm trying to figure out the root cause.
Does anyone have a clue of why this happens?
08-18-2015 05:41 AM
To be honest it could be a number of things.
You can see multiple SAs (with same parameters) in a couple of normal scenarios - including rekey of IPsec SA.
The problem you're describing could be triggered after a couple of rekeys (for example).
What platform are you dealing with?
08-18-2015 05:57 AM
Thanks for your reply.
SAs that separate encaps and decaps can't be normal?
"What platform are you dealing with?"
- Do you mean the vendor on the other side? I'm not sure, but I'll check that out.
08-19-2015 08:51 AM
Once you have new IPsec SA there's no good reason not to start using the new ones, but should remote end still use old SPIs you can still decrypt using old SAs (until it's deleted).
I meant local and remote vendor/platform ;]
In general I'd say someone needs to have a look at debugs and outputs; on Cisco IOS it would be:
(debug crypto condition ipv[4|6] ...)
- debug crypto isa
- debug crypto ipsec
- debug crypto kmi
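One way to spot the symptom from the first post (two SAs to the same peer, one with encaps only and one with decaps only) before clearing anything is to parse the show output and flag peers whose SAs split the directions. The script below is an added example, not from anyone in this thread; the sample text is constructed and only approximates the "show crypto ipsec sa" line layout (current_peer, #pkts encaps, #pkts decaps), so adjust the patterns to your platform's real output.

```python
import re
from collections import defaultdict

# Constructed sample shaped after "show crypto ipsec sa" output (layout
# approximated, not copied from a device): two SAs to the same peer,
# one only encapsulating and the other only decapsulating.
SAMPLE = """\
interface: GigabitEthernet0/0
   Crypto map tag: CMAP, local addr 192.0.2.1
   current_peer 198.51.100.7 port 500
    #pkts encaps: 5120, #pkts encrypt: 5120, #pkts digest: 5120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.7 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 4980, #pkts decrypt: 4980, #pkts verify: 4980
"""

PEER_RE = re.compile(r"current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")

def parse_sas(text):
    """Return a list of (peer, encaps, decaps) tuples, one per SA entry."""
    sas, peer, encaps = [], None, None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:                      # a new SA entry starts at its peer line
            peer = m.group(1)
            continue
        m = ENCAPS_RE.search(line)
        if m:
            encaps = int(m.group(1))
            continue
        m = DECAPS_RE.search(line)
        if m and peer is not None and encaps is not None:
            sas.append((peer, encaps, int(m.group(1))))
            encaps = None          # wait for the next entry's counters
    return sas

def split_direction_peers(sas):
    """Peers with more than one SA where no single SA carries both
    encaps and decaps. A normal rekey keeps the old SA's counters
    intact, so one SA with both directions means no alarm."""
    by_peer = defaultdict(list)
    for peer, enc, dec in sas:
        by_peer[peer].append((enc, dec))
    return sorted(p for p, lst in by_peer.items()
                  if len(lst) > 1 and not any(e > 0 and d > 0 for e, d in lst))

print(split_direction_peers(parse_sas(SAMPLE)))  # prints ['198.51.100.7']
```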