11-07-2017 12:55 PM - edited 03-12-2019 04:43 AM
We have 2 tunnels set up between the customer and us. We are trying to have a GRE-IPsec tunnel between us (Primary & Secondary). We have the tunnels up and active; when I do a "sh crypto session", "sh crypto isakmp sa" shows no errors.
In the "show crypto session" command output the no. of Active SAs keeps on increasing every few seconds or minutes. I tried "clear crypto sa" and also used the spi-recovery command, but it did not help. Can you please share some insight on why this is happening and how we troubleshoot it? Thanks!
11-07-2017 08:35 PM
11-08-2017 08:06 AM
Both the IPs on my side are loopbacks (192.168.50.1 & 192.168.50.5).
I ran both debugs and got the following errors:
sh crypto session
Interface: Tunnel12
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.10.1 port 500
  Session ID: 0
  IKEv1 SA: local 192.168.50.1/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit 47 host 192.168.50.1 host 192.168.10.1
        Active SAs: 10, origin: crypto map
Interface: Tunnel13
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.20.1 port 500
  Session ID: 0
  IKEv1 SA: local 192.168.50.5/500 remote 192.168.20.1/500 Active
  IPSEC FLOW: permit 47 host 192.168.50.5 host 192.168.20.1
        Active SAs: 8, origin: crypto map

sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.10.1    192.168.50.1    QM_IDLE         151063 ACTIVE S1-ISAKMP
192.168.20.1    192.168.50.5    QM_IDLE         151064 ACTIVE S1-ISAKMP
Config:
crypto keyring S1
 pre-shared-key address 192.168.10.1 key happy-eddie
crypto isakmp key spoAZIu address 192.168.10.1
crypto isakmp key spoAZIu address 192.168.20.1
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile S1-ISAKMP
 keyring S1
 match identity address 192.168.10.1 255.255.255.255
 match identity address 192.168.20.1 255.255.255.255
crypto ipsec transform-set S1-TSET esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile S1-IPSEC
 set transform-set S1-TSET
 set isakmp-profile S1-ISAKMP
interface Tunnelxx
 ip vrf forwarding sort
 ip address <ip add of the tunnel> <subnet mask>
 ip tcp adjust-mss 1360
 tunnel source <ip add>
 tunnel destination <ip add>
 tunnel protection ipsec profile S1-IPSEC
 crypto engine slot 3/0 inside

Thank you for your response; let me know in case additional information is required.
11-08-2017 04:04 PM
11-15-2017 10:37 AM
Hi Francesco,
I am really sorry to reply this late. We debugged a few things on our device, which is a Cisco 7609, and found out that the interface for the outgoing traffic did not have the encryption module enabled on it. We enabled it on the interface and it is working fine now with 2 Active SAs. I am not sure whether this was the root issue or this is the solution for the problem, but it did solve the issue in our case.
Also, regarding the missing one-end router config (it was the customer's, so I could not get that), and for the password: only the keyring is used (noted this) and aligned the required password. Thanks for the help, Francesco.
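Two things in this thread are easy to check mechanically: the config posted above names a keyring in the ISAKMP profile but that keyring only carries one of the two peers the profile matches (once a profile names a keyring, the global "crypto isakmp key" entries are not consulted for those peers, which is the "only keyring is used" point in the last reply), and the "Active SAs" count in "show crypto session" should sit at 2 per IPSEC FLOW (one inbound plus one outbound ESP SA), rising to 4 only briefly during a rekey. The script below is an added example, not code from the thread or from Cisco: it lints the posted config for profile peers missing from the keyring and compares two "show crypto session" samples for SA growth. The first sample is the output as posted; the second sample, the "healthy" sample and the exact indentation of the config text are constructed here.

```python
"""Check the two failure modes discussed in the thread (added example, not from the thread):
  1. a peer matched by an ISAKMP profile but absent from the keyring that profile names;
  2. an 'Active SAs' count that grows between 'show crypto session' samples
     (steady state is 2 per IPSEC FLOW: one inbound + one outbound ESP SA; 4 briefly during rekey).
"""
import re

# Constructed from the posted config: keyring S1 carries one peer, the profile matches two.
SAMPLE_CONFIG = """\
crypto keyring S1
 pre-shared-key address 192.168.10.1 key happy-eddie
crypto isakmp key spoAZIu address 192.168.10.1
crypto isakmp key spoAZIu address 192.168.20.1
crypto isakmp policy 100
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp profile S1-ISAKMP
 keyring S1
 match identity address 192.168.10.1 255.255.255.255
 match identity address 192.168.20.1 255.255.255.255
"""

# Constructed from the posted 'show crypto session' output (first sample).
SAMPLE_SESSION_T0 = """\
Interface: Tunnel12
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.10.1 port 500
  Session ID: 0
  IKEv1 SA: local 192.168.50.1/500 remote 192.168.10.1/500 Active
  IPSEC FLOW: permit 47 host 192.168.50.1 host 192.168.10.1
        Active SAs: 10, origin: crypto map
Interface: Tunnel13
Profile: S1-ISAKMP
Session status: UP-ACTIVE
Peer: 192.168.20.1 port 500
  Session ID: 0
  IKEv1 SA: local 192.168.50.5/500 remote 192.168.20.1/500 Active
  IPSEC FLOW: permit 47 host 192.168.50.5 host 192.168.20.1
        Active SAs: 8, origin: crypto map
"""
# Constructed (invented) later sample: both counts have crept up further.
SAMPLE_SESSION_T1 = SAMPLE_SESSION_T0.replace("Active SAs: 10,", "Active SAs: 14,").replace("Active SAs: 8,", "Active SAs: 12,")
# Constructed healthy sample: one SA pair per flow, as reported after the fix.
SAMPLE_SESSION_OK = SAMPLE_SESSION_T0.replace("Active SAs: 10,", "Active SAs: 2,").replace("Active SAs: 8,", "Active SAs: 2,")

# Top-level IOS statements end the current keyring/profile block. The thread's paste is flat,
# so nesting is inferred from keywords rather than indentation.
TOP_LEVEL = re.compile(r"^(crypto |interface |ip |!)")


def parse_keyrings(config):
    """{keyring_name: {peer_address, ...}} from 'crypto keyring' blocks."""
    rings, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto keyring (\S+)", line)
        if m:
            current = m.group(1)
            rings[current] = set()
            continue
        if TOP_LEVEL.match(line):
            current = None
            continue
        m = re.match(r"pre-shared-key address (\S+)", line)
        if m and current:
            rings[current].add(m.group(1))
    return rings


def parse_global_keys(config):
    """Peer addresses that have a global 'crypto isakmp key ... address X' entry."""
    return {m.group(1) for m in re.finditer(r"^crypto isakmp key (?:\d )?\S+ address (\S+)", config, re.M)}


def parse_isakmp_profiles(config):
    """{profile: {'keyring': name or None, 'peers': {addr, ...}}} from 'match identity address' lines.
    Only the address part of each match is recorded; non-/32 masks are treated as the address given."""
    profiles, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"crypto isakmp profile (\S+)", line)
        if m:
            current = m.group(1)
            profiles[current] = {"keyring": None, "peers": set()}
            continue
        if TOP_LEVEL.match(line):
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"keyring (\S+)", line)
        if m:
            profiles[current]["keyring"] = m.group(1)
        m = re.match(r"match identity address (\S+)", line)
        if m:
            profiles[current]["peers"].add(m.group(1))
    return profiles


def peers_missing_from_keyring(config):
    """[(profile, peer, has_global_key)] for peers a profile matches but its keyring lacks.
    has_global_key flags the common trap: a global key exists but is not used once the profile names a keyring."""
    rings, global_keys, out = parse_keyrings(config), parse_global_keys(config), []
    for name, prof in sorted(parse_isakmp_profiles(config).items()):
        if prof["keyring"] is None:
            continue  # no keyring on the profile: global keys apply, nothing to check
        known = rings.get(prof["keyring"], set())
        out.extend((name, p, p in global_keys) for p in sorted(prof["peers"]) if p not in known)
    return out


def parse_crypto_session(text):
    """{interface: {'peer', 'status', 'active_sas'}}; 'Active SAs' is summed over the IPSEC FLOW lines."""
    sessions, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Interface: (\S+)", line)
        if m:
            current = m.group(1)
            sessions[current] = {"peer": None, "status": None, "active_sas": 0}
            continue
        if current is None:
            continue
        for key, pat in (("status", r"Session status: (\S+)"), ("peer", r"Peer: (\S+) port")):
            m = re.match(pat, line)
            if m:
                sessions[current][key] = m.group(1)
        m = re.match(r"Active SAs: (\d+)", line)
        if m:
            sessions[current]["active_sas"] += int(m.group(1))
    return sessions


def flag_sa_growth(before, after, max_expected=4):
    """[(interface, previous_count, current_count)] where the count grew or exceeds max_expected."""
    findings = []
    for tun, cur in after.items():
        prev, now = before.get(tun, {}).get("active_sas"), cur["active_sas"]
        if now > max_expected or (prev is not None and now > prev):
            findings.append((tun, prev, now))
    return findings


if __name__ == "__main__":
    for prof, peer, has_global in peers_missing_from_keyring(SAMPLE_CONFIG):
        note = " (global 'crypto isakmp key' exists but is not consulted)" if has_global else ""
        print(f"{prof}: peer {peer} missing from keyring{note}")
    t0, t1 = parse_crypto_session(SAMPLE_SESSION_T0), parse_crypto_session(SAMPLE_SESSION_T1)
    for tun, prev, now in flag_sa_growth(t0, t1):
        print(f"{tun}: Active SAs {prev} -> {now}; expected 2 (4 during rekey)")
```

In practice the two session samples would come from the router a few minutes apart (for example via a show command run over SSH); a count that keeps rising rather than settling at 2 means new SA pairs are being negotiated while old ones are not torn down, which is the symptom the thread attributes to the outgoing interface not being bound to the crypto engine.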
11-15-2017 07:03 PM