02-02-2023 09:28 AM
Hi
What is the problem when all the IKEv2 VPNs are showing lots of #pkts invalid len (rcv) with sh crypto ipsec sa detail?
Crypto map tag: peerX, seq num: 100, local addr: 213.221.227.114
access-list S2S_VPN_JOKER_IT_AZURE extended permit ip 10.127.128.0 255.255.128.0 10.150.0.0 255.255.0.0
local ident (addr/mask/prot/port): (10.127.128.0/255.255.128.0/0/0)
remote ident (addr/mask/prot/port): (10.150.0.0/255.255.0.0/0/0)
current_peer: 20.203.173.193
#pkts encaps: 2134673, #pkts encrypt: 1484248, #pkts digest: 1484248
#pkts decaps: 3299401, #pkts decrypt: 2297239, #pkts verify: 2297239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2134673, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 483402912
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
#pkts invalid len (send): 0, #pkts invalid len (rcv): 0
#pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
#pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
#pkts failed (send): 0, #pkts failed (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
local crypto endpt.: 213.221.227.114/500, remote crypto endpt.: 20.203.173.193/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 257B4FE2
current inbound spi : 4617952F
inbound esp sas:
spi: 0x4617952F (1175950639)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 332, crypto-map: peerX
sa timing: remaining key lifetime (kB/sec): (91135452/1141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x257B4FE2 (628838370)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 332, crypto-map: peerX
sa timing: remaining key lifetime (kB/sec): (94207624/1141)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Regards
Peter
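Added example, not part of Peter's post or of the reply: a small Python script that pulls every "#label: value" counter out of the show crypto ipsec sa detail output quoted above and reports only the error-type counters that are non-zero, so the one suspicious number stands out from the rest of the dump. The embedded sample is the counter block from the question copied into a string (a constructed fixture, not a live capture); the list of substrings used to classify a counter as an error counter is an assumption of this example. Note that the ASA prints "#pkts invalid len (rcv)" twice, so the parser keeps duplicates in display order instead of collapsing labels into a dictionary, which would silently hide whichever copy is non-zero.

```python
import re
from typing import List, Tuple

# Constructed sample: the per-SA counter block quoted in the question above,
# trimmed to the "#..." counter lines. Not a live capture from any device.
SAMPLE_OUTPUT = """\
#pkts encaps: 2134673, #pkts encrypt: 1484248, #pkts digest: 1484248
#pkts decaps: 3299401, #pkts decrypt: 2297239, #pkts verify: 2297239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 2134673, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#pkts no sa (send): 0, #pkts invalid sa (rcv): 0
#pkts encaps failed (send): 0, #pkts decaps failed (rcv): 0
#pkts invalid prot (rcv): 0, #pkts verify failed: 0
#pkts invalid identity (rcv): 0, #pkts invalid len (rcv): 483402912
#pkts invalid pad (rcv): 0,
#pkts invalid ip version (send): 0, #pkts invalid ip version (rcv): 0
#pkts invalid len (send): 0, #pkts invalid len (rcv): 0
#pkts invalid ctx (send): 0, #pkts invalid ctx (rcv): 0
#pkts invalid ifc (send): 0, #pkts invalid ifc (rcv): 0
#pkts failed (send): 0, #pkts failed (rcv): 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv): 0
#pkts replay failed (rcv): 0
#pkts min mtu frag failed (send): 0, #pkts bad frag offset (rcv): 0
#pkts internal err (send): 0, #pkts internal err (rcv): 0
"""

# A counter is "#<label>: <integer>". Labels never contain ':' or ',', so the
# same pattern also splits the comma-separated counters that share one line.
COUNTER_RE = re.compile(r"#([^:#,]+):\s*(\d+)")

# Assumed classification: a counter whose label contains one of these substrings
# is treated as an error/drop counter rather than a throughput counter.
# "Valid ICMP Errors rcvd" intentionally does not match.
ERROR_MARKERS = ("invalid", "failed", "failure", "internal err",
                 "no sa", "replay", "bad frag")


def parse_counters(text: str) -> List[Tuple[str, int]]:
    """Return (label, value) pairs in display order, duplicates included."""
    return [(m.group(1).strip(), int(m.group(2))) for m in COUNTER_RE.finditer(text)]


def nonzero_errors(counters: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Keep only error-type counters whose value is above zero."""
    return [
        (label, value)
        for label, value in counters
        if value > 0 and any(marker in label.lower() for marker in ERROR_MARKERS)
    ]


def first_value(counters: List[Tuple[str, int]], label: str) -> int:
    """Value of the first counter carrying exactly this label (0 if absent)."""
    for lbl, value in counters:
        if lbl == label:
            return value
    return 0


def rcv_error_ratio(counters: List[Tuple[str, int]]) -> float:
    """Non-zero receive-side error counters summed, divided by packets decapsulated.

    A ratio above 1.0 means more receive-side drops were counted than packets
    were decapsulated on the SA, which is itself a finding to chase.
    """
    decaps = first_value(counters, "pkts decaps")
    if decaps == 0:
        return 0.0
    rcv_errors = sum(v for lbl, v in nonzero_errors(counters) if "(rcv)" in lbl)
    return rcv_errors / decaps


if __name__ == "__main__":
    parsed = parse_counters(SAMPLE_OUTPUT)
    for label, value in nonzero_errors(parsed):
        print(f"non-zero error counter: {label} = {value}")
    print(f"rcv error/decaps ratio: {rcv_error_ratio(parsed):.2f}")
```

Run it against a fresh copy of the output before and after changing the DF-bit setting; diffing the two lists of non-zero error counters, together with the #pre-frag and #PMTUs lines, shows whether the change actually moved the counter or whether it only keeps climbing.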
02-02-2023 09:41 AM - edited 02-02-2023 10:42 AM
crypto ipsec df-bit [clear | set | copy] <<- try adding this command and check the count
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dplane/configuration/zZ-Archive/DF_Bit_Override_Functionality_with_IPsec_Tunnels.html