11-22-2017 01:37 AM - edited 03-12-2019 04:45 AM
Hi guys, how are you? Hope you're fine. I'm struggling a little bit with some IPsec tunnels that we have. The problem is the one that follows: we have a set of roughly 300 devices that connect to an ASR1002 via IPsec tunnels (the devices are One Access routers; it is not a Cisco-only environment). Tunnel concentrator characteristics below:
cisco ASR1002-X (2RU-X) processor (revision 2KP) with 3751430K/6147K bytes of memory.
6 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
8388608K bytes of physical memory.
6684671K bytes of eUSB flash at bootflash:.
Thing is that we are experiencing IPsec tunnel flapping, like 7 or 8 times during the day. I came across the command in the title a day ago and I could see the following output (IPs are hidden for security purposes):
CVPN1.DC1#show crypto ipsec sa peer X.X.X.X platform

interface: Virtual-Access265
    Crypto map tag: Virtual-AccessXXX-head-0, local addr 84.246.218.7

   protected vrf: 085087
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer X.X.X.X port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 512454, #pkts encrypt: 512454, #pkts digest: 512454
    #pkts decaps: 568985, #pkts decrypt: 568985, #pkts verify: 568985
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 84.246.218.7, remote crypto endpt.: 37.70.175.166
     plaintext mtu 1406, path mtu 1476, ip mtu 1476, ip mtu idb GigabitEthernet0/0/0
     current outbound spi: 0xC83D42A1(3359457953)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x95979B26(2509740838)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 36715, flow_id: HW:34715, sibling_flags FFFFFFFF80000048, crypto map: Virtual-AccessXXX-head-0
        sa timing: remaining key lifetime (k/sec): (4228950/1961)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC83D42A1(3359457953)
        transform: esp-256-aes esp-sha256-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 36716, flow_id: HW:34716, sibling_flags FFFFFFFF80000048, crypto map: Virtual-AccessXXX-head-0
        sa timing: remaining key lifetime (k/sec): (4429035/1961)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

------------------ show platform software ipsec fp active flow identifier 34715 ------------------

===========
Flow id: 34715
   mode: tunnel
   direction: inbound
   protocol: esp
   SPI: 0x95979b26
   local IP addr: X.X.X.X
   remote IP addr: X.X.X.X
   crypto device id: 0
   crypto map id: 35244
   SPD id: 4186
   QFP SPD id: 1032
   ACE line number: 1
   QFP SA handle: 1297
   IOS XE interface id: 5619
   interface name: Virtual-AccessXXX
   Crypto SA ctx id: 0x000000002d804bc4
   cipher: AES-256
   auth: SHA256
   initial seq.number: 0
   timeout, mins: 0
   flags: exp time;exp traffic;NAT-T;
   Time limits
     soft limit(sec): 3407
     hard limit(sec): 3467
   Traffic limits
     soft limit(kb): 4008960
     hard limit(kb): 4608000
   -- NAT-T
     local UDP port: 4500
     remote UDP port: 4500
   inline_tagging: DISABLED
   anti-replay window: 64
   SPI Selector:
     remote addr low: 0.0.0.0
     remote addr high: 0.0.0.0
     local addr low: X.X.X.X
     local addr high: X.X.X.X
   Classifier: range
     src IP addr low: 0.0.0.0
     src IP addr high: 255.255.255.255
     dst IP addr low: 0.0.0.0
     dst IP addr high: 255.255.255.255
     src port low: 0
     src port high: 65535
     dst port low: 0
     dst port high: 65535
     protocol low: 0
     protocol high: 255
   -------------
   Statistics
     octets(delta): 0
     total octets(delta): 4330445287
     packets(delta): 0
     dropped packets(delta): 0
     replay drops(delta): 0
     auth packets(delta): 0
     auth fails(delta): 0
     encrypted packets(delta): 0
     encrypt fails(delta): 0
   ----------
   End statistics
   object state: active
   ---------------
   AOM
     cpp aom id: 33820417
     cgm aom id: 0
     n2 aom id: 33820414
     if aom id: 0

------------------ show platform hardware qfp active feature ipsec sa 1297 ------------------

QFP ipsec sa Information

  QFP sa id: 1297
  pal sa id: 34715
  QFP spd id: 1032
  QFP sp id: 1292
  QFP spi: 0x95979b26(2147483647)
  crypto ctx: 0x000000002d804bc4
  flags: 0xcc00800
  (Details below)
  : src:IKE valid:True soft-life-expired:False hard-life-expired:False
  : replay-check:True proto:0 mode:3 direction:0
  : qos_preclassify:False qos_group:False
  : frag_type:BEFORE_ENCRYPT df_bit_type:COPY
  : sar_enable:False getvpn_mode:SNDRCV_SA
  : doing_translation:False assigned_outside_rport:False
  : inline_tagging_enabled:False
  qos_group: 0x0
  mtu: 0x0=0
  mtu_adj: 0x0=0
  sar_delta: 0
  sar_window: 0x0
  sibling_sa: 0x0
  sp_ptr: 0x4935a540
  sbs_ptr: 0x52c0ebc0
  local endpoint: X.X.X.X/32
  remote endpoint: X.X.X.X/32
  cgid.cid.fid.rid: 0.0.0.0
  ivrf: 2403
  fvrf: 2403
  trans udp sport: 0
  trans udp dport: 0
  first intf name: Virtual-AccessXXX
  Statistics:
    pkts: 570
    bytes: 0x564e8
    pkt internal err: 0
    pkt soft expiry: 0
    pkt hard expiry: 0
    pkt replay dropped: 0
    seq number: 0x0
    pkt policy failed: 0
    pkt authen failed: 0
    crypto failed: 0
    pkt decap encap: 570
    bytes decap encap: 0x4bfb2
    pkt dropped after crypto: 0
    no attempt dropped: 0

------------------ show platform software ipsec fp active encryption-processor 0 context 2d804bc4 ------------------

=======
Context id: 0x004bc4
  ULAM: 0x000005
  LBM: 0x000016
  max context length: 32
  fetch size: 20
  SA push size: 15
  SA word 0: 0x000000fc949b23
  action bits: 0x001f92
  direction: inbound
  mode: tunnel
  protocol: esp
  authentication: SHA-256
  confidentiality: AES-256
  outer header: IPv4
  inner header: IPv4
  udp encap: true
  Anti-replay enabled: true
  Anti-replay parameters:
    window size: 64
    window base(ESN): 569185
  traffic hard limit: 4325717712
  traffic soft limit: 3712300752
  byte count: 388313097
  packet count: 569163

------------------ show platform software ipsec fp active flow identifier 34716 ------------------

===========
Flow id: 34716
   mode: tunnel
   direction: outbound
   protocol: esp
   SPI: 0xc83d42a1
   local IP addr: X.X.X.X
   remote IP addr: X.X.X.X
   crypto device id: 0
   crypto map id: 35244
   SPD id: 4186
   QFP SPD id: 1032
   ACE line number: 1
   QFP SA handle: 1301
   IOS XE interface id: 5619
   interface name: Virtual-AccessXXX
   use path MTU: 1476
   Crypto SA ctx id: 0x000000002d404bc3
   cipher: AES-256
   auth: SHA256
   initial seq.number: 0
   timeout, mins: 0
   flags: exp time;exp traffic;NAT-T;
   Time limits
     soft limit(sec): 3407
     hard limit(sec): 3467
   Traffic limits
     soft limit(kb): 4008960
     hard limit(kb): 4608000
   -- NAT-T
     local UDP port: 4500
     remote UDP port: 4500
   inline_tagging: DISABLED
   Classifier: range
     src IP addr low: 0.0.0.0
     src IP addr high: 255.255.255.255
     dst IP addr low: 0.0.0.0
     dst IP addr high: 255.255.255.255
     src port low: 0
     src port high: 65535
     dst port low: 0
     dst port high: 65535
     protocol low: 0
     protocol high: 255
   -------------
   Statistics
     octets(delta): 0
     total octets(delta): 4535332500
     packets(delta): 0
     dropped packets(delta): 0
     replay drops(delta): 0
     auth packets(delta): 0
     auth fails(delta): 0
     encrypted packets(delta): 0
     encrypt fails(delta): 0
   ----------
   End statistics
   object state: active
   object bind state: active
   ---------------
   AOM
     cpp aom id: 33820422
     cgm aom id: 33820421
     n2 aom id: 33820418
     if aom id: 0

------------------ show platform hardware qfp active feature ipsec sa 1301 ------------------

QFP ipsec sa Information

  QFP sa id: 1301
  pal sa id: 34716
  QFP spd id: 1032
  QFP sp id: 1292
  QFP spi: 0xc83d42a1(2147483647)
  crypto ctx: 0x000000002d404bc3
  flags: 0x4e40000
  (Details below)
  : src:IKE valid:True soft-life-expired:False hard-life-expired:False
  : replay-check:False proto:0 mode:3 direction:1
  : qos_preclassify:False qos_group:False
  : frag_type:AFTER_ENCRYPT df_bit_type:COPY
  : sar_enable:False getvpn_mode:SNDRCV_SA
  : doing_translation:False assigned_outside_rport:False
  : inline_tagging_enabled:False
  qos_group: 0x0
  mtu: 0x57e=1406
  mtu_adj: 0x568=1384
  sar_delta: 0
  sar_window: 0x0
  sibling_sa: 0x0
  sp_ptr: 0x4935a540
  sbs_ptr: 0x52b7f3c0
  local endpoint: X.X.X.X/32
  remote endpoint: X.X.X.X/32
  cgid.cid.fid.rid: 4186.35244.35244.2275147777
  ivrf: 2403
  fvrf: 2403
  trans udp sport: 0
  trans udp dport: 0
  first intf name: Virtual-AccessXXX
  Statistics:
    pkts: 638
    bytes: 0xc65d
    pkt internal err: 0
    pkt soft expiry: 0
    pkt hard expiry: 0
    pkt replay dropped: 0
    seq number: 0x0
    pkt policy failed: 0
    pkt authen failed: 0
    crypto failed: 0
    pkt decap encap: 638
    bytes decap encap: 0x18058
    pkt dropped after crypto: 0
    no attempt dropped: 0

------------------ show platform software ipsec fp active encryption-processor 0 context 2d404bc3 ------------------

=======
Context id: 0x004bc3
  ULAM: 0x000005
  LBM: 0x000015
  max context length: 32
  fetch size: 22
  SA push size: 17
  SA word 0: 0x57e04e0fd249b21
  action bits: 0x001fa4
  direction: outbound
  mode: tunnel
  protocol: esp
  authentication: SHA-256
  confidentiality: AES-256
  outer header: IPv4
  inner header: IPv4
  udp encap: true
  mfs: 1406
  seq number reuse: false
  sequence number: 512735
  traffic hard limit: 4532515374
  traffic soft limit: 3919098414
  byte count: 183279251
  packet count: 512735
If you look at the last lines, I think there's a problem with the IPsec traffic limit (lines in red). It seems we are reaching the limits there and the tunnel is coming down. Thing is that I'm not sure about that and I can't find any doc regarding that command and the meaning of its output. So I have the following questions...
1 - Can anyone confirm my thoughts? Has anyone dealt with a problem like this one before?
2 - Does anyone have sites, docs or any source where I can check the meaning of the output I've sent?
3 - If tunnel traffic reaches the limit (if there's a limit configured), does the concentrator bring the tunnel down, losing traffic and connections, or does it bring another tunnel up seamlessly without interrupting the service?
Any information regarding this will be appreciated. Thanks in advance for your help, guys.
Regards,
Luis
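Added example (editor's code, not from the original post and not a Cisco tool): a small Python triage script that parses the counters quoted in the post above and reports how far each SA is from the soft and hard lifetimes that the same output prints, so the "are we hitting the traffic limit" hypothesis can be checked against numbers rather than by eye. It assumes that within each section the counter and its limits share a unit (kb against kb in the flow section, bytes against bytes in the encryption-processor section) and that the `remaining key lifetime (k/sec)` counter counts down from the hard limit; both assumptions are marked in the code. The sample text is constructed from the post's own figures with addresses redacted.

```python
"""Lifetime-budget triage for an IPsec SA pair from pasted IOS XE output.

Added example, not taken from the post or from Cisco. It reads the text of
'show crypto ipsec sa peer <ip> platform' (which embeds the 'flow identifier'
and 'encryption-processor' sections) and reports, per SA and per counter,
how much of the soft and hard lifetime has been consumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: only the lines this script looks at, carrying the
# numbers the post shows for the inbound (0x95979B26) and outbound
# (0xC83D42A1) SAs.
SAMPLE = """\
     inbound esp sas:
      spi: 0x95979B26(2509740838)
        sa timing: remaining key lifetime (k/sec): (4228950/1961)
     outbound esp sas:
      spi: 0xC83D42A1(3359457953)
        sa timing: remaining key lifetime (k/sec): (4429035/1961)
Flow id: 34715
   direction: inbound
   Time limits
     soft limit(sec): 3407
     hard limit(sec): 3467
   Traffic limits
     soft limit(kb): 4008960
     hard limit(kb): 4608000
Context id: 0x004bc4
  direction: inbound
  traffic hard limit: 4325717712
  traffic soft limit: 3712300752
  byte count: 388313097
Context id: 0x004bc3
  direction: outbound
  traffic hard limit: 4532515374
  traffic soft limit: 3919098414
  byte count: 183279251
"""


@dataclass
class SaBudget:
    """Consumption of one lifetime counter against its soft and hard limits."""
    label: str
    used: int
    soft: int
    hard: int

    @property
    def fraction_of_hard(self) -> float:
        return self.used / self.hard

    def status(self) -> str:
        # Standard IPsec/IKE behaviour: the soft limit is where a replacement
        # SA should be negotiated, the hard limit is where the old SA dies.
        if self.used >= self.hard:
            return "HARD LIMIT REACHED"
        if self.used >= self.soft:
            return "past soft limit: rekey should be in progress"
        return "ok"


def _int_after(pattern: str, text: str) -> int:
    """Return the integer that follows `pattern` in `text`, or raise."""
    m = re.search(pattern + r"\s*(\d+)", text)
    if m is None:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


# An ESP SA block: an 'spi:' line at line start, then its 'sa timing' line.
# Anchoring at line start skips the 'current outbound spi:' summary line.
_SA_RE = re.compile(
    r"^\s*spi:\s*(0x[0-9A-Fa-f]+).*?remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)",
    re.S | re.M,
)


def parse_lifetime_budgets(text: str) -> list[SaBudget]:
    """Budgets from 'remaining key lifetime (k/sec)' lines, using the
    soft/hard limits printed in the flow identifier section.
    Assumption: the remaining counters count down from the hard limits."""
    hard_kb = _int_after(r"hard limit\(kb\):", text)
    soft_kb = _int_after(r"soft limit\(kb\):", text)
    hard_sec = _int_after(r"hard limit\(sec\):", text)
    soft_sec = _int_after(r"soft limit\(sec\):", text)
    budgets: list[SaBudget] = []
    for spi, rem_kb, rem_sec in _SA_RE.findall(text):
        budgets.append(SaBudget(f"{spi} kb", hard_kb - int(rem_kb), soft_kb, hard_kb))
        budgets.append(SaBudget(f"{spi} sec", hard_sec - int(rem_sec), soft_sec, hard_sec))
    return budgets


def parse_encryption_processor(text: str) -> list[SaBudget]:
    """One budget per 'Context id:' block: byte count against the traffic
    soft/hard limits of that block (assumed to be in the same unit)."""
    budgets: list[SaBudget] = []
    for chunk in text.split("Context id:")[1:]:
        m = re.search(r"direction:\s*(inbound|outbound)", chunk)
        direction = m.group(1) if m else "unknown"
        budgets.append(SaBudget(
            f"{direction} bytes",
            _int_after(r"byte count:", chunk),
            _int_after(r"traffic soft limit:", chunk),
            _int_after(r"traffic hard limit:", chunk),
        ))
    return budgets


def report(text: str) -> list[tuple[str, float, str]]:
    """(label, fraction of hard limit used, status) for every counter found."""
    rows = parse_lifetime_budgets(text) + parse_encryption_processor(text)
    return [(b.label, round(b.fraction_of_hard, 4), b.status()) for b in rows]


if __name__ == "__main__":
    for label, frac, status in report(SAMPLE):
        print(f"{label:18s} {frac:8.2%}  {status}")
```

Run against the figures in the post, the byte counters come out at roughly 9% (inbound) and 4% (outbound) of their hard limits and the kb counters at about 8% and 4%, so this single snapshot does not by itself show a traffic lifetime being hit. The counters reset each time an SA is rekeyed, so the script is meant to be run repeatedly on fresh output (or fed several captures) across a flap, not once.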