IPSec for idents 0.0.0.0 ?

hrmilo
Level 1

Following the many samples to be found online for setting up Site-to-Site ISAKMP-IPSEC over VTI, I can perform a show crypto ipsec sa and get the output below. My question is why the second unused entry appears for the local/remote idents 0.0.0.0? I do not see this in the sample outputs of any online samples. And up until yesterday this tunnel was flapping every 60 seconds, I think due to this strange message that I cannot find reference to ANYWHERE online:

*May  4 14:54:58.447: [ACL automatic]: message = ACL for always up maps
*May  4 14:54:58.447: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

 

interface: Tunnel17
    Crypto map tag: Tunnel17-head-0, local addr xx.xx.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.15.0/255.255.248.0/0/0)
   current_peer yy.yy.yy.yy port 500
     PERMIT, flags={}
    #pkts encaps: 4500, #pkts encrypt: 4500, #pkts digest: 4500
    #pkts decaps: 4405, #pkts decrypt: 4405, #pkts verify: 4405
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x28126767(672294759)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC2DDBE7(3157122023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2451, flow_id: Onboard VPN:451, sibling_flags 80000040, crypto map: Tunnel17-head-0
        sa timing: remaining key lifetime (k/sec): (4178381/26507)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x28126767(672294759)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2452, flow_id: Onboard VPN:452, sibling_flags 80000040, crypto map: Tunnel17-head-0
        sa timing: remaining key lifetime (k/sec): (4180761/26507)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer yy.yy.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

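As an added example (not from the post above, and not Cisco code), a small Python parser for this show crypto ipsec sa layout: it splits the output into its per-ident entries, pulls out the flags, packet counters and installed ESP SAs, and isolates any wildcard 0.0.0.0/0.0.0.0 entry that has no SA behind it, which is the entry the poster is asking about. The embedded SAMPLE is a constructed, condensed copy of the output above with the endpoint addresses omitted.

```python
import re

# Constructed sample condensed from the post's output (placeholder endpoints).
SAMPLE = """\
interface: Tunnel17
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.15.0/255.255.248.0/0/0)
     PERMIT, flags={}
    #pkts encaps: 4500, #pkts encrypt: 4500, #pkts digest: 4500
    #pkts decaps: 4405, #pkts decrypt: 4405, #pkts verify: 4405
     inbound esp sas:
      spi: 0xBC2DDBE7(3157122023)
     outbound esp sas:
      spi: 0x28126767(672294759)
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     inbound esp sas:
     outbound esp sas:
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^)]*)\)")

def parse_sa_entries(text):
    """One dict per 'protected vrf' block of show crypto ipsec sa output."""
    entries = []
    for block in re.split(r"(?m)^\s*protected vrf:", text)[1:]:
        idents = dict(IDENT_RE.findall(block))
        flags = re.search(r"flags=\{([^}]*)\}", block)
        counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|decaps): (\d+)", block)}
        entries.append({
            "local": idents.get("local", ""),
            "remote": idents.get("remote", ""),
            "flags": [f for f in flags.group(1).split(",") if f] if flags else [],
            "encaps": counters.get("encaps", 0),
            "decaps": counters.get("decaps", 0),
            # spi lines under inbound/outbound esp sas; zero means no SA installed
            "esp_sas": len(re.findall(r"^\s*spi: 0x", block, re.M)),
        })
    return entries

def wildcard_entries(entries):
    """Entries whose local and remote idents are both 0.0.0.0/0.0.0.0 and that carry no ESP SA."""
    wild = "0.0.0.0/0.0.0.0/"
    return [e for e in entries if e["local"].startswith(wild)
            and e["remote"].startswith(wild) and e["esp_sas"] == 0]
```

Running parse_sa_entries over a periodic capture of the command output and comparing the esp_sas count and counters between runs gives a simple way to record when the real entry loses its SAs during a flap, rather than watching the console.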