Following the many samples found online for setting up site-to-site ISAKMP/IPsec over VTI, I can perform a show crypto ipsec sa and get the output below. My question is: why does the second, unused entry appear for the local/remote idents 0.0.0.0? I do not see this in the sample outputs of any of the online examples. And up until yesterday this tunnel was flapping every 60 seconds, I think due to this strange message that I cannot find a reference to ANYWHERE online:
*May 4 14:54:58.447: [ACL automatic]: message = ACL for always up maps
*May 4 14:54:58.447: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
interface: Tunnel17
    Crypto map tag: Tunnel17-head-0, local addr xx.xx.xx.xx

   protected vrf: (none)
   local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.15.0/255.255.248.0/0/0)
   current_peer yy.yy.yy.yy port 500
     PERMIT, flags={}
    #pkts encaps: 4500, #pkts encrypt: 4500, #pkts digest: 4500
    #pkts decaps: 4405, #pkts decrypt: 4405, #pkts verify: 4405
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x28126767(672294759)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xBC2DDBE7(3157122023)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2451, flow_id: Onboard VPN:451, sibling_flags 80000040, crypto map: Tunnel17-head-0
        sa timing: remaining key lifetime (k/sec): (4178381/26507)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x28126767(672294759)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2452, flow_id: Onboard VPN:452, sibling_flags 80000040, crypto map: Tunnel17-head-0
        sa timing: remaining key lifetime (k/sec): (4180761/26507)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer yy.yy.yy.yy port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xx.xx.xx.xx, remote crypto endpt.: yy.yy.yy.yy
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:
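The output in the question carries two per-identity entries under one crypto map: one with specific subnets that is passing traffic, and one with wildcard identities (0.0.0.0/0.0.0.0, the any/any proxy identity IOS uses for a VTI) that has no SAs at all. As an added example that is not part of the original post, the Python below parses this show crypto ipsec sa format into one record per identity, collects the counters and ESP SPIs, and labels each entry so the difference can be checked mechanically across repeated runs (for instance while a tunnel is flapping). It also pulls the retry interval out of the "delayed (60000 msec)" debug line. SAMPLE is a constructed, abbreviated copy of the output above with RFC 5737 documentation addresses in place of the masked xx/yy addresses; it is not a capture.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output and classify each identity entry.
Added example, not from the original post.  SAMPLE is a constructed, shortened
copy of the question's output; 192.0.2.1 / 198.51.100.1 stand in for the masked
local and peer addresses."""
import re
from typing import Dict, List, Optional

SAMPLE = """\
interface: Tunnel17
    Crypto map tag: Tunnel17-head-0, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.15.0/255.255.248.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={}
    #pkts encaps: 4500, #pkts encrypt: 4500, #pkts digest: 4500
    #pkts decaps: 4405, #pkts decrypt: 4405, #pkts verify: 4405
    #send errors 0, #recv errors 0
     current outbound spi: 0x28126767(672294759)
     inbound esp sas:
      spi: 0xBC2DDBE7(3157122023)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0x28126767(672294759)
        Status: ACTIVE(ACTIVE)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""

WILDCARD = "0.0.0.0/0.0.0.0/0/0"  # any/any proxy identity

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+)\)")
PEER_RE = re.compile(r"current_peer (\S+) port (\d+)")
FLAGS_RE = re.compile(r"flags=\{([^}]*)\}")
PKTS_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
DELAY_RE = re.compile(r"delayed \((\d+) msec\)")


def parse_ipsec_sa(text: str) -> List[Dict]:
    """Return one dict per 'protected vrf' block, with idents, counters and SPIs."""
    entries: List[Dict] = []
    cur: Optional[Dict] = None
    direction: Optional[str] = None  # which SA list a following 'spi:' belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("protected vrf:"):
            cur = {"local": None, "remote": None, "peer": None, "flags": [],
                   "encaps": 0, "decaps": 0, "inbound_spis": [], "outbound_spis": []}
            entries.append(cur)
            direction = None
            continue
        if cur is None:
            continue  # interface / crypto map header lines
        m = IDENT_RE.search(line)
        if m:
            cur[m.group(1)] = m.group(2)
            continue
        m = PEER_RE.search(line)
        if m:
            cur["peer"] = m.group(1)
            continue
        m = FLAGS_RE.search(line)
        if m:
            cur["flags"] = [f for f in m.group(1).split(",") if f]
            continue
        for m in PKTS_RE.finditer(line):  # encrypt/digest mirror encaps; keep the pair
            cur[m.group(1)] = int(m.group(2))
        if line.startswith("inbound esp sas"):
            direction = "inbound_spis"
        elif line.startswith("outbound esp sas"):
            direction = "outbound_spis"
        elif line.startswith(("inbound ah", "inbound pcp", "outbound ah", "outbound pcp")):
            direction = None  # AH/PCP lists are empty here; do not misfile an ESP SPI
        m = SPI_RE.match(line)  # 'current outbound spi:' does not match, by design
        if m and direction:
            cur[direction].append(m.group(1))
    return entries


def classify(entry: Dict) -> str:
    """'active' if ESP SAs exist, 'wildcard-no-sa' for an empty any/any entry, else 'no-sa'."""
    if entry["inbound_spis"] or entry["outbound_spis"]:
        return "active"
    if entry["local"] == WILDCARD and entry["remote"] == WILDCARD:
        return "wildcard-no-sa"
    return "no-sa"


def delay_msec(debug_line: str) -> Optional[int]:
    """Retry interval from an '[ACL automatic] ... delayed (N msec)' debug line."""
    m = DELAY_RE.search(debug_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(classify(e), e["local"], "->", e["remote"], e["flags"],
              "encaps", e["encaps"], "decaps", e["decaps"], e["outbound_spis"])
```

Running this twice, 60 seconds apart, and diffing the per-entry SPIs and counters shows whether the specific-subnet SAs are being torn down and rebuilt (new SPIs, counters reset) or survive while only the empty wildcard entry is re-announced.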