IPsec pkts no sa (send)

Ab26
Level 1

I have set up an IPsec VPN tunnel. It worked fine at the beginning, but then all of a sudden the traffic stopped passing through the tunnel, although the tunnel is still up.

When I do 'show crypto ipsec sa peer X.X.X.X detail' I can see "pkts no sa (send) 65":

------

local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.240/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2014, #pkts encrypt: 2014, #pkts digest: 2014
#pkts decaps: 4028, #pkts decrypt: 4028, #pkts verify: 4028
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#pkts no sa (send) 67, #pkts invalid sa (rcv) 0
#pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
#pkts invalid prot (recv) 0, #pkts verify failed: 0
#pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
#pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
##pkts replay failed (rcv): 0
#pkts tagged (send): 0, #pkts untagged (rcv): 0
#pkts not tagged (send): 0, #pkts not untagged (rcv): 0
#pkts internal err (send): 0, #pkts internal err (recv) 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 9134, path mtu 9216, ip mtu 9216, ip mtu idb Interface_X
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

Accepted Solution

Ab26
Level 1

The problem was on the remote VPN peer router (not accessible by me).
Apparently, in some products other than Cisco, Phase 2 is configured separately for each traffic selector,
i.e. you could have a correct config in one traffic selector and a wrong one in another.

@ccieexpert @MHM Cisco World thanks a lot for helping!


10 Replies

@Ab26 

'show crypto ipsec sa' will not show if the tunnel is really UP.

Issue the command  'show crypto isakmp sa'

It's IKEv2, not version 1.

router#sh crypto ikev2 session detailed
Tunnel-id Local Remote fvrf/ivrf Status
72 Local_Peer_IP/500 Remote_Peer_IP/500 frontdoor/VRF-X READY
Encr: AES-CBC, keysize: 256, PRF: SHA256, Hash: SHA256, DH Grp:16, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 900/829 sec
CE id: 68714, Session-id: 35038
Status Description: Negotiation done
Local spi: 9BB7EC2AFDDFAEB8 Remote spi: 62573E0F00F46F8F
Local id: Local_Peer_IP
Remote id: Remote_Peer_IP
Local req msg id: 44 Remote req msg id: 2
Local next msg id: 44 Remote next msg id: 2
Local req queued: 44 Remote req queued: 2
Local window: 5 Remote window: 1
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Dynamic Route Update: disabled
Extended Authentication not configured.
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
Child sa: local selector X.X.X.X/0 - X.X.X.X/65535
remote selector X.X.X.X/0 - X.X.X.X/65535
ESP spi in/out: 0x8FDF7A67/0x8AD5C07A
AH spi in/out: 0x0/0x0
CPI in/out: 0x0/0x0
Encr: AES-CBC, keysize: 256, esp_hmac: SHA512
ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

Session-id:255, Status:UP-ACTIVE, IKE count:1, CHILD count:1

-------------------------------------------------------
-------------------------------------------------------
The SA (selector) that stopped is not shown. I don't know why.
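The two outputs above (the original post's 'show crypto ipsec sa' and the 'show crypto ikev2 session detailed' in this reply) together already say which selector is stuck: the ACL entry whose counters show "pkts no sa (send)" climbing and "current outbound spi: 0x0" has no child SA listed under the IKEv2 session. The following is an added example, not code from the thread or from Cisco: a Python script that parses both outputs and cross-checks them. The sample text is constructed to mirror the field layout shown in the thread, with RFC 5737 documentation addresses standing in for the X.X.X.X placeholders and one healthy selector added beside the stuck one; the function and variable names are the example's own.

```python
import ipaddress
import re

# Constructed 'show crypto ipsec sa' excerpt modelled on the thread's output.
# Two crypto-ACL entries to the same peer: the first is healthy, the second is
# the stuck selector from the original post (outbound SPI 0x0, no-sa counter
# climbing). Addresses are RFC 5737 placeholders, not real peers.
IPSEC_SA_SAMPLE = """\
   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (203.0.113.0/255.255.255.240/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5100, #pkts encrypt: 5100, #pkts digest: 5100
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
     current outbound spi: 0x8AD5C07A(2329264250)

   local  ident (addr/mask/prot/port): (198.51.100.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (203.0.113.16/255.255.255.240/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2014, #pkts encrypt: 2014, #pkts digest: 2014
    #pkts no sa (send) 67, #pkts invalid sa (rcv) 0
     current outbound spi: 0x0(0)
"""

# Constructed 'show crypto ikev2 session detailed' excerpt: the IKE SA is READY
# but only one child SA exists, and it covers the first selector only.
IKEV2_SESSION_SAMPLE = """\
Tunnel-id Local                 Remote                fvrf/ivrf       Status
72        198.51.100.1/500      192.0.2.2/500         frontdoor/VRF-X READY
      Life/Active Time: 900/829 sec
      Initiator of SA : No
      Child sa:  local selector  198.51.100.1/0 - 198.51.100.1/65535
                 remote selector 203.0.113.0/0 - 203.0.113.15/65535
                 ESP spi in/out: 0x8FDF7A67/0x8AD5C07A
"""


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_ipsec_sa(text):
    """One record per crypto-ACL entry in 'show crypto ipsec sa' output."""
    records = []
    for chunk in re.split(r"(?=^[ \t]*local[ \t]+ident )", text, flags=re.M):
        ident = re.findall(r"(local|remote)\s+ident .*?: \(([\d.]+)/([\d.]+)/", chunk)
        if len(ident) != 2:
            continue
        sides = {side: _net(a, m) for side, a, m in ident}
        no_sa = re.search(r"#pkts no sa \(send\) (\d+)", chunk)
        spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", chunk)
        records.append({
            "local": sides["local"],
            "remote": sides["remote"],
            "no_sa_send": int(no_sa.group(1)) if no_sa else 0,
            "outbound_spi": int(spi.group(1), 16) if spi else 0,
        })
    return records


CHILD_RE = re.compile(
    r"local selector\s+([\d.]+)/\d+ - ([\d.]+)/\d+\s+"
    r"remote selector\s+([\d.]+)/\d+ - ([\d.]+)/\d+"
)


def parse_ikev2_children(text):
    """Child-SA address ranges from 'show crypto ikev2 session detailed'."""
    ip = ipaddress.ip_address
    return [{"local": (ip(a), ip(b)), "remote": (ip(c), ip(d))}
            for a, b, c, d in CHILD_RE.findall(text)]


def is_initiator(text):
    return re.search(r"Initiator of SA\s*:\s*Yes", text) is not None


def _covers(rng, net):
    """True if the child-SA range contains the whole ACL network."""
    return rng[0] <= net[0] and net[-1] <= rng[1]


def diagnose(ipsec_text, ikev2_text):
    """Flag crypto-ACL entries that match traffic but have no usable child SA."""
    children = parse_ikev2_children(ikev2_text)
    findings = []
    for rec in parse_ipsec_sa(ipsec_text):
        has_child = any(_covers(c["local"], rec["local"]) and _covers(c["remote"], rec["remote"])
                        for c in children)
        status = "ok" if rec["outbound_spi"] != 0 and has_child else "no-child-sa"
        findings.append({
            "selector": f"{rec['local']} -> {rec['remote']}",
            "status": status,
            "no_sa_send": rec["no_sa_send"],
            "child_sa_present": has_child,
        })
    return findings


if __name__ == "__main__":
    print("local side initiated the IKE SA:", is_initiator(IKEV2_SESSION_SAMPLE))
    for finding in diagnose(IPSEC_SA_SAMPLE, IKEV2_SESSION_SAMPLE):
        print(finding)
```

Run against real output, the script points at the ACL entry to compare with the peer's phase-2 configuration; an entry marked "no-child-sa" with a climbing "no_sa_send" counter while the IKE SA stays READY is the CREATE_CHILD_SA failure pattern, not a dead tunnel.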

Initiator of SA : No <<- because your FW/router is not the initiator.

On the remote peer, configure IP SLA, or force your device to be the initiator, not the responder.

MHM

Thanks @MHM Cisco World !

Unfortunately, I don't have access to the remote peer. How can I make my peer the initiator? I have an IP SLA on my side that pings an IP at the other peer's destination. This is a policy-based VPN with a couple of traffic selectors (ACLs). The one I'm using for IP SLA stopped working and doesn't have an SA anymore. It's the one I posted with pkts no sa (send) 67.

Any suggestions?

Try 'clear crypto peer x.x.x.x' in a window and check.

Initiator of SA : <<- this must be Yes.

In the normal case, when the lifetime of the SA ends, both peers start negotiating a new SA.

I see the lifetime set to 900, so check whether the remote peer uses the same lifetime or not.

MHM

I assume this is a static crypto map? Can you provide a config snippet? If it is a static crypto map, then either side can be the initiator.

Also, once the IKEv2 SA is established, either side should be able to establish a child SA (new selectors).

Does it recover on its own after some time?

Run this command to clear existing session

clear crypto session peer a.b.c.d

If you still have issues, run the debugs as shown in the link:

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html

If you have many IPsec peers, then you can do a conditional debug for just one peer.

Also, if you run "ip sla" from your side, that should keep the tunnel up and rekey. I don't think you need to, but if it really is an issue, we need debugs to see why it fails over time. Maybe you can explain whether it comes and goes down, and how often the problem happens?

Ab26
Level 1

I've just uploaded the debug output in case someone can look at it and see if it indicates the cause of the problem.

You didn't tell us what the peer is or what the interesting traffic in the ACL is :) That would have helped us. But going through a large debug file, there is a pattern.

  1. Repeated CREATE_CHILD_SA Exchange Failures
  • Consistent pattern of "NO_PROPOSAL_CHOSEN" errors from other side
  • Multiple attempts to create IPSec Security Associations (SAs) are failing
  • The peer is explicitly rejecting the proposed security parameters

You should check that the phase 2 proposal and traffic selectors exactly match up with the peer. It is possible that when the remote peer initiates it works, because the traffic selectors may be a subset on one side. Please double-check that and make sure they match up exactly. You may want to give us the config snippets from both sides (at least via private message) to review.

That is correct. Phase 2, especially the crypto ACL, can be configured differently, so it could be a subset or a superset, and that can cause issues in negotiation. Some devices will tear down IKE/IPsec completely after such a failure in one P2 SA. Debugs are your friend to see what is going on.

In my last message, I had mentioned clearly:

You should check that the phase 2 proposal and traffic selectors exactly match up with the peer. So essentially that was the problem.
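The accepted solution and the two replies above describe the same failure from two angles: a per-selector phase-2 configuration on the remote side that is right for one traffic selector and wrong for another, and selectors that are a subset or superset of each other. As an added example, not code from the thread or from any vendor's implementation, the Python below models the responder side of an IKEv2 CREATE_CHILD_SA exchange (RFC 7296, sections 2.7 and 2.9): the responder finds the policy whose selectors overlap the requested TSi/TSr, narrows to the overlap, and picks the first initiator proposal that policy allows, answering NO_PROPOSAL_CHOSEN or TS_UNACCEPTABLE otherwise. The Cisco-style initiator has one transform set shared by two ACL entries; the constructed remote peer has two child policies, the second with a mismatched proposal. Whether a given product narrows a selector or rejects it outright is implementation-specific; the model assumes narrowing. The addresses are RFC 5737 placeholders and all names are the example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encr: str    # e.g. "AES-CBC-256"
    integ: str   # e.g. "HMAC-SHA512"
    dh: str      # PFS group, "none" when PFS is off


@dataclass(frozen=True)
class ChildPolicy:
    """One phase-2 entry: a traffic-selector pair and the proposals it allows.
    An IOS crypto map shares one transform set across all ACL entries; on
    some other products each selector carries its own proposal list."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    proposals: tuple


def net(s):
    return ipaddress.ip_network(s)


def respond_create_child_sa(responder_policies, tsi, tsr, proposals):
    """Responder's decision for one CREATE_CHILD_SA request (RFC 7296 model).

    tsi/tsr are in the initiator's orientation, so on the responder tsi must
    fit a policy's *remote* side and tsr its *local* side. Returns
    (status, detail); on "OK" detail holds the chosen proposal and the
    possibly narrowed selectors.
    """
    for pol in responder_policies:
        if not (pol.remote.overlaps(tsi) and pol.local.overlaps(tsr)):
            continue
        # Overlapping CIDR networks always nest: narrow to the smaller one.
        ts_i = tsi if tsi.subnet_of(pol.remote) else pol.remote
        ts_r = tsr if tsr.subnet_of(pol.local) else pol.local
        for p in proposals:  # initiator's preference order
            if p in pol.proposals:
                return "OK", {"proposal": p, "tsi": ts_i, "tsr": ts_r}
        return "NO_PROPOSAL_CHOSEN", {"policy": pol}
    return "TS_UNACCEPTABLE", None


AES256_SHA512 = Proposal("AES-CBC-256", "HMAC-SHA512", "none")
AES256_SHA256_G14 = Proposal("AES-CBC-256", "HMAC-SHA256", "group14")

# Initiator (Cisco-style): one transform set applied to two ACL entries.
CISCO_LOCAL = net("198.51.100.1/32")
CISCO_ACL = [net("203.0.113.0/28"), net("203.0.113.16/28")]
CISCO_PROPOSALS = (AES256_SHA512,)

# Responder (constructed non-Cisco peer): phase 2 configured per selector.
# The second entry was "fixed" with a different proposal and PFS group.
REMOTE_POLICIES = (
    ChildPolicy(net("203.0.113.0/28"), CISCO_LOCAL, (AES256_SHA512,)),
    ChildPolicy(net("203.0.113.16/28"), CISCO_LOCAL, (AES256_SHA256_G14,)),
)


def negotiate_all():
    """Outcome per ACL entry when the Cisco side initiates each child SA."""
    return {
        str(dst): respond_create_child_sa(REMOTE_POLICIES, CISCO_LOCAL, dst, CISCO_PROPOSALS)[0]
        for dst in CISCO_ACL
    }


def narrowing_example():
    """Responder whose selector is a subset of what the initiator asked for:
    the SA comes up, but only for the narrowed range."""
    narrow = (ChildPolicy(net("203.0.113.0/29"), CISCO_LOCAL, (AES256_SHA512,)),)
    return respond_create_child_sa(narrow, CISCO_LOCAL, net("203.0.113.0/28"), CISCO_PROPOSALS)


if __name__ == "__main__":
    print(negotiate_all())
    print(narrowing_example())
```

The first ACL entry negotiates, the second is answered with NO_PROPOSAL_CHOSEN on every attempt, which is exactly the pattern seen in the debug: the IKE SA stays READY, one child SA exists, and the other selector accumulates "pkts no sa (send)". The narrowing case shows why a mismatch can be masked depending on which side initiates: the SA that comes up covers only the smaller range, so traffic matching the wider ACL entry outside it still has no SA.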