01-02-2024 06:13 AM - edited 01-02-2024 06:39 AM
Hello, I'm experiencing disconnections on my IPsec VPN, probably due to a double initiation of Phase 2. Here is an excerpt from the 'show crypto ipsec sa' command.
interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer x.X.X.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr X.X.X.X
protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={}
#pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
#pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x6AC9659E(1791583646)
PFS (Y/N): Y, DH group: group5
inbound esp sas:
spi: 0xA65BBC56(2791029846)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9297, flow_id: ESG:7297, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4606650/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6AC9659E(1791583646)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9298, flow_id: ESG:7298, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4607879/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: X.X.X.X, remote crypto endpt.: XX.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Can you please help me and tell me where the problem is?
Thank you
01-08-2024 04:40 AM
The tunnel interface makes the proxy 0.0.0.0.
Note: when you decide to remove one, you must consider the other peer; the IPsec must match.
MHM
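One way to check output like the excerpt in this thread for the same peer appearing under both a crypto map and a tunnel-protection entry, as an added example that is not part of either post: it parses 'show crypto ipsec sa' text, records each entry's proxy identities and whether its outbound SPI is non-zero, and lists peers seen under more than one crypto map tag. The sample text, its addresses and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of 'show crypto ipsec sa' (documentation addresses).
SAMPLE = """\
interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr 192.0.2.1
local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 198.51.100.7 port 500
current outbound spi: 0x0(0)
interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr 192.0.2.1
local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 198.51.100.7 port 500
current outbound spi: 0x6AC9659E(1791583646)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 198.51.100.7 port 500
current outbound spi: 0x0(0)
"""

def parse_sa_entries(text):
    """Return one dict per SA entry: tag, local/remote proxy, peer, active flag."""
    entries, tag, cur = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"Crypto map tag: ([^,]+),", line):
            tag = m.group(1)  # applies to every entry until the next tag line
        elif m := re.match(r"local ident \S+ \(([^/]+/[^/]+)/", line):
            cur = {"tag": tag, "local": m.group(1)}  # a new entry starts here
            entries.append(cur)
        elif cur and (m := re.match(r"remote ident \S+ \(([^/]+/[^/]+)/", line)):
            cur["remote"] = m.group(1)
        elif cur and (m := re.match(r"current_peer (\S+)", line)):
            cur["peer"] = m.group(1)
        elif cur and (m := re.match(r"current outbound spi: (0x[0-9A-Fa-f]+)", line)):
            cur["active"] = int(m.group(1), 16) != 0  # SPI 0x0 means no SA is up
    return entries

def peers_with_multiple_tags(entries):
    """Peers that appear under more than one crypto map tag."""
    tags = defaultdict(set)
    for e in entries:
        tags[e.get("peer")].add(e["tag"])
    return {p: sorted(t) for p, t in tags.items() if len(t) > 1}
```
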