Problem with 2 times phase 2 Ipsec

darkmen11
Level 1

Hello, I'm experiencing disconnections on my IPsec VPN, probably due to a double initiation of Phase 2. Here is an excerpt from the 'show crypto ipsec sa' command.

interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer x.X.X.x port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:


inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (X.X.X.X/255.255.255.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={}
#pkts encaps: 1522, #pkts encrypt: 1522, #pkts digest: 1522
#pkts decaps: 1768, #pkts decrypt: 1768, #pkts verify: 1768
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: X.X.X.X
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x6AC9659E(1791583646)
PFS (Y/N): Y, DH group: group5

inbound esp sas:
spi: 0xA65BBC56(2791029846)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9297, flow_id: ESG:7297, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4606650/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x6AC9659E(1791583646)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 9298, flow_id: ESG:7298, sibling_flags FFFFFFFF80000048, crypto map: Tunnel61-head-0
sa timing: remaining key lifetime (k/sec): (4607879/3539)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer X.X.X.X port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: XX.X.X.X
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

 

Can you please help me and tell me where the problem is?

Thank you

15 Replies

The tunnel interface makes the proxy 0.0.0.0.

Note: when you decide to remove one, you must consider the other peer; the IPsec must match.

MHM
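
Added example, not part of the original thread: a small Python parser that summarizes `show crypto ipsec sa` output like the one posted above, listing each proxy-identity entry with its interface and crypto map, whether an SA is installed, and which peers appear under more than one crypto map. The function names, the `SAMPLE` text and its addresses are constructed for illustration.

```python
import re
# Constructed sample in the layout of `show crypto ipsec sa` (documentation-range addresses).
SAMPLE = """\
interface: GigabitEthernet0/0/1
Crypto map tag: VPNMAP, local addr 192.0.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 198.51.100.7 port 500
current outbound spi: 0x0(0)
interface: Tunnel61
Crypto map tag: Tunnel61-head-0, local addr 192.0.2.1
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 198.51.100.7 port 500
current outbound spi: 0x6AC9659E(1791583646)
"""

FIELDS = {  # output key -> regex with one capture group
    "local": r"local ident \(addr/mask/prot/port\): \((.*?)\)",
    "remote": r"remote ident \(addr/mask/prot/port\): \((.*?)\)",
    "peer": r"current_peer (\S+)",
    "spi": r"current outbound spi: (0x[0-9A-Fa-f]+)",
}

def parse_ipsec_sa(text):
    """Return one dict per proxy-identity entry, tagged with interface and crypto map."""
    entries, iface, cmap, cur = [], None, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface:"):
            iface, cur = line.split(":", 1)[1].strip(), None
        elif line.startswith("Crypto map tag:"):
            cmap = line.split(":", 1)[1].split(",")[0].strip()
        elif line.startswith("protected vrf:"):
            cur = {"interface": iface, "crypto_map": cmap, "has_sa": False}
            entries.append(cur)
        elif cur is not None:
            for key, rx in FIELDS.items():
                if m := re.search(rx, line):
                    cur[key] = m.group(1)
            cur["has_sa"] = int(cur.get("spi", "0x0"), 16) != 0  # SPI 0x0: no SA installed
    return entries

def peers_on_multiple_maps(entries):  # peers seen under more than one crypto map
    seen = {}
    for e in entries:
        seen.setdefault(e.get("peer"), set()).add(e["crypto_map"])
    return {p: sorted(m) for p, m in seen.items() if len(m) > 1}
```

Feed it the saved CLI output as a string; entries with `has_sa` false are the ones showing `current outbound spi: 0x0(0)`.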