Show Crypto SA

IAIN HILL
Level 1

I have what appears to be a strange IP address in the output from the show crypto sa command. It appears to give the remote peer an IP address which has no bearing on the real IP address on the far end or anything I have configured. So I guess my question is: does the peer's address have to be the far end's IP address, or am I looking at something like a router ID which just looks like an IP address?

4 Replies

Richard Burts
Hall of Fame

Iain

When I do a show crypto ipsec sa the things in the output that look like IP addresses are in fact IP addresses. I do not see anything like router IDs in my output. It might be easier to give you a good answer if you could post the output that you are talking about.

HTH

Rick

The output looks like this:

local ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (192.168.199.0/255.255.255.0/0/0)

current_peer: 81.168.68.250:0

The current_peer address is not one I know about; it's not the far end or the peer I have configured for the VPN session. The issue shows itself by not allowing the VPN to initiate from the central site towards the remote one, but it works fine once the tunnel has come up by contacting back from the remote site to the central one.

When the tunnel is up the peer is still showing as the strange address on the central one but the remote firewall shows all the correct details.

This is why I wanted to check if the current peer detail is actually the IP address of the remote end.

Iain

On my routers the show crypto ipsec sa shows the same IP address on the remote ident line as on the current_peer line. Yours shows different addresses, and I think that indicates a problem. Which I believe is confirmed if the central cannot initiate a session to the remote but the remote can initiate to the central.

I am guessing that the remote ident line may represent what you have configured on your router as the peer address. And I am guessing (though I do not know for sure) that the current_peer represents the source ip address of packets being received.

I am wondering if perhaps the 81.168.68.250 address might be another interface on the router that you are connected to. Or perhaps if the address has been through address translation somewhere. Could you try to do a traceroute to 81.168.68.250 and a traceroute to 192.168.199.0 and see if the path through the network is similar?

HTH

Rick

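The check Rick describes above, done programmatically: compare the current_peer reported by show crypto ipsec sa against the peers actually configured in the crypto map, and flag any SA whose peer is not one you configured. This is an added example, not code from the thread or from Cisco; it assumes the peer is configured with a crypto map "set peer" line, and the configured address 198.51.100.7 is a constructed placeholder.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed "show crypto ipsec sa" output using the
# identity and current_peer lines quoted in the thread.
SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (192.168.202.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.199.0/255.255.255.0/0/0)
   current_peer: 81.168.68.250:0
"""

# Constructed sample crypto map from the running-config. 198.51.100.7 is a
# placeholder for whatever peer is really configured on the central router.
RUNNING_CONFIG = """\
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.7
 set transform-set TS
 match address 101
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident.*?:\s*\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
# Older IOS prints "current_peer: A.B.C.D:port", newer "current_peer A.B.C.D port N".
PEER_RE = re.compile(r"current_peer:?\s*([\d.]+)")
SET_PEER_RE = re.compile(r"^\s*set peer\s+([\d.]+)", re.MULTILINE)


def parse_sa_entries(sa_output: str) -> List[Dict[str, str]]:
    """Split the output into SA entries; the current_peer line closes an entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in sa_output.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.group(1), m.group(2), m.group(3)
            current[f"{side}_ident"] = f"{addr}/{mask}"
            continue
        m = PEER_RE.search(line)
        if m:
            current["current_peer"] = m.group(1)
            entries.append(current)
            current = {}
    return entries


def configured_peers(running_config: str) -> Set[str]:
    """Collect every 'set peer' address from the crypto map configuration."""
    return set(SET_PEER_RE.findall(running_config))


def find_peer_mismatches(sa_output: str, running_config: str) -> List[Dict[str, str]]:
    """Return SA entries whose current_peer is not a configured crypto map peer."""
    peers = configured_peers(running_config)
    return [e for e in parse_sa_entries(sa_output) if e.get("current_peer") not in peers]
```

An entry returned here means the router built the SA with an address you never configured, which is exactly the symptom in this thread and worth correlating with NAT or a second interface on the far side before assuming the tunnel is healthy.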
The current_peer is the actual public IP of the remote device, which is the remote VPN termination point.

81.168.68.250 is not a pre-configured peer. How about remote VPN client software?