Understanding output of sh crypto ipsec sa peer

yuchenglai
Level 1

Hi All,

I am a bit puzzled by why the remote ident and remote crypto endpt ID are different.  I also noticed that the remote ident address matches the remote NBMA address, but just not the remote crypto endpt address.  I really expected the remote crypto endpt address to be the same as the remote ident address and remote NBMA address (remote tunnel source address).  Tunnel1 is an mGRE tunnel protected by IPsec.

Could anyone shed light on this?

Thanks,

David

Router#sh crypto ipsec sa peer 1.1.1.1

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 7978837, #pkts encrypt: 7978837, #pkts digest: 7978837
    #pkts decaps: 7286115, #pkts decrypt: 7286115, #pkts verify: 7286115
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 14644

     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback2
     current outbound spi: 0xB96E4FB1(3111014321)

     inbound esp sas:
      spi: 0xB1D02649(2983208521)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3002, flow_id: Onboard VPN:2, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4501742/22874)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB96E4FB1(3111014321)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3001, flow_id: Onboard VPN:1, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4445656/22873)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

1 Reply

Dan Frey
Cisco Employee

The output suggests you have NAT-T in the network and IPsec tunnel mode turned on.  If the transform-set is set to transport mode, clear the crypto sessions, and then the remote ident and crypto endpoint will be the same address.

HTH,

Dan
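As an added example (not part of the thread above), here is a small Python check that pulls the fields Dan's answer hinges on out of the `show crypto ipsec sa` text: remote ident versus remote crypto endpoint, the NAT-T indicators (peer port 4500, `UDP-Encaps`), the SA mode, and the receive-error counter. It assumes the line layout shown in the post; the sample input is a constructed excerpt of that output.

```python
import re

# Constructed sample: an excerpt of the "show crypto ipsec sa peer" output
# from the post above, embedded so the check runs offline.
SAMPLE = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 2.2.2.2
   local  ident (addr/mask/prot/port): (2.2.2.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/47/0)
   current_peer 1.1.1.1 port 4500
    #send errors 0, #recv errors 14644
     local crypto endpt.: 2.2.2.2, remote crypto endpt.: 1.1.1.1
      spi: 0xB1D02649(2983208521)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
"""

def parse_ipsec_sa(text):
    """Extract the fields relevant to the ident/endpoint question into a dict."""
    def grab(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    return {
        "remote_ident": grab(r"remote ident.*?:\s*\(([\d.]+)/"),
        "peer": grab(r"current_peer\s+([\d.]+)"),
        "peer_port": int(grab(r"current_peer\s+[\d.]+\s+port\s+(\d+)", "0")),
        "remote_endpt": grab(r"remote crypto endpt\.:\s*([\d.]+)"),
        "mode": grab(r"in use settings\s*=\{(\w+)"),   # "Tunnel" or "Transport"
        "udp_encaps": "UDP-Encaps" in text,            # NAT-T encapsulation active
        "recv_errors": int(grab(r"#recv errors\s+(\d+)", "0")),
    }

def explain(sa):
    """Return the observations a reviewer would raise about this SA."""
    findings = []
    if sa["remote_ident"] != sa["remote_endpt"]:
        findings.append("remote ident %s differs from remote crypto endpt %s"
                        % (sa["remote_ident"], sa["remote_endpt"]))
        if sa["udp_encaps"] or sa["peer_port"] == 4500:
            findings.append("NAT-T in use (UDP 4500 / UDP-Encaps): the endpoint is "
                            "the post-NAT peer address, the ident is the tunnel source")
        if sa["mode"] == "Tunnel":
            findings.append("SA is in tunnel mode; in transport mode the ident and "
                            "endpoint coincide once the session is re-established")
    if sa["recv_errors"]:
        findings.append("%d receive errors on this SA; worth investigating" % sa["recv_errors"])
    return findings

if __name__ == "__main__":
    for line in explain(parse_ipsec_sa(SAMPLE)):
        print("-", line)
```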