
VPN tunnel (session status)

lakhwaraa
Level 1

I have configured a crypto ISAKMP and NHRP tunnel for my branch and main office. Which command should I use to make the session active in all states, like the following example?

HAVE THIS

Interface: Tunnel2
Session status: DOWN-NEGOTIATING
Peer: 101.244.32.1 port 500
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IPSEC FLOW: permit 47 host 192.168.8.254 host 101.244.32.1
Active SAs: 0, origin: crypto map

NEED THIS

Interface: Tunnel2
Session status: UP-ACTIVE (THIS IS ALWAYS ACTIVE EVEN WHEN NOT USING THIS TUNNEL)
Peer: 101.244.32.1 port 4500
IKEv1 SA: local 192.168.8.250/4500 remote 101.244.32.1/4500 Active
IPSEC FLOW: permit 47 host 192.168.8.250 host 101.244.32.1
Active SAs: 2, origin: crypto map

 

My config is as below:

! Phase 1 (ISAKMP/IKEv1) policy and wildcard pre-shared key
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp key M@ster address 0.0.0.0 0.0.0.0
!
! Phase 2 transform set, transport mode (the protected traffic is the GRE tunnel itself)
crypto ipsec transform-set CR-TS-MAS esp-aes esp-sha-hmac
 mode transport
!
! IPsec profile that "tunnel protection" applies to the tunnel interface
crypto ipsec profile CR-PR-MAS
 set transform-set CR-TS-MAS
!
! mGRE (DMVPN spoke) tunnel, sourced from Dialer1
interface Tunnel2
 ip address 10.2.1.57 255.255.255.0
 no ip redirects
 ip mtu 1390
 ip authentication mode eigrp 10 md5
 ip authentication key-chain eigrp 10 eigrp_keys
 ip hold-time eigrp 10 60
 ip nhrp authentication deast
 ip nhrp map multicast dynamic
 ip nhrp map 10.2.1.254 101.244.32.1
 ip nhrp map multicast 101.244.32.1
 ip nhrp map 10.2.1.12 101.244.32.6
 ip nhrp map multicast 101.244.32.6
 ip nhrp network-id 2
 ip nhrp holdtime 600
 ip nhrp nhs 10.2.1.12
 ip nhrp nhs 10.2.1.254
 ip nhrp registration no-unique
 zone-member security vpn
 tunnel source Dialer1
 tunnel mode gre multipoint
 tunnel key 121
 tunnel protection ipsec profile CR-PR-MAS shared

What changes should I make in the configuration to make the tunnel always active?

Please note: the configuration of both examples is the same, but I don't know how one tunnel is always active and the other is negotiating.

20 Replies

    # Ent  Peer NBMA Addr  Peer Tunnel Add  State  UpDn Tm   Attrb
----- ---------------  ---------------  -----  --------  -----
       101.244.32.6     10.2.2.12        IKE    02:47:04  S   <<- finally we get something here, this must be UP
       101.244.32.1     10.2.2.254       NHRP   02:47:05  S

So we must check Phase 1 & Phase 2 of IPsec:

Phase 1:

show crypto isakmp sa

Phase 2:

show crypto ipsec sa
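A way to read those two outputs mechanically, as an added example (not from this thread and not a Cisco tool): a Python script that parses the text of show crypto isakmp sa and show crypto ipsec sa, takes each peer's Phase 1 state (QM_IDLE versus MM_NO_STATE with conn-id 0) and the Phase 2 indicators that distinguish the two sessions in the question (the ipsec_sa_request_sent flag, a 0x0 outbound SPI, the number of ESP SAs, UDP-Encaps/port 4500 for NAT-T, the send-error counter), and reports per peer whether the session would show as UP-ACTIVE or DOWN-NEGOTIATING. The embedded sample output is constructed to mirror the thread's listings but uses RFC 5737 documentation addresses; the function and field names are my own.

```python
"""Triage helper for Cisco IOS `show crypto isakmp sa` / `show crypto ipsec sa` text.
Constructed example, not from the thread. Indicators it keys on (all visible in the
thread): MM_NO_STATE / conn-id 0 versus QM_IDLE for Phase 1; the ipsec_sa_request_sent
flag, a 0x0 outbound SPI and no ESP SAs for Phase 2; UDP-Encaps / port 4500 for NAT-T."""
import re

# Constructed sample output modelled on the thread's listings (RFC 5737 addresses).
ISAKMP_SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.6     198.51.100.250  MM_NO_STATE          0 ACTIVE
203.0.113.6     198.51.100.250  MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.1     198.51.100.250  QM_IDLE           2132 ACTIVE

IPv6 Crypto ISAKMP SA
"""

IPSEC_SAMPLE = """\
protected vrf: (none)
current_peer 203.0.113.6 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#send errors 5799, #recv errors 0
current outbound spi: 0x0(0)
inbound esp sas:
outbound esp sas:

protected vrf: (none)
current_peer 203.0.113.1 port 4500
PERMIT, flags={origin_is_acl,}
#send errors 12, #recv errors 43
current outbound spi: 0x7DCBB8F3(2110503155)
inbound esp sas:
spi: 0x6774F69A(1735718554)
in use settings ={Transport UDP-Encaps, }
outbound esp sas:
spi: 0x7DCBB8F3(2110503155)
in use settings ={Transport UDP-Encaps, }
"""

# dst  src  state  conn-id  status  [(deleted)]  -- header/title lines do not match
ISAKMP_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(\s+\(deleted\))?$")


def parse_isakmp_sa(text):
    """Map destination peer -> (state, conn_id); a live row beats a '(deleted)' row."""
    peers = {}
    for m in (ISAKMP_RE.match(line.strip()) for line in text.splitlines()):
        if m and not (m.group(6) and m.group(1) in peers):
            peers[m.group(1)] = (m.group(3), int(m.group(4)))
    return peers


def parse_ipsec_sa(text):
    """Map peer -> Phase 2 indicators, one entry per 'protected vrf' block."""
    result = {}
    for block in text.split("protected vrf:")[1:]:
        peer = re.search(r"current_peer (\S+) port (\d+)", block)
        if not peer:
            continue
        flags = re.search(r"flags=\{([^}]*)\}", block)
        spi = re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", block)
        errs = re.search(r"#send errors (\d+)", block)
        result[peer.group(1)] = {
            "port": int(peer.group(2)),
            "flags": {f for f in (flags.group(1).split(",") if flags else []) if f},
            "outbound_spi": int(spi.group(1), 16) if spi else 0,
            # a line starting with "spi: 0x" only appears inside the inbound/outbound SA lists
            "esp_sas": len(re.findall(r"^\s*spi: 0x", block, re.M)),
            "send_errors": int(errs.group(1)) if errs else 0,
            "nat_t": "UDP-Encaps" in block or peer.group(2) == "4500",
        }
    return result


def classify(isakmp, ipsec):
    """Per peer: Phase 1 / Phase 2 verdicts and the session status the thread shows."""
    report = {}
    for peer in sorted(set(isakmp) | set(ipsec)):
        state, conn_id = isakmp.get(peer, (None, None))
        info = ipsec.get(peer) or {"flags": set(), "outbound_spi": 0, "esp_sas": 0,
                                   "send_errors": 0, "nat_t": False}
        p1_ok = state == "QM_IDLE"
        p2_ok = bool(info["esp_sas"] and info["outbound_spi"])
        if p1_ok:
            p1 = "phase1 established"
        else:
            p1 = "phase1 absent" if state is None else f"phase1 failed: {state}, conn-id {conn_id}"
        if p2_ok:
            p2 = "phase2 established"
        elif "ipsec_sa_request_sent" in info["flags"]:
            p2 = "phase2 requested, never negotiated"
        else:
            p2 = "phase2 absent"
        report[peer] = {"phase1": p1, "phase2": p2,
                        "session": "UP-ACTIVE" if p1_ok and p2_ok else "DOWN-NEGOTIATING",
                        "nat_t": info["nat_t"], "send_errors": info["send_errors"]}
    return report


def triage(isakmp_text=ISAKMP_SAMPLE, ipsec_text=IPSEC_SAMPLE):
    return classify(parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text))


if __name__ == "__main__":
    for peer, verdict in triage().items():
        print(peer, verdict)
```

Feed it the real text captured from both routers (paste each command's output into the two arguments of triage) and the peer that shows "phase1 failed: MM_NO_STATE, conn-id 0" together with "phase2 requested, never negotiated" is the one to chase with the Phase 1 debug suggested later in this thread; a peer that is UP-ACTIVE but with a rising send_errors count is a different problem (traffic being dropped after the SAs are up), so the script reports the counter separately.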

 

 


Router 1 (which is always negotiating)
WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

WT#sh crypto ipsec sa

interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 192.168.8.250

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.1/255.255.255.255/47/0)
current_peer 101.244.32.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 491, #pkts encrypt: 491, #pkts digest: 491
#pkts decaps: 267, #pkts decrypt: 267, #pkts verify: 267
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5799, #recv errors 0

local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.1
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.6/255.255.255.255/47/0)
current_peer 101.244.32.6 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 1649, #pkts encrypt: 1649, #pkts digest: 1649
#pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5799, #recv errors 0

local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.6
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:
WT#


Router 1 (which is always active)
kkrouter#sh crypto isakmp SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   QM_IDLE           2174 ACTIVE
101.244.32.1    192.168.8.250   QM_IDLE           2132 ACTIVE
101.244.32.67   192.168.8.250   QM_IDLE           2081 ACTIVE

IPv6 Crypto ISAKMP SA


kkrouter#SH CRYpto IPsec SA

interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 192.168.8.250

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.6/255.255.255.255/47/0)
current_peer 101.244.32.6 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 969816, #pkts encrypt: 969816, #pkts digest: 969816
#pkts decaps: 807430, #pkts decrypt: 807430, #pkts verify: 807430
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5517, #recv errors 0

local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0xFDE11F7B(4259389307)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xD3C0B560(3552621920)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4444912/3291)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xFDE11F7B(4259389307)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4440888/3291)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.67/255.255.255.255/47/0)
current_peer 101.244.32.67 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 40221, #pkts encrypt: 40221, #pkts digest: 40221
#pkts decaps: 40919, #pkts decrypt: 40919, #pkts verify: 40919
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 638, #recv errors 0

local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.67
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0x8F5F3FC3(2405384131)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xECC15878(3972094072)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 23, flow_id: Onboard VPN:23, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4424179/3533)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x5C61162C(1549866540)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 27, flow_id: Onboard VPN:27, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4533279/3564)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xB6C18670(3066136176)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 24, flow_id: Onboard VPN:24, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4424183/3533)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x8F5F3FC3(2405384131)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 28, flow_id: Onboard VPN:28, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4533282/3564)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.1/255.255.255.255/47/0)
current_peer 101.244.32.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 109226, #pkts encrypt: 109226, #pkts digest: 109226
#pkts decaps: 312635, #pkts decrypt: 312635, #pkts verify: 312635
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 43

local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0x7DCBB8F3(2110503155)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x6774F69A(1735718554)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 57, flow_id: Onboard VPN:57, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4505563/2343)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x7DCBB8F3(2110503155)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 58, flow_id: Onboard VPN:58, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4508986/2343)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)

Please share the output of:

debug crypto isakmp

Note: disable the debug after you get the info.

After running the command it shows nothing.

Router 1 (which is always active)
kkrouter#sh crypto isakmp SA
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   QM_IDLE           2174 ACTIVE
101.244.32.1    192.168.8.250   QM_IDLE           2132 ACTIVE
101.244.32.67   192.168.8.250   QM_IDLE           2081 ACTIVE

Router 1 (which is always negotiating)
WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)

Two routers (I think you made a typo, so they are two different routers) and two tunnels, but the same tunnel source!!!
Can you elaborate, or am I going in the wrong direction?

I have a similar issue, showing send errors:

interface: Tunnel101
Crypto map tag: Tunnel101-head-0, local addr 10.72.56.50

protected vrf: (none)
local ident (addr/mask/prot/port): (10.72.56.50/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.165.194.187/255.255.255.255/47/0)
current_peer 202.165.194.187 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 52, #recv errors 0

local crypto endpt.: 10.72.56.50, remote crypto endpt.: 202.165.194.187
plaintext mtu 1472, path mtu 1472, ip mtu 1472, ip mtu idb Tunnel101
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas: