10-04-2022 12:46 AM
I have configured crypto isakmp and an NHRP tunnel for my branch and main office. Which command should I use to make the session active in all states, like the following example?
HAVE THIS
Interface: Tunnel2
Session status: DOWN-NEGOTIATING
Peer: 101.244.32.1 port 500
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IKE SA: local 192.168.8.254/500 remote 101.244.32.1/500 Inactive
IPSEC FLOW: permit 47 host 192.168.8.254 host 101.244.32.1
Active SAs: 0, origin: crypto map
NEED THIS
Interface: Tunnel2
Session status: UP-ACTIVE (THIS IS ALWAYS ACTIVE EVEN WHEN NOT USING THIS TUNNEL)
Peer: 101.244.32.1 port 4500
IKEv1 SA: local 192.168.8.250/4500 remote 101.244.32.1/4500 Active
IPSEC FLOW: permit 47 host 192.168.8.250 host 101.244.32.1
Active SAs: 2, origin: crypto map
My config is as below:
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp key M@ster address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set CR-TS-MAS esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile CR-PR-MAS
set transform-set CR-TS-MAS
!
interface Tunnel2
ip address 10.2.1.57 255.255.255.0
no ip redirects
ip mtu 1390
ip authentication mode eigrp 10 md5
ip authentication key-chain eigrp 10 eigrp_keys
ip hold-time eigrp 10 60
ip nhrp authentication deast
ip nhrp map multicast dynamic
ip nhrp map 10.2.1.254 101.244.32.1
ip nhrp map multicast 101.244.32.1
ip nhrp map 10.2.1.12 101.244.32.6
ip nhrp map multicast 101.244.32.6
ip nhrp network-id 2
ip nhrp holdtime 600
ip nhrp nhs 10.2.1.12
ip nhrp nhs 10.2.1.254
ip nhrp registration no-unique
zone-member security vpn
tunnel source Dialer1
tunnel mode gre multipoint
tunnel key 121
tunnel protection ipsec profile CR-PR-MAS shared
WHAT CHANGES SHOULD I MAKE IN THE CONFIGURATION TO MAKE THE TUNNEL ALWAYS ACTIVE?
PLEASE NOTE: THE CONFIGURATION OF BOTH EXAMPLES IS THE SAME, BUT I DON'T KNOW HOW ONE TUNNEL IS ALWAYS ACTIVE AND THE OTHER IS NEGOTIATING.
10-14-2022 01:56 AM
# Ent Peer NBMA Addr Peer Tunnel Add State UpDn Tm Attrb
----- --------------- --------------- ----- -------- -----
1 101.244.32.6 10.2.2.12 IKE 02:47:04 S <<- finally we get something here, this must be UP
1 101.244.32.1 10.2.2.254 NHRP 02:47:05 S
So we must check Phase 1 & Phase 2 of IPsec:
Phase 1: show crypto isakmp sa
Phase 2: show crypto IPSEC sa
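To make the Phase 1 / Phase 2 check above mechanical, here is an added Python example (not from the thread and not Cisco code) that parses `show crypto isakmp sa` and `show crypto ipsec sa` output and reports, per peer, whether IKE phase 1 is established (QM_IDLE) or stuck (MM_NO_STATE) and whether ESP SAs actually exist. The sample outputs are constructed from the values posted in this thread; the function names and the state labels are my own.

```python
"""Classify IKEv1 phase 1 / IPsec phase 2 state per peer from Cisco IOS
'show crypto isakmp sa' and 'show crypto ipsec sa' text.
Added example, not from the thread; sample outputs are constructed from
the values posted in it."""
import re
from collections import defaultdict

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ISAKMP_ROW = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+(\d+)\s+(\S+)(.*)$")

# Constructed sample: the router that stays DOWN-NEGOTIATING.
ISAKMP_SA_NEGOTIATING = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.6    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE
101.244.32.1    192.168.8.250   MM_NO_STATE          0 ACTIVE (deleted)
"""
IPSEC_SA_NEGOTIATING = """\
interface: Tunnel2
   current_peer 101.244.32.1 port 500
     PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
    #send errors 5799, #recv errors 0
     current outbound spi: 0x0(0)
     inbound esp sas:
     outbound esp sas:
"""
# Constructed sample: the router that is UP-ACTIVE.
ISAKMP_SA_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
101.244.32.1    192.168.8.250   QM_IDLE           2132 ACTIVE
"""
IPSEC_SA_UP = """\
interface: Tunnel2
   current_peer 101.244.32.1 port 4500
     PERMIT, flags={origin_is_acl,}
    #send errors 12, #recv errors 43
     current outbound spi: 0x7DCBB8F3(2110503155)
     inbound esp sas:
      spi: 0x6774F69A(1735718554)
     outbound esp sas:
      spi: 0x7DCBB8F3(2110503155)
"""


def parse_isakmp_sa(text):
    """Map peer (dst column) -> list of (state, status, deleted) rows."""
    peers = defaultdict(list)
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m:
            dst, _src, state, _conn, status, rest = m.groups()
            peers[dst].append((state, status, "(deleted)" in rest))
    return dict(peers)


def phase1_state(rows):
    live = [r for r in rows if not r[2]]  # ignore SAs already torn down
    if any(s == "QM_IDLE" and st == "ACTIVE" for s, st, _ in live):
        return "established"  # phase 1 complete, quick mode idle
    if any(s == "MM_NO_STATE" for s, _, _ in live):
        return "failed"  # main mode started, no usable reply from the peer
    return "in-progress" if live else "absent"


def parse_ipsec_sa(text):
    """Map peer -> dict(port, flags, send_errors, outbound_spi, esp_spis)."""
    peers, cur = {}, None
    for raw in text.splitlines():
        s = raw.strip()
        if (m := re.match(rf"current_peer {IPV4} port (\d+)", s)):
            cur = peers[m.group(1)] = {"port": int(m.group(2)), "flags": set(),
                                       "send_errors": 0, "outbound_spi": 0,
                                       "esp_spis": []}
        elif cur is None:
            continue
        elif (m := re.match(r"PERMIT, flags=\{([^}]*)\}", s)):
            cur["flags"] = {f for f in m.group(1).split(",") if f}
        elif (m := re.match(r"#send errors (\d+)", s)):
            cur["send_errors"] = int(m.group(1))  # packets dropped for lack of an SA
        elif (m := re.match(r"current outbound spi: 0x([0-9A-Fa-f]+)", s)):
            cur["outbound_spi"] = int(m.group(1), 16)
        elif (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", s)):
            cur["esp_spis"].append(int(m.group(1), 16))
    return peers


def phase2_state(info):
    if info["outbound_spi"] and info["esp_spis"]:
        return "established"
    if "ipsec_sa_request_sent" in info["flags"]:
        return "requested"  # quick mode asked for, but no SA came back
    return "absent"


def diagnose(isakmp_text, ipsec_text):
    """Combine both outputs into a per-peer verdict."""
    p1, p2 = parse_isakmp_sa(isakmp_text), parse_ipsec_sa(ipsec_text)
    report = {}
    for peer in sorted(set(p1) | set(p2)):
        s1 = phase1_state(p1.get(peer, []))
        info = p2.get(peer)
        s2 = phase2_state(info) if info else "absent"
        if s1 == "failed":
            verdict = ("phase 1 never completes (MM_NO_STATE), so no ESP SA can exist; "
                       "check reachability on UDP 500/4500 and the ISAKMP policy/key, "
                       "then 'debug crypto isakmp' (disable it afterwards)")
        elif s1 == "established" and s2 == "established":
            verdict = "up: IKE SA and ESP SAs present"
        elif s1 == "established":
            verdict = "phase 1 up but no ESP SA: check transform-set/profile on both ends"
        else:
            verdict = f"phase 1 {s1}, phase 2 {s2}"
        report[peer] = {"phase1": s1, "phase2": s2,
                        "send_errors": info["send_errors"] if info else 0,
                        "verdict": verdict}
    return report


if __name__ == "__main__":
    for label, a, b in (("negotiating", ISAKMP_SA_NEGOTIATING, IPSEC_SA_NEGOTIATING),
                        ("active", ISAKMP_SA_UP, IPSEC_SA_UP)):
        for peer, r in diagnose(a, b).items():
            print(f"[{label}] {peer}: p1={r['phase1']} p2={r['phase2']} "
                  f"send_errors={r['send_errors']} -> {r['verdict']}")
```

Paste the real command output into the two text arguments of diagnose(); a peer reported as phase 1 "failed" with a zero outbound SPI and climbing send errors matches the "negotiating" router in this thread, while QM_IDLE plus non-zero SPIs matches the "active" one.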
10-14-2022 05:19 AM
Router 1 (which is always negotiating)
WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
WT#sh crypto ipsec sa
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 192.168.8.250
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.1/255.255.255.255/47/0)
current_peer 101.244.32.1 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 491, #pkts encrypt: 491, #pkts digest: 491
#pkts decaps: 267, #pkts decrypt: 267, #pkts verify: 267
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5799, #recv errors 0
local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.1
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.6/255.255.255.255/47/0)
current_peer 101.244.32.6 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 1649, #pkts encrypt: 1649, #pkts digest: 1649
#pkts decaps: 637, #pkts decrypt: 637, #pkts verify: 637
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5799, #recv errors 0
local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.6
plaintext mtu 1442, path mtu 1500, ip mtu 1500, ip mtu idb (none)
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
WT#
Router 1 (which is always active)
kkrouter#sh crypto isakmp SA
IPv4 Crypto ISAKMP SA
dst src state conn-id status
101.244.32.6 192.168.8.250 QM_IDLE 2174 ACTIVE
101.244.32.1 192.168.8.250 QM_IDLE 2132 ACTIVE
101.244.32.67 192.168.8.250 QM_IDLE 2081 ACTIVE
IPv6 Crypto ISAKMP SA
kkrouter#SH CRYpto IPsec SA
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 192.168.8.250
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.6/255.255.255.255/47/0)
current_peer 101.244.32.6 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 969816, #pkts encrypt: 969816, #pkts digest: 969816
#pkts decaps: 807430, #pkts decrypt: 807430, #pkts verify: 807430
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 5517, #recv errors 0
local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.6
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0xFDE11F7B(4259389307)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xD3C0B560(3552621920)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4444912/3291)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xFDE11F7B(4259389307)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4440888/3291)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.67/255.255.255.255/47/0)
current_peer 101.244.32.67 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 40221, #pkts encrypt: 40221, #pkts digest: 40221
#pkts decaps: 40919, #pkts decrypt: 40919, #pkts verify: 40919
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 638, #recv errors 0
local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.67
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0x8F5F3FC3(2405384131)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xECC15878(3972094072)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 23, flow_id: Onboard VPN:23, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4424179/3533)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x5C61162C(1549866540)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 27, flow_id: Onboard VPN:27, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4533279/3564)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xB6C18670(3066136176)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 24, flow_id: Onboard VPN:24, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4424183/3533)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
spi: 0x8F5F3FC3(2405384131)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 28, flow_id: Onboard VPN:28, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4533282/3564)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.8.250/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (101.244.32.1/255.255.255.255/47/0)
current_peer 101.244.32.1 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 109226, #pkts encrypt: 109226, #pkts digest: 109226
#pkts decaps: 312635, #pkts decrypt: 312635, #pkts verify: 312635
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 12, #recv errors 43
local crypto endpt.: 192.168.8.250, remote crypto endpt.: 101.244.32.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet8
current outbound spi: 0x7DCBB8F3(2110503155)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6774F69A(1735718554)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 57, flow_id: Onboard VPN:57, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4505563/2343)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x7DCBB8F3(2110503155)
transform: esp-aes esp-sha-hmac ,
in use settings ={Transport UDP-Encaps, }
conn id: 58, flow_id: Onboard VPN:58, sibling_flags 80000006, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4508986/2343)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
10-14-2022 10:53 AM
WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
Please share the output of:
debug crypto isakmp
Note: disable the debug after you get the info.
10-15-2022 04:51 AM
After running the command it shows nothing.
10-15-2022 05:05 AM
Router 1 (which is always active)
kkrouter#sh crypto isakmp SA
IPv4 Crypto ISAKMP SA
dst src state conn-id status
101.244.32.6 192.168.8.250 QM_IDLE 2174 ACTIVE
101.244.32.1 192.168.8.250 QM_IDLE 2132 ACTIVE
101.244.32.67 192.168.8.250 QM_IDLE 2081 ACTIVE
Router 1 (which is always negotiating)
WT#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.6 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE
101.244.32.1 192.168.8.250 MM_NO_STATE 0 ACTIVE (deleted)
Two routers (I think you made a typo, so they are two different routers) and two tunnels, but the same tunnel source!!!
Can you elaborate, or am I in the wrong direction?
07-26-2023 05:45 PM
I have a similar issue, showing send errors:
interface: Tunnel101
Crypto map tag: Tunnel101-head-0, local addr 10.72.56.50
protected vrf: (none)
local ident (addr/mask/prot/port): (10.72.56.50/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (202.165.194.187/255.255.255.255/47/0)
current_peer 202.165.194.187 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 52, #recv errors 0
local crypto endpt.: 10.72.56.50, remote crypto endpt.: 202.165.194.187
plaintext mtu 1472, path mtu 1472, ip mtu 1472, ip mtu idb Tunnel101
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas: