ipsec security associations / idle timer

Discussion in 'Cisco' started by Graham Turner, Mar 25, 2008.

  1. I have previously posted an issue which I think is related, under the subject
    'reverse route injection'.

    It relates, I think, to the maintenance of the IPsec SAs for peers that are in
    fact Cisco VPN clients (Windows XP).

    Even though the VPN client connections are no longer valid, it seems the IOS
    (12.4) router is maintaining entries in the SA table, such that the peer
    addresses are listed in the output from:

    "show crypto ipsec sa detail"

    However, no such entry appears in "show crypto ipsec sa".

    Is this in fact an indication of the SA still being maintained, or have I
    misinterpreted it?

    If the former, then is it perhaps a matter of configuring the 'idle-timer'
    to purge these SAs even though the other timers are obviously exceeded?

    Help gladly received!
    Graham Turner, Mar 25, 2008
    #1

  2. News Reader (Guest)

    Are you taking note of the SA lifetime?

    I just looked at the IPSec SAs on a router here with the "show crypto
    ipsec sa", and moments later did so with "show crypto ipsec sa detail".

    It may just be a matter of timing; when you performed the show command
    versus when the SAs were to be refreshed.

    I've trimmed down the output and focussed on just the inbound SAs for
    simplicity.

    This output is from an IPSec+GRE tunnel between two sites. There are no
    other tunnels creating SAs in the SADB.


    Output from "show crypto ipsec sa":

    Note: The IPSec SA lifetime is near expiration (255 sec.).

    inbound esp sas:
    spi: 0x3576C964(896977252)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2003, flow_id: C1700_EM:3, crypto map: <cry-map-name removed>
    sa timing: remaining key lifetime (k/sec): (4479001/255)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE


    About 1-1/2 min. later, output from "show crypto ipsec sa detail":

    Note: New IPSec SA formed (lifetime remaining 3597 sec.) prior to
    expiration of pre-existing IPSec SA (lifetime remaining 162 sec.).

    inbound esp sas:
    spi: 0x3576C964(896977252)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2003, flow_id: C1700_EM:3, crypto map: <cry-map-name removed>
    sa timing: remaining key lifetime (k/sec): (4478994/162)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE
    spi: 0x2B5033A9(726676393)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2005, flow_id: C1700_EM:5, crypto map: <cry-map-name removed>
    sa timing: remaining key lifetime (k/sec): (4582282/3597)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE


    Output from "show crypto ipsec sa detail", repeated shortly thereafter:

    Note: New IPsec SA with remaining lifetime of 3476 sec., and old SA
    cleared from SADB.

    inbound esp sas:
    spi: 0x2B5033A9(726676393)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2005, flow_id: C1700_EM:5, crypto map: <cry-map-name removed>
    sa timing: remaining key lifetime (k/sec): (4582274/3476)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE


    Best Regards,
    News Reader

    News Reader, Mar 25, 2008
    #2
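    As an added example (not code from either poster), the following Python parses
    "show crypto ipsec sa detail" output of the kind quoted above and labels each
    inbound SA as 'current' or 'expiring', so the rekey overlap News Reader describes
    (a fresh SA alongside one near the end of its lifetime) can be picked out of a
    captured show output rather than by eye. The sample text is constructed from the
    output above; the crypto map name "cm-site" and the 300-second rekey window are
    assumptions.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa detail" output quoted in the
# thread: two inbound ESP SAs, the old one near expiry and its replacement freshly keyed.
SAMPLE = """\
inbound esp sas:
 spi: 0x3576C964(896977252)
   transform: esp-des esp-sha-hmac ,
   conn id: 2003, flow_id: C1700_EM:3, crypto map: cm-site
   sa timing: remaining key lifetime (k/sec): (4478994/162)
   Status: ACTIVE
 spi: 0x2B5033A9(726676393)
   transform: esp-des esp-sha-hmac ,
   conn id: 2005, flow_id: C1700_EM:5, crypto map: cm-site
   sa timing: remaining key lifetime (k/sec): (4582282/3597)
   Status: ACTIVE
"""

SPI_RE = re.compile(r"spi:\s*(0x[0-9A-Fa-f]+)")
CONN_RE = re.compile(r"conn id:\s*(\d+)")
LIFE_RE = re.compile(r"lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")
STATUS_RE = re.compile(r"Status:\s*(\w+)")

def parse_sas(text):
    """Return one dict per SA; a new record starts at every 'spi:' line."""
    sas, cur = [], None
    for line in text.splitlines():
        if (m := SPI_RE.search(line)):
            cur = {"spi": m.group(1)}
            sas.append(cur)
        elif cur is None:
            continue  # header text before the first SA
        elif (m := CONN_RE.search(line)):
            cur["conn_id"] = int(m.group(1))
        elif (m := LIFE_RE.search(line)):
            cur["kb_left"], cur["sec_left"] = int(m.group(1)), int(m.group(2))
        elif (m := STATUS_RE.search(line)):
            cur["status"] = m.group(1)
    return sas

def classify(sas, rekey_window=300):
    """Label each SA by SPI: 'expiring' when it is inside the rekey window (assumed
    300 s) and a fresher SA already exists, as in the thread's overlap; else 'current'."""
    freshest = max(s["sec_left"] for s in sas)
    labels = {}
    for s in sas:
        expiring = s["sec_left"] <= rekey_window and s["sec_left"] < freshest
        labels[s["spi"]] = "expiring" if expiring else "current"
    return labels
```

    Run against a second capture a few minutes later, an SA that is still listed
    after its replacement has taken over and its seconds have run out is the
    "lingering" case worth investigating.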

  3. News Reader, thanks for mailing back.

    My apologies for the typo in my post.

    I don't think the matter in my case is timing; 'show crypto ipsec detail'
    is in fact OK.

    It is the output from 'show crypto ipsec sa address' that shows the
    "lingering" SAs.

    Graham Turner, Mar 25, 2008
    #3