ipsec security associations / idle timer

I have posted an issue that I think is related previously, under the subject 'reverse route injection'.

It relates, I think, to the maintenance of the IPsec SAs for peers that are in fact Cisco VPN clients (Windows XP).

Even though the VPN client connections are no longer valid, it seems the IOS (12.4) router is maintaining entries in the SA table, such that the peer addresses are listed in the output from:

"show crypto ipsec sa detail "

However, no such entry appears in "show crypto ipsec sa".

Is this in fact an indication of the SA still being maintained, or have I misinterpreted it?

If the former, is it perhaps a matter of configuring the 'idle-timer' to purge these SAs even though the other timers are obviously exceeded?

Help gladly received!


Are you taking note of the SA lifetime?

I just looked at the IPSec SAs on a router here with the "show crypto ipsec sa", and moments later did so with "show crypto ipsec sa detail".

It may just be a matter of timing; when you performed the show command versus when the SAs were to be refreshed.

I've trimmed down the output and focussed on just the inbound SAs for simplicity.

This output is from an IPSec+GRE tunnel between two sites. There are no other tunnels creating SAs in the SADB.

Output from "show crypto ipsec sa"

Note: The IPSec SA lifetime is near expiration (255 sec.).

inbound esp sas:
  spi: 0x3576C964(896977252)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2003, flow_id: C1700_EM:3, crypto map:
    sa timing: remaining key lifetime (k/sec): (4479001/255)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

About 1-1/2 min. later, output from "show crypto ipsec sa detail"

Note: New IPSec SA formed (lifetime remaining 3597 sec.) prior to expiration of pre-existing IPSec SA (lifetime remaining 162 sec.).

inbound esp sas:
  spi: 0x3576C964(896977252)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2003, flow_id: C1700_EM:3, crypto map:
    sa timing: remaining key lifetime (k/sec): (4478994/162)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

  spi: 0x2B5033A9(726676393)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2005, flow_id: C1700_EM:5, crypto map:
    sa timing: remaining key lifetime (k/sec): (4582282/3597)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

Output from "show crypto ipsec sa detail" repeated shortly thereafter.

Note: New IPsec SA with remaining lifetime of 3476 sec., and old SA cleared from SADB.

inbound esp sas:
  spi: 0x2B5033A9(726676393)
    transform: esp-des esp-sha-hmac ,
    in use settings ={Transport, }
    conn id: 2005, flow_id: C1700_EM:5, crypto map:
    sa timing: remaining key lifetime (k/sec): (4582274/3476)
    IV size: 8 bytes
    replay detection support: Y
    Status: ACTIVE

Best Regards, News Reader
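As an added example (not code from either poster), a small Python parser for the flattened "show crypto ipsec sa detail" text above: it pulls out each ESP SA and tells the normal rekey overlap that the reply describes (one SA near expiry plus one freshly formed SA, both ACTIVE) apart from any other state. The 300-second "near expiry" window is an assumed threshold, not an IOS value.

```python
import re
from dataclasses import dataclass

# Constructed sample: the mid-rekey output quoted in the reply above,
# flattened onto one line the way the forum rendered it.
SAMPLE_DETAIL = (
    "inbound esp sas: spi: 0x3576C964(896977252) transform: esp-des esp-sha-hmac , "
    "in use settings ={Transport, } conn id: 2003, flow_id: C1700_EM:3, crypto map: "
    "sa timing: remaining key lifetime (k/sec): (4478994/162) IV size: 8 bytes "
    "replay detection support: Y Status: ACTIVE "
    "spi: 0x2B5033A9(726676393) transform: esp-des esp-sha-hmac , "
    "in use settings ={Transport, } conn id: 2005, flow_id: C1700_EM:5, crypto map: "
    "sa timing: remaining key lifetime (k/sec): (4582282/3597) IV size: 8 bytes "
    "replay detection support: Y Status: ACTIVE"
)

# One ESP SA entry: SPI, conn id, remaining kilobytes/seconds, status.
SA_RE = re.compile(
    r"spi:\s*0x(?P<spi>[0-9A-Fa-f]+)\(\d+\).*?"
    r"conn id:\s*(?P<conn>\d+).*?"
    r"remaining key lifetime \(k/sec\):\s*\((?P<kb>\d+)/(?P<sec>\d+)\).*?"
    r"Status:\s*(?P<status>\w+)",
    re.S,
)

@dataclass
class EspSa:
    spi: str
    conn_id: int
    kb_left: int
    sec_left: int
    status: str

def parse_esp_sas(text: str) -> list:
    """Return every ESP SA found in (possibly flattened) show output."""
    return [EspSa(m["spi"].upper(), int(m["conn"]), int(m["kb"]),
                  int(m["sec"]), m["status"]) for m in SA_RE.finditer(text)]

def classify(sas: list, rekey_window: int = 300) -> dict:
    """Group SPIs as 'expiring' (inside the assumed rekey window, i.e. the old
    SA that will soon be cleared from the SADB) or 'current' (fresh SA)."""
    out = {"expiring": [], "current": []}
    for sa in sas:
        out["expiring" if sa.sec_left <= rekey_window else "current"].append(sa.spi)
    return out

def is_rekey_overlap(sas: list, rekey_window: int = 300) -> bool:
    """True only for the transient state the reply shows: exactly one SA about
    to expire plus exactly one new SA, both ACTIVE. Anything else (e.g. several
    old SAs lingering with no replacement) is worth a closer look."""
    groups = classify(sas, rekey_window)
    return (len(groups["expiring"]) == 1 and len(groups["current"]) == 1
            and all(sa.status == "ACTIVE" for sa in sas))
```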


News Reader, thanks for the mail back.

My apologies for my typo in the post.

I don't think the matter in my case is timing; 'show crypto ipsec detail' is in fact OK.

It is the output from 'show crypto ipsec sa address' that shows the "lingering" SAs.
