New IPsec Troubleshooting Features

There are two new IPsec troubleshooting features you can use in the IOS:

  • IPsec VPN Monitoring: IOS 12.3(4)T
  • Invalid Security Parameter Index Recovery: IOS 12.3(2)T

The following three sections will discuss both of these features.

IPsec VPN Monitoring Feature

IPsec VPN monitoring is a feature new in IOS 12.3(4)T. This feature allows you to monitor VPN sessions to provide for enhanced troubleshooting. These enhancements include:

  • Adding a description to IKE peers so that it becomes easier to identify the peer other than using their IP address or FQDN.
  • Clearing a crypto session: before IOS 12.3(4)T, you had to clear both the Phase 1 and 2 connections to a peer individually to tear down the crypto session; in IOS 12.3(4)T, you can tear down both sets of connections with a single command.

The following two sections will discuss these enhancements.

Configuring IKE Peer Descriptions

To configure IKE peer descriptions, use the following configuration:

Router(config)# crypto isakmp peer {address peer_IP_address |
 hostname peer_hostname}
Router(config-isakmp-peer)# description description

You first must specify the identity of the peer (based on the configuration of the crypto isakmp identity command), which takes you into a subcommand mode. The description command allows you to assign a 80-character description, including spaces, for the remote peer. This description will then appear in the output of various show commands.


If multiple remote peers sit behind the same PAT device, you cannot use address as an identity type for a description, since they'll all have the same IP address.


Seeing Peer Descriptions in show Commands

There are two show commands that take advantage of the use of descriptions:

  • show crypto isakmp peer [IP_address_of_peer] Briefly displays the IPsec peer connections and descriptions. Example 19-17 illustrates the use of this command, where the local peer ( is connected to the remote peer A description of "Connection to SiteA" was assigned to this peer.

    Example 19-17. Using the show crypto isakmp peer Command

    RTRA# show crypto isakmp peer
    Peer: Port: 500 Local:
     Description: Connection to SiteA
     Phase1 id:
  • show crypto session[local local_IP_address] [remote remote_IP_address] [detail] Displays status information for active crypto map sessions. Example 19-18 illustrates the use of this command without the detail parameter and 19-19 with it. In Example 19-18, you can see the peer the router is connected to ( and that the management and two data connections were built. Table 19-1 explains the statuses that can appear in the output of this command. If no flow exists, this could be because a dynamic crypto map is being used. Example 19-19, with the detail parameter, shows more information, including the description and the number of packets encrypted and decrypted.

Example 19-18. Using the show crypto session Command

RTRA# show crypto session
Crypto session current status
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: port 500
 IKE SA: local remote Active
 IPSEC FLOW: permit ip
 Active SAs: 2, origin: crypto map

Table 19-1. Status of VPN Sessions


IPsec SAs

VPN Tunnel Status

Exists, active

Exists (flow exists)


Exists, active

None (flow exists)


Exists, active

None (no flow exists)


Exists, inactive

Exists (flow exists)


Exists, inactive

None (flow exists)


Exists, inactive

None (no flow)



Exists (flow exists)



None (flow exists)



None (no flow exists)



Example 19-19. Using the show crypto session detail Command

RTRA# show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: Ethernet0/0
Session status: UP-ACTIVE
Peer: port 500 fvrf: (none) ivrf: (none)
 Desc: Connection to SiteA
 IKE SA: local remote Active
 Capabilities:D connid:2 lifetime:23:48:48
 IPSEC FLOW: permit ip
 Active SAs: 2, origin: crypto map
 Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4479991/2929
 Outbound: #pkts enc'ed 9 drop 0 life (KB/Sec) 4479991/2929


I prefer to use the show crypto isakmp peer command over the show crypto isakmp sa command because the former gives me a brief description of the connection. I also prefer to use the show crypto session command over the show crypto ipsec sa command because the former easily summarizes the important information in a short display. The latter display is too verbose for me for a quick determination of whether either the Phase 1 or 2 SAs have been established.


Clearing Crypto Sessions

Another new feature introduced with the IKE description feature is the ability to delete all IKE and IPsec SAs associated with all peers or a specific peer. Before this enhancement, you had to delete the management and data SAs individually. Use the following command to delete all SAs associated with a peer or peers:

Router# clear crypto session
 [local local_IP_address [port local-port]]
 [remote ip-address [port remote-port]]

When you execute this command, the session(s) torn down will have "DOWN-NEGOTIATING" as the status in the output of the show crypto session command, indicating that the SAs are either completely down or in the process of being brought back up.

Invalid Security Parameter Index Recovery Feature

The invalid security parameter index (SPI) recovery feature was introduced in IOS 12.3(2)T and integrated into 12.2(18)SXE. This feature allows the router to recover from an invalid security parameter index error (displayed as Invalid SPI in the output of the debug crypto ipsec command. With this feature, the IPsec peers can resynchronize their SA databases and successfully bring up the data connections. The following two sections will discuss more information about how an invalid SPI condition can occur and how to enable the feature.

Invalid SPI Condition and the Invalid SPI Recovery Feature

An invalid SPI condition can occur if one IPsec peer dies (is shut down, is rebooted, has its interface reset, loses its management connection to a peer, and so on) and has an existing IPsec session to a remote peer. The remote peer still might try to use the SA even though a new one is built (with a new SA). The old SPI value from the old SA is no longer in the local peer, and the peer will respond with an "INVALID SPI NOTIFY" message to the remote peer, indicating that the data SA that the remote peer is trying to use is no longer available. The local peer's default action is to continue dropping traffic from the invalid SA (commonly referred to as a "black hole").

Upon receiving the "INVALID SPI NOTIFY" message, the default behavior of the local peer is to drop traffic. With the recovery feature enabled on both routers, the remote router will understand that an abnormal condition occurred with the local peer and that the remote peer should delete the existing SAs and establish new ones.


Dead Peer Detection (DPD) can also detect this problem; however, DPD might take longer to detect it, depending on the keepalive interval. The Invalid SPI Recovery feature is more similar to the Initial Contact supported by Easy VPN devices.


Invalid SPI Recovery Configuration

To enable the invalid SPI recovery feature, use the following command:

Router(config)# crypto isakmp invalid-spi-recovery

This should be configured on all IOS routers that have peer relationships. Once enabled, you can use the debug crypto ipsec and show crypto ipsec sa commands to verify that the feature is enabled. When an invalid SPI condition exists, you'll see a message similar to Example 19-20, where the destination and source addresses are replaced by the peer addresses. In this example, a data SA using ESP was determined to be invalid.

Example 19-20. Message from an Invalid SPI Condition

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has
 invalid spi for destaddr=x.x.x.x, prot=50,
 spi=0x1214F0D(18960141), srcaddr=y.y.y.y


To test the configuration of the invalid SPI recovery feature, from the local peer, bring up an IPsec session to a remote peer (if one doesn't exist). On the local peer, execute the debug crypto ipsec command. Clear the Phase 1 and 2 SAs on the remote peer. From the local peer, send traffic to the remote peer. A small number of packets might be dropped, but on the remote peer you should see the message in Example 19-20 and on the local peer you should see the old data SAs torn down from the debug output and new ones built.


A denial of service (DoS) attack can occur if the invalid SPI recovery is enabled. The feature has a built-in mechanism to reduce the likelihood of this occurring, but there is still a chance that a DoS can occur; therefore, Cisco has disabled this feature by default, requiring you to enable it manually.

Part I: VPNs

Overview of VPNs

VPN Technologies




Part II: Concentrators

Concentrator Product Information

Concentrator Remote Access Connections with IPsec

Concentrator Remote Access Connections with PPTP, L2TP, and WebVPN

Concentrator Site-to-Site Connections

Concentrator Management

Verifying and Troubleshooting Concentrator Connections

Part III: Clients

Cisco VPN Software Client

Windows Software Client

3002 Hardware Client

Part IV: IOS Routers

Router Product Information

Router ISAKMP/IKE Phase 1 Connectivity

Router Site-to-Site Connections

Router Remote Access Connections

Troubleshooting Router Connections

Part V: PIX Firewalls

PIX and ASA Product Information

PIX and ASA Site-to-Site Connections

PIX and ASA Remote Access Connections

Troubleshooting PIX and ASA Connections

Part VI: Case Study

Case Study


The Complete Cisco VPN Configuration Guide
The Complete Cisco VPN Configuration Guide
ISBN: 1587052040
EAN: 2147483647
Year: 2006
Pages: 178
Authors: Richard Deal © 2008-2020.
If you may any questions please contact us: