I assume the peer IP we use is the WAN interface of the Cisco ASA and never the gateway of the ISP, right? Also, all routes should go to the same IP of the WAN interface, right?
So we have two Cisco ASA 5500 series and two ISPs connected for redundancy. We want to route the traffic to go through our ISP2. But the issue I don’t have experience with is that this ISP doesn’t route our static IPs for us. We have a block of static IPs facing the public, and have to have a router which points all the traffic to our router/gateway, which points all the traffic to the ISP.
Setting up the site-to-site VPN, I’ve set it up to exit the ISP2 interface, which has an assigned static IP on our ASA, but can’t seem to get things working. Right now, all traffic has a static rule to send all traffic to the ISP gateway on the router on the edge going to the hand-off.
Configs of both sites’ ASAs are below, along with the show crypto ipsec sa and trace routes. Usually the first trace route fails; not sure if this is normal? The second time usually always works and we can see the session start up in the ASDM session profile. However, can’t ping between networks. Ideas?
Site A
----------------------------------------------------
Objects
----------------------------------------------------
object network DataSeg13
subnet 10.113.0.0 255.255.0.0
object network SiteBRemote10.1.10.0Network
subnet 10.1.10.0 255.255.255.248
----------------------------------------------------
Define IKEv2 Policy:
----------------------------------------------------
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable ISP_2_WANInterface
----------------------------------------------------
Define IPsec Transform Set:
----------------------------------------------------
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
----------------------------------------------------
Create Tunnel Group:
----------------------------------------------------
tunnel-group [SITE B PUBLIC WAN IP] type ipsec-l2l
tunnel-group [SITE B PUBLIC WAN IP] general-attributes
default-group-policy GroupPolicy_[SITE B PUBLIC WAN IP]
tunnel-group [SITE B PUBLIC WAN IP] ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
----------------------------------------------------
Configure Crypto Map:
----------------------------------------------------
crypto map ISP_2_WANInterface_map 3 match address ISP_2_WANInterface_cryptomap
crypto map ISP_2_WANInterface_map 3 set peer [SITE B PUBLIC WAN IP]
crypto map ISP_2_WANInterface_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map ISP_2_WANInterface_map interface ISP_2_WANInterface
crypto map ISP_2_WANInterface_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
----------------------------------------------------
Define Access List for VPN Traffic:
----------------------------------------------------
access-list ISP_2_WANInterface_cryptomap extended permit ip object DataSeg13 object SiteBRemote10.1.10.0Network
----------------------------------------------------
Static Route and Static Path to Direct VPN Traffic to ISP2:
----------------------------------------------------
route ISP_2_WANInterface 0.0.0.0 0.0.0.0 [SITE A WAN IP OF THE GATEWAY] 5
route ISP_2_WANInterface 10.1.10.0 255.255.255.248 [SITE A WAN IP OF THE GATEWAY] 1
Site B
----------------------------------------------------
Objects
----------------------------------------------------
object network 10.113.0.0-network
subnet 10.113.0.0 255.255.0.0
----------------------------------------------------
Define IKEv2 Policy
----------------------------------------------------
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
----------------------------------------------------
Define IPsec Transform Set
----------------------------------------------------
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
----------------------------------------------------
Create Tunnel Group
----------------------------------------------------
tunnel-group [SITE A PUBLIC WAN IP] type ipsec-l2l
tunnel-group [SITE A PUBLIC WAN IP] general-attributes
default-group-policy GroupPolicy_[SITE A PUBLIC WAN IP]
tunnel-group [SITE A PUBLIC WAN IP] ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
----------------------------------------------------
Configure Crypto Map
----------------------------------------------------
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer [SITE A PUBLIC WAN IP]
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map interface outside
----------------------------------------------------
Define Access List for VPN Traffic
----------------------------------------------------
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.248 object 10.113.0.0-network
access-list outside_cryptomap_1 extended permit ip 10.1.10.0 255.255.255.0 object 10.113.0.0-network
access-list outside_cryptomap_2 extended permit ip 10.1.10.0 255.255.255.0 object 10.113.0.0-network
access-list SITE_A_OFFICE_ACCESS extended deny ip 10.113.0.0 255.255.255.0 host 10.1.10.1 log
access-list SITE_A_OFFICE_ACCESS extended permit ip 10.113.0.0 255.255.0.0 10.1.10.0 255.255.255.248 log
----------------------------------------------------
Static Route and Static Path to Direct VPN Traffic to ISP1:
----------------------------------------------------
route outside 0.0.0.0 0.0.0.0 [SITE B WAN IP OF THE GATEWAY] 1
SHOW LOGS
ASA-1/pri/act# show crypto ipsec sa
Doesn’t show the active VPN connection
ASA-1/pri/act# packet-tracer input inside tcp 10.113.1.11 500 10.1.10.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842969c270, priority=1, domain=permit, deny=false
hits=4040842493, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop [SITE A WAN IP OF THE GATEWAY] using egress ifc ISP_2_WANInterface
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface ISP_2_WANInterface
Untranslate 10.1.10.1/500 to 10.1.10.1/500
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8429682c10, priority=13, domain=permit, deny=false
hits=51084378, user_data=0x7f841ed55ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842aa194d0, priority=7, domain=conn-set, deny=false
hits=56857924, user_data=0x7f842aa15340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.113.1.11/500 to 10.113.1.11/500
Forward Flow based lookup yields rule:
in id=0x7f842758d3a0, priority=6, domain=nat, deny=false
hits=14, user_data=0x7f8429e166d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=ISP_2_WANInterface
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
hits=110098636, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f84296a38b0, priority=0, domain=inspect-ip-options, deny=true
hits=68976842, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842b2e5d40, priority=71, domain=sfr, deny=false
hits=70517966, user_data=0x7f842abc8bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8429a56720, priority=20, domain=lu, deny=false
hits=46497807, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: VPN
Subtype: encrypt
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f842a925010, priority=70, domain=encrypt, deny=false
hits=11, user_data=0x0, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=ISP_2_WANInterface
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP_2_WANInterface
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
----------------------------------------------------
TRIED AGAIN SAME THING
----------------------------------------------------
ASA-1/pri/act#
ASA-1/pri/act# packet-tracer input inside tcp 10.113.1.11 500 10.1.10.$
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842969c270, priority=1, domain=permit, deny=false
hits=4041271514, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=inside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop [SITE A WAN IP OF THE GATEWAY] using egress ifc ISP_2_WANInterface
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface ISP_2_WANInterface
Untranslate 10.1.10.1/500 to 10.1.10.1/500
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8429682c10, priority=13, domain=permit, deny=false
hits=51088859, user_data=0x7f841ed55ec0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842aa194d0, priority=7, domain=conn-set, deny=false
hits=56862405, user_data=0x7f842aa15340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
Static translate 10.113.1.11/500 to 10.113.1.11/500
Forward Flow based lookup yields rule:
in id=0x7f842758d3a0, priority=6, domain=nat, deny=false
hits=15, user_data=0x7f8429e166d0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=ISP_2_WANInterface
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
hits=110106939, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f84296a38b0, priority=0, domain=inspect-ip-options, deny=true
hits=68982554, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 9
Type: SFR
Subtype:
Result: ALLOW
Config:
class-map sfr
match access-list sfr_redirect
policy-map global_policy
class sfr
sfr fail-open monitor-only
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f842b2e5d40, priority=71, domain=sfr, deny=false
hits=70522700, user_data=0x7f842abc8bd0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 10
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f8429a56720, priority=20, domain=lu, deny=false
hits=46500984, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f842ca06180, priority=70, domain=encrypt, deny=false
hits=1, user_data=0x578216c, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=ISP_2_WANInterface
Phase: 12
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,ISP_2_WANInterface) source static DataSeg13 DataSeg13 destination static SiteBRemote10.1.10.0NetworkNetwork SiteBRemote10.1.10.0NetworkNetwork no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f842e137ac0, priority=6, domain=nat-reverse, deny=false
hits=15, user_data=0x7f8429e1a5a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=ISP_2_WANInterface
Phase: 13
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f842c94a2a0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=1, user_data=0x5784a2c, cs_id=0x7f842a8beb40, reverse, flags=0x0, protocol=0
src ip/id=10.1.10.0, mask=255.255.255.248, port=0, tag=any
dst ip/id=DataSeg13, mask=255.255.0.0, port=0, tag=any, dscp=0x0
input_ifc=ISP_2_WANInterface, output_ifc=any
Phase: 14
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f84288c6380, priority=0, domain=nat-per-session, deny=false
hits=110106941, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 15
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7f842963f140, priority=0, domain=inspect-ip-options, deny=true
hits=9583840, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=ISP_2_WANInterface, output_ifc=any
Phase: 16
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 77534832, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_sfr
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_sfr
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: ISP_2_WANInterface
output-status: up
output-line-status: up
Action: allow
Show ipsec sa results after doing the packet tracer: the VPN session shows in show ipsec sa. But no data, and can’t ping any devices over there.
interface: ISP_2_WANInterface
Crypto map tag: ISP_2_WANInterface_map, seq num: 3, local addr: [IP of WAN INTERFACE OF ASA_ISP2]
access-list ISP_2_WANInterface_cryptomap extended permit ip 10.113.0.0 255.255.0.0 10.1.10.0 255.255.255.248
local ident (addr/mask/prot/port): (DataSeg13/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.10.0/255.255.255.248/0/0)
current_peer: [SITE B PUBLIC WAN IP]
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: [IP of WAN INTERFACE OF ASA_ISP2]/500, remote crypto endpt.: [SITE B PUBLIC WAN IP]/500
path mtu 1500, ipsec overhead 74(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: C00A8628
current inbound spi : 30B4CF8E
inbound esp sas:
spi: 0x30B4CF8E (817155982)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 247746560, crypto-map: ISP_2_WANInterface_map
sa timing: remaining key lifetime (kB/sec): (4147200/28771)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
outbound esp sas:
spi: 0xC00A8628 (3221915176)
SA State: active
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv2, }
slot: 0, conn_id: 247746560, crypto-map: ISP_2_WANInterface_map
sa timing: remaining key lifetime (kB/sec): (4008960/28771)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
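
An added example, not part of the original post: a Python check of whether the crypto ACL that each site's crypto map entry 3 references is an exact mirror of the peer's, using the object, `match address` and crypto ACL lines from the two configs above. It parses only the `object network`/`subnet` and `extended permit ip` forms seen in the post, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed input: object, "match address" and crypto ACL lines copied from
# the two configs in the post (other ACL entries omitted).
SITE_A = """\
object network DataSeg13
 subnet 10.113.0.0 255.255.0.0
object network SiteBRemote10.1.10.0Network
 subnet 10.1.10.0 255.255.255.248
crypto map ISP_2_WANInterface_map 3 match address ISP_2_WANInterface_cryptomap
access-list ISP_2_WANInterface_cryptomap extended permit ip object DataSeg13 object SiteBRemote10.1.10.0Network
"""
SITE_B = """\
object network 10.113.0.0-network
 subnet 10.113.0.0 255.255.0.0
crypto map outside_map 3 match address outside_cryptomap_2
access-list outside_cryptomap extended permit ip 10.1.10.0 255.255.255.248 object 10.113.0.0-network
access-list outside_cryptomap_2 extended permit ip 10.1.10.0 255.255.255.0 object 10.113.0.0-network
"""

def parse_objects(cfg):
    """Map each 'object network NAME' to the subnet on the line after it."""
    objs, name = {}, None
    for line in cfg.splitlines():
        head = re.match(r"object network (\S+)", line)
        sub = re.match(r"\s+subnet (\S+) (\S+)", line)
        if sub and name:
            objs[name] = ipaddress.ip_network(f"{sub.group(1)}/{sub.group(2)}")
        name = head.group(1) if head else None
    return objs

def take_net(tok, objs):
    """Consume one address spec: object NAME | host IP | any | IP MASK."""
    if tok[0] == "object":
        return objs[tok[1]], tok[2:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1]), tok[2:]
    if tok[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def crypto_selectors(cfg, seq):
    """(local, remote) networks of the ACL that crypto map entry seq matches."""
    m = re.search(rf"^crypto map \S+ {seq} match address (\S+)$", cfg, re.M)
    if not m:
        raise ValueError(f"no 'match address' for crypto map entry {seq}")
    objs, pairs = parse_objects(cfg), set()
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:5] == ["access-list", m.group(1), "extended", "permit", "ip"]:
            src, rest = take_net(tok[5:], objs)
            dst, _ = take_net(rest, objs)
            pairs.add((src, dst))
    return pairs

def mirror_mismatches(cfg_a, seq_a, cfg_b, seq_b):
    """Selectors on each side that have no exact swapped twin on the other."""
    a, b = crypto_selectors(cfg_a, seq_a), crypto_selectors(cfg_b, seq_b)
    only_a = sorted(f"{s} -> {d}" for s, d in a if (d, s) not in b)
    only_b = sorted(f"{s} -> {d}" for s, d in b if (d, s) not in a)
    return only_a, only_b

if __name__ == "__main__":
    print(mirror_mismatches(SITE_A, 3, SITE_B, 3))
```

On the configs as posted, it reports Site A's 10.113.0.0/16 -> 10.1.10.0/29 entry and Site B's 10.1.10.0/24 -> 10.113.0.0/16 entry (from `outside_cryptomap_2`) as having no mirror on the other side.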