Cuando vemos incrementarse el contador de send errors en la salida del comando "show crypto ipsec sa" una de las causas (en realidad, la única que conozco) es la ausencia de SA en el otro extremo.
Router#sh crypto ipsec sa peer 172.20.1.241
interface: FastEthernet0/0
Crypto map tag: banca, local addr. 172.20.1.244
protected vrf:
local ident (addr/mask/prot/port): (172.30.64.0/255.255.255.224/0/0)
remote ident (addr/mask/prot/port): (172.16.92.0/255.255.252.0/0/0)
current_peer: 172.20.1.241:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5614, #pkts encrypt: 5614, #pkts digest 5614
#pkts decaps: 4347, #pkts decrypt: 4347, #pkts verify 4347
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 216, #recv errors 0
local crypto endpt.: 172.20.1.244, remote crypto endpt.: 172.20.1.241
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: F9473A2C
inbound esp sas:
spi: 0x73AA97B0(1940559792)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5597, flow_id: 6669, crypto map: banca
sa timing: remaining key lifetime (k/sec): (4550261/721)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF9473A2C(4182194732)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 5598, flow_id: 6670, crypto map: banca
sa timing: remaining key lifetime (k/sec): (4550329/721)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
Si al limpiar los tuneles, la SA se establece, una de las posibles causas puede ser que se haya alcanzado la cantidad maxima de tuneles en algunos de los extremos...
Router#sh crypto eli
Hardware Encryption Layer : ACTIVE
Number of crypto engines = 1 .
CryptoEngine-0 (slot-0) details.
Capability-IPSec : IPPCP, 3DES, AES, NoRSA
IKE-Session : 0 active, 150 max, 0 failed
DH-Key : 0 active, 150 max, 0 failed
IPSec-Session : 300 active, 300 max, 200437 failed
