vpn isakmp strange

Mar 21st, 2007
Hi guys, I need your help with this. I developed a simple site-to-site VPN between 2 routers on a serial link in my lab. I connected 1 PC to routerA eth 0 and the other PC to routerB eth 0. Now I ping from both ends and the tunnel is established successfully (I verified using sh cry isakmp sa, sh cry ipsec sa). Now I cleared ISAKMP with clear crypto isakmp on routerA and it got deleted, check this:

RA#sh crypto isakmp sa

dst src state conn-id slot status

11.0.0.1 11.0.0.2 MM_NO_STATE 1 0 ACTIVE (deleted)

Now I thought that the tunnel was torn down. I again issued a ping from 1 PC and it was successful, so I checked again with sh cry isakmp sa but it was empty! I checked sh cry ipsec sa and it was still encapsulating the packets, meaning the phase 2 tunnel was still up! How is this possible? After I terminated ISAKMP, how is it possible that the phase 2 tunnel is still up? Please tell me.

thanks in advance

Jon Marshall Thu, 03/22/2007 - 01:09
Hi


If you want to tear the tunnel down completely you need:


1) clear crypto isakmp sa

2) clear crypto ipsec sa


Tearing down the phase 1 connection will not necessarily tear down phase 2.


HTH


Jon
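
An added example, not part of the original thread: a small check that flags peers which still have phase 2 (IPsec) SAs installed while no established phase 1 (ISAKMP) SA exists for them, the state described in the question. The sample command output, the crypto map name and the function names are constructed for illustration, and the parsing assumes the classic IOS layout of `show crypto isakmp sa` and `show crypto ipsec sa`.

```python
import re

# Constructed sample output for illustration (not captured from the poster's routers).
ISAKMP_SA = """\
dst             src             state          conn-id slot status
11.0.0.1        11.0.0.2        MM_NO_STATE          1    0 ACTIVE (deleted)
"""
IPSEC_SA = """\
interface: Serial0/0
    Crypto map tag: LABVPN, local addr 11.0.0.1
   current_peer 11.0.0.2 port 500
    #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7081(1584361601)
"""

def live_phase1_addrs(isakmp_out):
    """Addresses in ISAKMP SAs that are established (QM_IDLE) and not marked deleted."""
    addrs = set()
    for line in isakmp_out.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "QM_IDLE" and "(deleted)" not in line:
            addrs.update(fields[:2])  # dst and src columns
    return addrs

def phase2_peers(ipsec_out):
    """Map each current_peer address to the number of ESP SPIs installed for it."""
    peers, current = {}, None
    for line in ipsec_out.splitlines():
        m = re.search(r"current_peer:?\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m:
            current = m.group(1)
            peers.setdefault(current, 0)
        elif current and re.match(r"\s*spi:\s+0x[0-9A-Fa-f]+", line):
            peers[current] += 1
    return peers

def orphaned_phase2(isakmp_out, ipsec_out):
    """Peers that still have IPsec SAs but no established ISAKMP SA."""
    live = live_phase1_addrs(isakmp_out)
    return sorted(p for p, n in phase2_peers(ipsec_out).items() if n and p not in live)

if __name__ == "__main__":
    for peer in orphaned_phase2(ISAKMP_SA, IPSEC_SA):
        print(f"{peer}: IPsec SAs still installed, no established ISAKMP SA")
```

An empty result after both clear commands is the confirmation that the tunnel is fully down; checking `show crypto isakmp sa` alone is not.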

shaila_rox Fri, 03/23/2007 - 23:09
Thanks for the reply Jon, can you also please refer to a Cisco doc which defines this problem?

thanks again in advance
