Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
268
Views
5
Helpful
2
Replies

vpn isakmp strange

shaila_rox
Level 1
Level 1

‎03-21-2007 11:37 PM

hi guys need ur help in this, i developed a simple site to site vpn between 2 routers on a serial link in my lab, i connected 1 pc to routerA eth 0 and other pc to routerB eth 0. now i ping from both ends and the tunnel established successfully ( i verified using sh cry isakmp sa, sh cry ipsec sa ) now i cleared isakmp by clear crypto isakmp on routerA and it got deleted check this

RA#sh crypto isakmp sa

dst src state conn-id slot status

11.0.0.1 11.0.0.2 MM_NO_STATE 1 0 ACTIVE (deleted)

now i thought that the tunnel is torn down, i again issued ping from 1 pc it got successful, so i checked again by sh cry isakmp sa but it was empty !!! i checked sh cry ipsec sa and it was still encaps the packets mean phase 2 tunnel was still up !! how is this possible after i terminated iskamp how is it possbile that phase2 tunnel is still up ??? plz tell me

thanks in advance

Labels:
0 Helpful
2 Replies 2

Jon Marshall
Hall of Fame
Hall of Fame

‎03-22-2007 01:09 AM

Hi

IF you want to tear the tunnel down completely you need

1) clear crypto isakmp sa

2) clear crypto ipsec sa

Tearing down the phase 1 connection will not necessarily tear down phase 2

HTH

Jon

shaila_rox
Level 1
Level 1
In response to Jon Marshall

‎03-23-2007 11:09 PM

thanks for the reply jon, can u also plz refer to a cisco doc which defines this problem ?

thanks again in advance

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents