ASA 5520 v7.2 - VPN site to site problem and clear command

networkingib · ‎08-16-2007

Hi all,

I am getting some problems with a Site to Site VPN from the last two weeks. In some occasions it stops to send traffic through the VPN without any apparent reason. I have other VPNs that continue working fine. While it is failing I have run the command "show crypto isakmp sa" and I have found that I have two entries for the peer that is failing:

9 IKE Peer: x.x.x.x

Type: L2L Role: responder

Rekey: no State: AM_REKEY_DONE_H2

10 IKE Peer: x.x.x.x

Type: L2L Role: initiator

Rekey: yes State: MM_ACTIVE_REKEY

Any idea about what is happening?

On the other hand at the moment the only way to solve this has been using the command "clear crypto isakmp sa" but the problem is that this command clear all the entries and I lose the connectivity in all the other tunnels until the are established again. Is there any way to clear only the tunnel that has problems?

Regards, Fernando.

didyap · ‎08-22-2007

ISAKMP key will stay active if you use this command

msdesai · ‎08-22-2007

Hi Fernando,

Yes, you can use "clear crypto session remote x.x.x.x " to reset the tunnel.

This command allows you to clear both IKE and IPSec with a single command and you can specify remote peer IP address to clear only single tunnel.

HTH

MD

networkingib · ‎08-23-2007

Hi MD,

I have tried to use the command that you said but that option doesn't appear in my ASA.

asa# clear crypto ?

accelerator Clear accelerator statistics

ca Certification authority

ipsec Clear IPsec operational data

isakmp Clear ISAKMP operational data

protocol Clear protocol statistics

asa(config)# clear crypto ?

exec mode commands/options: