ISAKMP SA Conn-id Constantly Changing

Unanswered Question
Mar 4th, 2008


My new IPSec tunnel shows a constantly changing conn-id in the output of the show cryp is sa command:

sh cry is sa

dst   src   state         conn-id  slot  status
            QM_IDLE           141     0  ACTIVE
            MM_NO_STATE       140     0  ACTIVE (deleted)
            MM_NO_STATE       138     0  ACTIVE (deleted)
            MM_NO_STATE       139     0  ACTIVE (deleted)

The 'QM_IDLE' is active for a few seconds, then is (deleted); a new 'QM_IDLE' comes up.

What could be the possible reason?

cleidh_mor Tue, 03/04/2008 - 04:09

Very hard to say without more info, but it could well be a mis-match in the settings somewhere. Check your settings match at both ends. Try looking at the output of:

- deb crypto isakmp

- deb crypto ipsec

Chuan Liu Tue, 03/04/2008 - 09:39

IPSec SAs are there. Traffic goes through the tunnel, but with lots of packet loss (about 10%).

Chuan Liu Tue, 03/04/2008 - 13:25


Problem is solved by disabling CEF and NetFlow.

Is this a bug?

cleidh_mor Wed, 03/05/2008 - 02:26

It could be, what's at either end? What s/w version are they running? What's the set up; is it just a simple site-site VPN or are you using GRE as well?

Chuan Liu Wed, 03/05/2008 - 11:34

The other end is an ASA. I was using IOS c1841-advsecurityk9-mz.123-14.T7. Last night I changed to c1841-spservicesk9-mz.124-9.T7 and all is working fine.


