ISAKMP SA Conn-id Constantly Changing

Chuan Liu
Level 1

Hi,

My new IPSec tunnel shows a constantly changing conn-id in the output of the show cryp is sa command:

sh cry is sa

dst             src             state          conn-id slot status
192.168.1.1     172.16.1.1      QM_IDLE            141    0 ACTIVE
192.168.1.1     172.16.1.1      MM_NO_STATE        140    0 ACTIVE (deleted)
192.168.1.1     172.16.1.1      MM_NO_STATE        138    0 ACTIVE (deleted)
192.168.1.1     172.16.1.1      MM_NO_STATE        139    0 ACTIVE (deleted)

The 'QM_IDLE' is active for a few seconds, then is (deleted); a new 'QM_IDLE' comes up.

What could be the possible reason?

5 Replies

cleidh_mor
Level 1

Very hard to say without more info, but it could well be a mis-match in the settings somewhere. Check your settings match at both ends. Try looking at the output of:

- deb crypto isakmp

- deb crypto ipsec

IPSec SAs are there. Traffic goes through the tunnel, but with lots of packet loss (about 10%).

Hi,

Problem is solved by disabling cef and NetFlow.

Is this a bug?

It could be. What's at either end? What s/w version are they running? What's the setup; is it just a simple site-site VPN or are you using GRE as well?

The other end is an ASA. I was using IOS c1841-advsecurityk9-mz.123-14.T7. Last night I changed to c1841-spservicesk9-mz.124-9.T7 and all is working fine.

Thanks.