03-04-2008 01:54 AM - edited 03-09-2019 08:14 PM
Hi,
My new IPSec tunnel shows a constantly changing conn-id in the show cryp is sa command:
sh cry is sa
dst             src             state          conn-id slot status
192.168.1.1     172.16.1.1      QM_IDLE            141    0 ACTIVE
192.168.1.1     172.16.1.1      MM_NO_STATE        140    0 ACTIVE (deleted)
192.168.1.1     172.16.1.1      MM_NO_STATE        138    0 ACTIVE (deleted)
192.168.1.1     172.16.1.1      MM_NO_STATE        139    0 ACTIVE (deleted)
The 'QM_IDLE' is active for a few seconds, then is (deleted); a new 'QM_IDLE' comes up.
What could be the possible reason?
03-04-2008 04:09 AM
Very hard to say without more info, but it could well be a mis-match in the settings somewhere. Check your settings match at both ends. Try looking at the output of:
- deb crypto isakmp
- deb crypto ipsec
03-04-2008 09:39 AM
IPSec SAs are there. Traffic goes through the tunnel, but there is lots of packet loss (about 10%).
03-04-2008 01:25 PM
Hi,
The problem is solved by disabling CEF and NetFlow.
Is this a bug?
03-05-2008 02:26 AM
It could be. What's at either end? What s/w version are they running? What's the setup; is it just a simple site-site VPN or are you using GRE as well?
03-05-2008 11:34 AM
The other end is an ASA. I was using IOS c1841-advsecurityk9-mz.123-14.T7. Last night I changed to c1841-spservicesk9-mz.124-9.T7 and all is working fine.
Thanks.
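Added example, not part of the original thread and not Cisco code: a small parser for the `show crypto isakmp sa` table format posted above that flags a peer pair whose ISAKMP SAs keep being deleted and rebuilt. The function names, the threshold of 2 deleted entries, and the 10.0.0.2 row in the sample are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Sample input: the rows from the first post plus one constructed stable peer.
SAMPLE = """\
dst src state conn-id slot status
192.168.1.1 172.16.1.1 QM_IDLE 141 0 ACTIVE
192.168.1.1 172.16.1.1 MM_NO_STATE 140 0 ACTIVE (deleted)
192.168.1.1 172.16.1.1 MM_NO_STATE 138 0 ACTIVE (deleted)
192.168.1.1 172.16.1.1 MM_NO_STATE 139 0 ACTIVE (deleted)
192.168.1.1 10.0.0.2 QM_IDLE 120 0 ACTIVE
"""

# One table row: dst, src, state, conn-id, slot, then free-form status.
ROW = re.compile(
    r"^(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$"
)

def parse_isakmp_sa(text):
    """Return one dict per SA row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            row["deleted"] = "(deleted)" in row["status"]
            rows.append(row)
    return rows

def churn_report(rows, threshold=2):
    """Group SAs by (dst, src); 'flapping' means >= threshold deleted entries.

    The threshold is an assumed value, not one taken from the thread.
    """
    peers = defaultdict(lambda: {"established": [], "deleted": []})
    for r in rows:
        bucket = peers[(r["dst"], r["src"])]
        if r["deleted"]:
            bucket["deleted"].append(r["conn_id"])
        elif r["state"] == "QM_IDLE":
            bucket["established"].append(r["conn_id"])
    return {
        peer: {
            "established": sorted(v["established"]),
            "deleted": sorted(v["deleted"]),
            "flapping": len(v["deleted"]) >= threshold,
        }
        for peer, v in peers.items()
    }

if __name__ == "__main__":
    for peer, info in churn_report(parse_isakmp_sa(SAMPLE)).items():
        print(peer, info)
```
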