IPsec VPN router to router

Unanswered Question
Mar 14th, 2008

We have a site-to-site IPsec VPN and it works fine, but when I cleared the ISAKMP peer, it was cleared. Then I tried to start interesting traffic again to initiate the IPsec tunnel. I found decaps/encaps packets with no errors, but I don't see any QM_IDLE peer in the SA status. Also, the lifetime goes on.

Is it a bug?

Best regards

irisrios Thu, 03/20/2008 - 07:13

If you don't see a QM_IDLE peer, then it means phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been properly negotiated and should be examined.

Manoj Wadhwa Fri, 03/21/2008 - 12:47


I encountered a similar issue too. The IPsec session does not show anything when you enter "show crypto isakmp sa", but with "show crypto ipsec sa" you can still see the packets being encapsulated/decapsulated. If Phase 1 had not been negotiated properly, how come Phase 2 was negotiated? Sounds more like a bug?

mbroberson1 Wed, 03/26/2008 - 17:40

I had the same issue viewing an SA today on a 3825 running "c3825-advipservicesk9-mz.124-19.bin". They have had several issues with very similar commands in recent versions, such as with "sh crypto isakmp peers" and nothing showing up. I looked this particular output command up and it was a bug. I would almost bet this too is a bug.

keshavnow Thu, 03/27/2008 - 23:31


How do you clear the tunnel?

I think you use the following commands to clear it:

1) clear crypto isakmp

2) clear crypto sa

The issue will be seen when you execute clear crypto isakmp first and then clear crypto sa second.

This is the wrong process.

First you have to execute

1) 'clear crypto sa' - to clear the SA counters

and then

2) 'clear crypto isakmp'

The reason is that when you execute clear crypto isakmp, it will only clear the IKE and not the SPI (present in the SA counter), which will not be deleted.

Even if you execute 'clear crypto sa', the SPI will remain the same.

The SPI will be removed when 'clear crypto sa' is done first, and the command won't clear it if it is executed second.

Then if you initiate traffic to establish the tunnel, IKE will use the old SPI, which is invalid, because the consecutive SPI should be used, and if it is used then the tunnel will not be established.

You can see the encaps and decaps, but the tunnel won't be established.



Whenever you clear the tunnel, please do the following steps:

1) execute 'clear crypto sa' - which clears all SA counters

and then

2) execute 'clear crypto isakmp'

If you did it wrong by mistake, execute

1) 'no crypto isakmp enable' in config mode

2) 'crypto isakmp enable' in config mode

to reset the crypto.


Kesavamurthy Palani
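
The state discussed in this thread (encaps/decaps counters in "show crypto ipsec sa" with no QM_IDLE entry in "show crypto isakmp sa") can be checked for by comparing the two outputs. The script below is an added example, not part of any post above; the sample outputs are constructed, the function names are hypothetical, and it assumes IPv4 peers.

```python
import re

# Constructed sample in the layout of "show crypto isakmp sa"; addresses are made up.
ISAKMP_SA = """\
dst             src             state          conn-id slot status
192.0.2.2       192.0.2.1       QM_IDLE           1001    0 ACTIVE
"""
# Constructed, trimmed sample of "show crypto ipsec sa"; peers, counters, SPIs are made up.
IPSEC_SA = """\
   current_peer 192.0.2.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
     current outbound spi: 0x1A2B3C4D(439041101)
   current_peer 198.51.100.7 port 500
    #pkts encaps: 45, #pkts encrypt: 45, #pkts digest: 45
    #pkts decaps: 44, #pkts decrypt: 44, #pkts verify: 44
     current outbound spi: 0x5E6F7A8B(1584364171)
"""

def isakmp_peers(text, state="QM_IDLE"):
    """Addresses (dst and src columns) of ISAKMP SAs that are in `state`."""
    peers = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and f[2] == state:
            peers.update(f[:2])
    return peers

def ipsec_peers(text):
    """Map each current_peer to summed encaps/decaps and its non-zero outbound SPI."""
    peers, cur = {}, None
    for line in text.splitlines():
        if m := re.search(r"current_peer:?\s+([\d.]+)", line):
            cur = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0, "spi": None})
        elif cur is not None:
            if m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
                cur[m.group(1)] += int(m.group(2))
            elif m := re.search(r"current outbound spi: (0x[0-9A-Fa-f]+)", line):
                if int(m.group(1), 16):  # 0x0 means no outbound SA is installed
                    cur["spi"] = m.group(1)
    return peers

def orphaned_ipsec_peers(isakmp_text, ipsec_text):
    """Peers that hold an outbound IPsec SPI but have no QM_IDLE ISAKMP SA."""
    ike = isakmp_peers(isakmp_text)
    return {p: s for p, s in ipsec_peers(ipsec_text).items()
            if s["spi"] and p not in ike}
```

Feed it the two command outputs captured from the same router at the same time; any peer it returns is one where IPsec SAs are passing traffic without a matching phase 1 entry.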

