03-14-2008 01:30 AM - edited 02-21-2020 03:37 PM
We have a site-to-site IPsec VPN. It works fine, but when I clear the ISAKMP peer it was cleared. Then, when I try to start interesting traffic again to initiate the IPsec tunnel, I see decaps/encaps packets with no errors, but I don't see any QM_IDLE peer in the SA status, and the lifetime keeps going.
Is it a bug?
Best regards
03-20-2008 07:13 AM
If you don't see Qm_idle peer then it means phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been properly negotiated and should be examined.
03-21-2008 12:47 PM
Hi,
I encountered a similar issue too. The IPsec session does not show anything when you enter "show crypto isakmp sa", but with "show crypto ipsec sa" you can still see the packets being encapsulated/decapsulated. If Phase 1 had not been negotiated properly, how come Phase 2 was negotiated? Sounds more like a bug?
03-26-2008 05:40 PM
I had the same issue viewing an SA today on a 3825 running "c3825-advipservicesk9-mz.124-19.bin". They have had several issues with very similar commands in recent versions, such as "sh crypto isakmp peers" showing nothing. I looked this particular output command up and it was a bug. I would almost bet this too is a bug.
03-27-2008 11:31 PM
Hi,
How do you clear the tunnel?
I think you use the following commands to clear it:
1) clear crypto isakmp
2) clear crypto sa
The issue will be seen when you execute clear crypto isakmp first and then clear crypto sa second.
This is the wrong process:
First you have to execute
1) 'clear crypto sa' - to clear the SA counters
and then
2) 'clear crypto isakmp'
The reason is that when you execute clear crypto isakmp, it only clears the IKE SA, but the SPI (present in the SA counters) will not be deleted.
Even if you then execute 'clear crypto sa', the SPI will remain the same.
The SPI is removed when 'clear crypto sa' is done first; the command won't clear it if it is executed second.
Then, if you initiate traffic to establish the tunnel, IKE will use the old SPI, which is invalid, because the consecutive SPI should be used; if the old one is used, the tunnel will not be established.
You can see the encaps and decaps, but the tunnel won't be established.
Conclusion:
-------------
Whenever you clear the tunnel:
Please do the following steps:
1) clear crypto sa - which clears all SA counters
and then
2) execute 'clear crypto isakmp'
If by mistake it was done wrong,
then
execute
1) no crypto isakmp enable in config mode
2) crypto isakmp enable in config mode
to reset the crypto.
Thanks,
Kesavamurthy Palani
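A check for the exact symptom this thread describes (IPsec encaps/decaps counters moving for a peer while "show crypto isakmp sa" lists no QM_IDLE SA for it), written as an added example and not part of any post above. The two show-command outputs are constructed samples modelled on the IOS 12.4 format; the parsing is line-oriented so it can be pointed at output captured from a real device.

```python
import re

# Constructed sample of "show crypto isakmp sa": no QM_IDLE row for the peer.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""

# Constructed sample of "show crypto ipsec sa": counters still incrementing.
IPSEC_SA_OUTPUT = """\
interface: Serial0/0
    Crypto map tag: VPNMAP, local addr 10.1.1.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.1.1.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
     current outbound spi: 0x1A2B3C4D(439041101)
"""

# dst src state conn-id [slot] status  (the "slot" column exists on older IOS)
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)(?:\s+\d+)?\s+(\S+)\s*$")


def qm_idle_peers(isakmp_text):
    """Addresses (dst or src column) that appear on a QM_IDLE ISAKMP SA row."""
    peers = set()
    for line in isakmp_text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m and m.group(3) == "QM_IDLE":
            peers.update((m.group(1), m.group(2)))
    return peers


def ipsec_counters(ipsec_text):
    """Map current_peer -> {"encaps": n, "decaps": n} from show crypto ipsec sa."""
    peers, current = {}, None
    for line in ipsec_text.splitlines():
        m = re.search(r"current_peer\s+(\S+)", line)
        if m:
            current = m.group(1)
            peers[current] = {"encaps": 0, "decaps": 0}
            continue
        for key in ("encaps", "decaps"):
            m = re.search(r"#pkts %s:\s*(\d+)" % key, line)
            if m and current is not None:
                peers[current][key] = int(m.group(1))
    return peers


def orphaned_ipsec_peers(isakmp_text, ipsec_text):
    """Peers whose IPsec SA passes traffic although no QM_IDLE IKE SA exists."""
    ike = qm_idle_peers(isakmp_text)
    return [p for p, c in ipsec_counters(ipsec_text).items()
            if p not in ike and (c["encaps"] or c["decaps"])]
```

Running `orphaned_ipsec_peers(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT)` on the samples returns `['10.1.1.2']`; an empty list means every busy IPsec SA has its Phase 1 SA in place.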