Ipsec vpn router to router

tdorduncu
Level 1

We have a site-to-site IPsec VPN and it works fine, but when I clear the ISAKMP peer, it is cleared. Then, when I start interesting traffic again to initiate the IPsec tunnel, I see decaps/encaps packets with no errors, but I don't see any QM_IDLE peer in the SA status. The lifetime also keeps counting.

Is it a bug?

Best regards

4 Replies

irisrios
Level 6

If you don't see a QM_IDLE peer, it means phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been properly negotiated and should be examined.

Hi,

I encountered a similar issue too. The IPsec session does not show anything when you enter "show crypto isakmp sa", but with "show crypto ipsec sa" you can still see the packets being encap/decap'd. If Phase 1 had not been negotiated properly, how come Phase 2 was negotiated? Sounds more like a bug?

I had the same issue viewing an SA today on a 3825 running "c3825-advipservicesk9-mz.124-19.bin". They have had several issues with very similar commands in recent versions, such as "sh crypto isakmp peers" showing nothing. I looked this particular output command up and it was a bug. I would almost bet this too is a bug.

keshavnow
Level 1

Hi,

How do you clear the tunnel?

I think you use the following commands to clear it:

1) clear crypto isakmp

2) clear crypto sa

The issue will be seen when you execute clear crypto isakmp first and then clear crypto sa second.

This is the wrong process:

First you have to execute

1) 'clear crypto sa' - to clear the SA counters

and then

2) 'clear crypto isakmp'

The reason is that when you execute clear crypto isakmp, it only clears the IKE SA but not the SPI (present in the SA counters), which will not be deleted.

Even if you then execute 'clear crypto sa', the SPI will remain the same.

The SPI is removed when 'clear crypto sa' is done first; the command won't clear it if it is executed second.

Then, if you initiate traffic to establish the tunnel, IKE will use the old SPI, which is invalid, because the consecutive SPI should be used; if the old one is used, the tunnel will not be established.

You can see the encaps and decaps, but the tunnel won't be established.

Conclusion:

-------------

Whenever you clear the tunnel:

Please do the following steps:

1) clear crypto sa - which clears all SA counters

and then

2) execute 'clear crypto isakmp'

If by mistake it was done in the wrong order,

then

execute

1) no crypto isakmp enable in config mode

2) crypto isakmp enable in config mode

to reset the crypto.

Thanks,

Kesavamurthy Palani
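The symptom discussed in this thread (phase 2 encaps/decaps counters moving while "show crypto isakmp sa" lists no QM_IDLE peer) is easy to miss when eyeballing two long outputs. The following script is an added example, not code from the thread or from Cisco: it parses the two show commands and cross-checks phase 1 against phase 2 per peer, so the mismatch is reported explicitly before anyone reaches for the clear sequence above. The sample outputs are constructed in the format IOS 12.4 prints; the peer addresses (192.0.2.x), crypto map name, subnets and packet counts are placeholders, not values from the thread.

```python
import re

# Constructed "show crypto isakmp sa" output with a healthy phase 1 SA
# (IOS 12.4 column layout; addresses are documentation-range placeholders).
ISAKMP_SA_OK = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.2       192.0.2.1       QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA
"""

# Constructed output for the symptom in the thread: no ISAKMP SA at all.
ISAKMP_SA_EMPTY = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""

# Constructed "show crypto ipsec sa" output showing phase 2 counters moving.
IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: VPNMAP, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

# One SA row: dst, src, STATE, conn-id, optional slot column (older IOS), status.
ISAKMP_ROW = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)(?:\s+\d+)?\s+(\S+)\s*$")
PEER_RE = re.compile(r"current_peer:?\s+([\d.]+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_isakmp_sa(text):
    """Return {peer_dst: state} for every SA row in 'show crypto isakmp sa' output."""
    peers = {}
    for line in text.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if m:
            dst, _src, state, _conn_id, _status = m.groups()
            peers[dst] = state
    return peers


def parse_ipsec_sa(text):
    """Return {peer: (encaps, decaps)} for each current_peer block in 'show crypto ipsec sa'."""
    counters = {}
    peer = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters[peer] = [0, 0]
            continue
        if peer is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            counters[peer][0] = int(m.group(1))
        m = DECAPS_RE.search(line)
        if m:
            counters[peer][1] = int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def check_tunnel_state(isakmp_text, ipsec_text):
    """Cross-check phase 1 against phase 2 per peer and return one finding string per peer."""
    ike = parse_isakmp_sa(isakmp_text)
    ipsec = parse_ipsec_sa(ipsec_text)
    findings = []
    for peer, (encaps, decaps) in ipsec.items():
        state = ike.get(peer)
        if state == "QM_IDLE":
            findings.append(f"{peer}: OK, phase 1 QM_IDLE, encaps={encaps} decaps={decaps}")
        elif state is None and (encaps or decaps):
            # The thread's symptom: phase 2 traffic flows but phase 1 shows nothing.
            findings.append(f"{peer}: phase 2 counters moving (encaps={encaps} decaps={decaps}) "
                            "but no ISAKMP SA; examine phase 1 before clearing anything")
        elif state is None:
            findings.append(f"{peer}: no ISAKMP SA and no traffic; tunnel not established")
        else:
            findings.append(f"{peer}: phase 1 in {state}, not QM_IDLE; negotiation incomplete")
    return findings


if __name__ == "__main__":
    for finding in check_tunnel_state(ISAKMP_SA_EMPTY, IPSEC_SA):
        print(finding)
```

Paste the real outputs of the two show commands into the two strings (or read them from files) to run it against a live box; the point of keying on the peer address is that a peer with moving counters and no ISAKMP row is flagged even when several tunnels are terminated on the same router.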