09-24-2009 08:08 AM - edited 02-21-2020 03:41 AM
hello all,
we have two sites which are connected site to site VPN. every thing is ok except when : router of branch reload VPN connection is not going to be UP. we have to remove Crypto map from main router and re put it again on interface in order to connect again that branch.
could you help what is problem.
attached you will find router configuration and debug information.
thanks in advance
09-24-2009 09:49 AM
I would try to clear the ISAKMP and IPSEC connections to this remote site on the central site VPN router.
First check to see which connections belong to the specific remote site using the following commands:
router#show crypto isakmp sa
router#show crypto ipsec sa
The output of these commands will provide specific identifiers for you to use to selectively clear those ISAKMP and IPSEC connections to one remote site.
ISAKMP (Phase I)
router#clear crypto isakmp ?
<0 - 32766> connection id of SA
IPsec (Phase II)
router#clear crypto sa ?
counters Reset the SA counters
map Clear all SAs for a given crypto map
peer Clear all SAs for a given crypto peer
spi Clear SA by SPI
Here is the URL describing this and other common problems and how to troubleshoot them.
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution2
HTH
09-24-2009 10:48 PM
thank you for your response,
i have tried to clear SA but didn't function.
what i have find this morning and seems to be a solution is command:
crypto isakmp invalid-spi-recovery
i still don't understand why but it is working after restart?
best regards
A.B.
09-25-2009 06:31 AM
Here is a URL describing the command you are using. I think it will answer your question and provide additional details about the command. HTH
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide