Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
412
Views
4
Helpful
3
Replies

VPN connection site to site

adriatikb
Level 1
Level 1

‎09-24-2009 08:08 AM - edited ‎02-21-2020 03:41 AM

hello all,

we have two sites which are connected site to site VPN. every thing is ok except when : router of branch reload VPN connection is not going to be UP. we have to remove Crypto map from main router and re put it again on interface in order to connect again that branch.

could you help what is problem.

attached you will find router configuration and debug information.

thanks in advance

Preview file
9 KB
0 Helpful
3 Replies 3

slmansfield
Level 4
Level 4

‎09-24-2009 09:49 AM

I would try to clear the ISAKMP and IPSEC connections to this remote site on the central site VPN router.

First check to see which connections belong to the specific remote site using the following commands:

router#show crypto isakmp sa

router#show crypto ipsec sa

The output of these commands will provide specific identifiers for you to use to selectively clear those ISAKMP and IPSEC connections to one remote site.

ISAKMP (Phase I)

router#clear crypto isakmp ?

<0 - 32766> connection id of SA

IPsec (Phase II)

router#clear crypto sa ?

counters Reset the SA counters

map Clear all SAs for a given crypto map

peer Clear all SAs for a given crypto peer

spi Clear SA by SPI

Here is the URL describing this and other common problems and how to troubleshoot them.

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#Solution2

HTH

0 Helpful

adriatikb
Level 1
Level 1
In response to slmansfield

‎09-24-2009 10:48 PM

thank you for your response,

i have tried to clear SA but didn't function.

what i have find this morning and seems to be a solution is command:

crypto isakmp invalid-spi-recovery

i still don't understand why but it is working after restart?

best regards

A.B.

0 Helpful

slmansfield
Level 4
Level 4
In response to adriatikb

‎09-25-2009 06:31 AM

Here is a URL describing the command you are using. I think it will answer your question and provide additional details about the command. HTH

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card