VPN session is up-no-ike

Unanswered Question
Mar 27th, 2010
User Badges:


A VPN session in my VPN router is showing "UP-NO-IKE". I have to clear VPN session or the remote end VPN reset its IPsec.

What could be the possible that makes this session status "UP-NO-IKE"?


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Jennifer Halim Sat, 03/27/2010 - 21:23
User Badges:
  • Cisco Employee,

Do you mean with the "UP-NO-IKE" status, you are not able to pass any traffic until you clear the SA and/or reset the remote peer?

What does the status of "show crypto isa sa" and "show crypto ipsec sa" show when you see "UP-NO-IKE"?

zhiqiang.yan Sun, 03/28/2010 - 07:08
User Badges:

Yes, no data can pass until reset.

Nothing shows in "show crypto isakmp sa". I did not check "show crypto ipsec sa",but since I can see the IPSEC Flow in "show crypto session", I think it should be able to see the spi and just no enc/dec data.

There is a ICMP montoring from our end to remote end, when phase 1 expire, it should be reset by this icmp traff

Jennifer Halim Sun, 03/28/2010 - 16:43
User Badges:
  • Cisco Employee,

If you can't pass traffic, seems like there are SAs mismatched between this site and others, ie: this site might have had the SAs cleared, while remote sites are still sending data on the old SAs. Not until you clear or reset the SA on remote sites, it started to negotiate for the new SAs.

jazzlim2004 Wed, 12/08/2010 - 17:17
User Badges:

Hi halijenn,

You are right on this.( i also encountered such problem) Is there any command to auto detect and clear old SA without manual reset?

Thank you


This Discussion