ASA 5520 v7.2 - VPN site to site problem and clear command

Hi all,

I have been having some problems with a site-to-site VPN for the last two weeks. On some occasions it stops sending traffic through the VPN without any apparent reason. I have other VPNs that continue working fine. While it is failing I have run the command "show crypto isakmp sa" and I have found that I have two entries for the peer that is failing:

9   IKE Peer: x.x.x.x
    Type: L2L      Role: responder
    Rekey: no      State: AM_REKEY_DONE_H2
10  IKE Peer: x.x.x.x
    Type: L2L      Role: initiator
    Rekey: yes     State: MM_ACTIVE_REKEY

Any idea about what is happening?

On the other hand, at the moment the only way to solve this has been to use the command "clear crypto isakmp sa", but the problem is that this command clears all the entries and I lose connectivity on all the other tunnels until they are established again. Is there any way to clear only the tunnel that has problems?

Regards, Fernando.

3 REPLIES
Re: ASA 5520 v7.2 - VPN site to site problem and clear command

ISAKMP key will stay active if you use this command

Re: ASA 5520 v7.2 - VPN site to site problem and clear command

Hi Fernando,

Yes, you can use "clear crypto session remote x.x.x.x " to reset the tunnel.

This command allows you to clear both IKE and IPsec with a single command, and you can specify the remote peer IP address to clear only a single tunnel.

HTH

MD

Re: ASA 5520 v7.2 - VPN site to site problem and clear command

Hi MD,

I have tried to use the command that you suggested, but that option doesn't appear on my ASA.

asa# clear crypto ?
  accelerator  Clear accelerator statistics
  ca           Certification authority
  ipsec        Clear IPsec operational data
  isakmp       Clear ISAKMP operational data
  protocol     Clear protocol statistics

asa(config)# clear crypto ?
exec mode commands/options:
  accelerator  Clear accelerator statistics
  ca           Certification authority
  ipsec        Clear IPsec operational data
  isakmp       Clear ISAKMP operational data
  protocol     Clear protocol statistics

Do you know any other possibility?

On the other hand, do you know why I am having this issue?

Regards, Fernando.

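The symptom Fernando describes in the opening post, a peer that shows up twice in "show crypto isakmp sa" with a leftover responder SA stuck in a rekey state beside a fresh initiator SA, is easy to miss by eye on a box with many tunnels. The following parser is an added example, not code from the thread or from Cisco; it reads a constructed copy of that output (placeholder peer addresses) and reports every peer that owns more than one IKE SA, so the affected peer can be identified before anything is cleared.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the "show crypto isakmp sa" listing in the
# thread. Addresses are documentation ranges, not real peers.
SAMPLE_ISAKMP_SA = """\
   Active SA: 3
    Rekey SA: 1
Total IKE SA: 4

9   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : AM_REKEY_DONE_H2
10  IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY
11  IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""

PEER_RE = re.compile(r"^\s*(\d+)\s+IKE Peer:\s*(\S+)")   # "9   IKE Peer: a.b.c.d"
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")               # "Type : L2L   Role : responder"


def parse_isakmp_sa(text):
    """Return one dict per IKE SA: index, peer, type, role, rekey, state."""
    entries = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            entries.append({"index": int(m.group(1)), "peer": m.group(2)})
            continue
        if entries and ":" in line:          # detail line of the current SA
            for key, val in FIELD_RE.findall(line):
                entries[-1][key.lower()] = val
    return entries


def duplicate_peers(entries):
    """Peers holding more than one IKE SA (the stale-responder pattern)."""
    by_peer = defaultdict(list)
    for sa in entries:
        by_peer[sa["peer"]].append(sa)
    return {peer: sas for peer, sas in by_peer.items() if len(sas) > 1}


def report(text):
    """Human-readable line per affected peer, with index, role and state."""
    out = []
    for peer, sas in sorted(duplicate_peers(parse_isakmp_sa(text)).items()):
        detail = ", ".join(f"#{s['index']} {s['role']}/{s['state']}" for s in sas)
        out.append(f"{peer}: {len(sas)} IKE SAs ({detail})")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ISAKMP_SA)))
```

Running it on real output (paste the command output into the string, or read it from a file) prints only peers that need attention; a healthy peer like the third one in the sample is not listed.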