New Member

Ipsec vpn router to router

We have a site-to-site IPsec VPN and it works fine, but when I clear the ISAKMP peer it is cleared. Then when I try to start interesting traffic again to initiate the IPsec tunnel, I find decaps/encaps packets with no errors, but I don't see any QM_IDLE peer in the SA status. Also the lifetime goes on.

Is it a bug?

Best regards

4 REPLIES
Silver

Re: Ipsec vpn router to router

If you don't see a QM_IDLE peer, then it means phase 1 (Internet Security Association and Key Management Protocol [ISAKMP]) has not been properly negotiated and should be examined.

New Member

Re: Ipsec vpn router to router

Hi,

I encountered a similar issue too. The IPsec session does not show anything when you enter "show crypto isakmp sa", but with "show crypto ipsec sa" you can still see the packets being encap/decap'd. If Phase 1 had not been negotiated properly, how come Phase 2 was negotiated? Sounds more like a bug?

New Member

Re: Ipsec vpn router to router

I had the same issue viewing an SA today on a 3825 running "c3825-advipservicesk9-mz.124-19.bin". They have had several issues with very similar commands in recent versions, such as "sh crypto isakmp peers" showing nothing. I looked this particular output command up and it was a bug. I would almost bet this too is a bug.

New Member

Re: Ipsec vpn router to router

Hi,

How do you clear the tunnel?

I think you use the following commands to clear it:

1) clear crypto isakmp

2) clear crypto sa

The issue will be seen when you execute clear crypto isakmp first and then clear crypto sa second.

This is the wrong process:

First you have to execute

1) 'clear crypto sa' - to clear the SA counters

and then

2) 'clear crypto isakmp'

The reason is that when you execute clear crypto isakmp, it only clears the IKE but not the SPI (present in the SA counter), which will not be deleted.

Even if you execute 'clear crypto sa', the SPI will remain the same.

The SPI will be removed when 'clear crypto sa' is done first; the command won't clear it if it is executed second.

Then if you initiate traffic to establish the tunnel, IKE will use the old SPI, which is invalid, because the consecutive SPI should be used; if the old one is used then the tunnel will not be established.

You can see the encaps and decaps but the tunnel won't be established.

Conclusion:

-------------

Whenever you clear the tunnel:

Please do the following steps:

1) clear crypto sa - which clears all SA counters

and then

2) execute 'clear crypto isakmp'

If by mistake you did it wrong,

then

execute

1) no crypto isakmp enable in config mode

2) crypto isakmp enable in config mode

to reset the crypto.

Thanks,

Kesavamurthy Palani
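A health check for the symptom this thread describes (phase 2 encaps/decaps counters increasing while no QM_IDLE phase 1 SA is listed), added here as an example that is not code from any poster in the thread. It parses constructed text in the shape of the two show commands discussed above; the column layout and counter wording are assumptions based on typical IOS output, and the addresses are documentation-range samples.

```python
import re

# Constructed sample in the shape of IOS "show crypto isakmp sa" output
# (assumed columns: dst, src, state, conn-id, status).
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     203.0.113.1     QM_IDLE           1001 ACTIVE
"""

# Constructed sample in the shape of "show crypto ipsec sa" output for two
# peers; 198.51.100.2 moves traffic but has no QM_IDLE entry above.
IPSEC_SA = """\
interface: GigabitEthernet0/0
   current_peer 203.0.113.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
   current_peer 198.51.100.2 port 500
    #pkts encaps: 35, #pkts encrypt: 35, #pkts digest: 35
    #pkts decaps: 33, #pkts decrypt: 33, #pkts verify: 33
"""

def qm_idle_addresses(isakmp_output):
    """Addresses in a QM_IDLE phase 1 SA; dst and src are both kept since
    dst is the remote peer only when this router was the initiator."""
    found = set()
    for line in isakmp_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "QM_IDLE":
            found.update(fields[:2])
    return found

def ipsec_counters(ipsec_output):
    """Map each current_peer to its (encaps, decaps) packet counters."""
    counters, peer = {}, None
    for line in ipsec_output.splitlines():
        m = re.search(r"current_peer (\S+)", line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
        m = re.search(r"#pkts (encaps|decaps): (\d+)", line)
        if m and peer:
            counters[peer][0 if m.group(1) == "encaps" else 1] = int(m.group(2))
    return {p: tuple(v) for p, v in counters.items()}

def orphaned_phase2(isakmp_output, ipsec_output):
    """Peers with phase 2 traffic (encaps or decaps) but no QM_IDLE SA."""
    healthy = qm_idle_addresses(isakmp_output)
    return sorted(p for p, (enc, dec) in ipsec_counters(ipsec_output).items()
                  if (enc or dec) and p not in healthy)
```

Any peer it returns after a tunnel clear is in the inconsistent state the thread describes and is a candidate for the reset sequence given in the last reply.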
