03-04-2008 01:54 AM - edited 03-09-2019 08:14 PM
Hi,
My new IPSec tunnel shows a constantly changing conn-id in the show cryp is sa command:
sh cry is sa
dst src state conn-id slot status
192.168.1.1 172.16.1.1 QM_IDLE 141 0 ACTIVE
192.168.1.1 172.16.1.1 MM_NO_STATE 140 0 ACTIVE (deleted)
192.168.1.1 172.16.1.1 MM_NO_STATE 138 0 ACTIVE (deleted)
192.168.1.1 172.16.1.1 MM_NO_STATE 139 0 ACTIVE (deleted)
The 'QM_IDLE' is active for a few seconds, then is (deleted); a new 'QM_IDLE' comes up.
What could be the possible reason?
03-04-2008 04:09 AM
Very hard to say without more info, but it could well be a mis-match in the settings somewhere. Check your settings match at both ends. Try looking at the output of:
- deb crypto isakmp
- deb crypto ipsec
03-04-2008 09:39 AM
IPSec SAs are there. Traffic goes through the tunnel, but lots of packet loss (about 10%).
03-04-2008 01:25 PM
Hi,
Problem is solved by disabling CEF and NetFlow.
Is this a bug?
03-05-2008 02:26 AM
It could be, what's at either end? What s/w version are they running? What's the set up; is it just a simple site-site VPN or are you using GRE as well?
03-05-2008 11:34 AM
The other end is an ASA. I was using IOS c1841-advsecurityk9-mz.123-14.T7. Last night I changed to c1841-spservicesk9-mz.124-9.T7 and all is working fine.
Thanks.