Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ISAKMP SA Conn-id Constantly Changing

Hi,

My new IPSec tunnel shows a constantly changing conn-id in show cryp is sa command:

sh cry is sa

dst src state conn-id slot status

192.168.1.1 172.16.1.1 QM_IDLE 141 0 ACTIVE

192.168.1.1 172.16.1.1 MM_NO_STATE 140 0 ACTIVE (deleted)

192.168.1.1 172.16.1.1 MM_NO_STATE 138 0 ACTIVE (deleted)

192.168.1.1 172.16.1.1 MM_NO_STATE 139 0 ACTIVE (deleted)

The 'QM_IDLE' is active for a few seconds, then is (deleted); a new 'QM_IDLE' comes up.

What could be the possible reason?

5 REPLIES
New Member

Re: ISAKMP SA Conn-id Constantly Changing

Very hard to say without more info, but it could well be a mis-match in the settings somewhere. Check your settings match at both ends. Try looking at the output of:

- deb crytpo isakmp

- deb crypto ipsec

New Member

Re: ISAKMP SA Conn-id Constantly Changing

IPSec sa's are there. Traffic goes through the tunnel, but lots of packet loss (about 10/%).

New Member

Re: ISAKMP SA Conn-id Constantly Changing

Hi,

Problem is solved by disabling cef and NetFlow.

Is this a bug?

New Member

Re: ISAKMP SA Conn-id Constantly Changing

It could be, what's at either end? What s/w version are they running? What's the set up; is it just a simple site-site VPN or are you using GRE as well?

New Member

Re: ISAKMP SA Conn-id Constantly Changing

The other end is ASA. I was using IOS c1841-advsecurityk9-mz.123-14.T7. Last night I changed to c1841-spservicesk9-mz.124-9.T7 and all working fine.

Thanks.

166
Views
0
Helpful
5
Replies