
New Member

PIX - Isakmp SA

I have run into this a couple of times:

I am continuously setting up new pixes for a site-to-site VPN. (All remote sites connect to a PIX 525 at the central site). I'm using network management extensions and a RADIUS server. What happens is the VPN drops at a remote site and I am unable to re-establish the VPN tunnel. I've tried to clear the isakmp and IPSEC SAs, reloading the pix, etc. I've noticed that an isakmp SA remains on the PIX 525 well after the tunnel drops. I'm only able to re-establish the VPN after the SA clears out of the 525. It sometimes takes 15 minutes or longer. I can't use the "clear crypto isakmp sa" command on the 525, because I have over 20 remote sites connecting to the same endpoint. Is there any way to clear a specific SA off a Pix? I know it's possible with a 2801 router. Has anyone experienced the same issue?




Re: PIX - Isakmp SA

Try "clear ipsec sa peer" or "clear crypto ipsec sa peer". But if it doesn't work, try clearing them via individual SPI.

- Issue "show ipsec sa", and check the session of peer "current_peer" you intend to disconnect.

- Look for its SPI under "current outbound spi:".

- Clear the session's SPI using "clear ipsec entry".
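The three steps above amount to: find the block for the peer in "show ipsec sa", read its "current outbound spi", and clear that one entry. With 20-plus remote sites on one hub, reading that output by hand is error-prone, so here is an added example (not from the original thread or from Cisco) that parses a constructed "show ipsec sa" capture, maps each current_peer to its outbound SPI(s), and builds the per-SPI clear command. The sample output, the addresses and the SPI values are made up; the command form "clear ipsec sa entry <peer> esp <spi>" and the choice of ESP as the protocol are assumptions to verify against the PIX software version in use.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of PIX "show ipsec sa" output, trimmed to the fields the
# procedure relies on (current_peer and current outbound spi). Two peers share
# one crypto map; addresses and SPI values are made up for this example.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204
      #pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187

      local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.10
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 3D7B2F4C

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.30.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      current outbound spi: A1B2C3D4
"""

# The two field labels quoted in the answer above; matched per line.
PEER_RE = re.compile(r"^\s*current_peer:\s*(\S+)")
SPI_RE = re.compile(r"^\s*current outbound spi:\s*([0-9A-Fa-f]+)")


def parse_outbound_spis(output: str) -> Dict[str, List[str]]:
    """Map each current_peer in 'show ipsec sa' output to its outbound SPI(s).

    A peer can own several SAs (one per crypto map entry / proxy identity),
    so the value is a list rather than a single SPI.
    """
    spis: Dict[str, List[str]] = {}
    peer: Optional[str] = None
    for line in output.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            spis.setdefault(peer, [])
            continue
        m = SPI_RE.match(line)
        if m and peer is not None:
            spis[peer].append(m.group(1).upper())
    return spis


def clear_commands(output: str, peer: str) -> List[str]:
    """Build one clear command per outbound SPI of the given peer.

    ASSUMPTION: the syntax 'clear ipsec sa entry <peer> esp <spi>' is the
    PIX/ASA 7.x form the truncated answer refers to, and the SA uses ESP.
    Returns an empty list if the peer has no SA in the output, so nothing is
    cleared by mistake for a mistyped address.
    """
    return [
        f"clear ipsec sa entry {peer} esp {spi}"
        for spi in parse_outbound_spis(output).get(peer, [])
    ]


if __name__ == "__main__":
    for p, spi_list in parse_outbound_spis(SAMPLE_SHOW_IPSEC_SA).items():
        print(p, spi_list)
    for cmd in clear_commands(SAMPLE_SHOW_IPSEC_SA, "198.51.100.10"):
        print(cmd)
```

Paste the real "show ipsec sa" output in place of the sample and run it once per peer you need to reset; because it keys on the peer address, the other sites' SAs on the hub are left untouched, which is the whole point of clearing by SPI instead of "clear crypto isakmp sa".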



New Member

Re: PIX - Isakmp SA

I tried clearing the ipsec sa peer, but it doesn't clear the isakmp sa on the main PIX. The only thing I got to work was to clear the isakmp sa on the remote PIX and then temporarily disable the vpnclient (no vpnclient enable) on the remote PIX and re-enable it. This works... sometimes. I can't find any documentation which allows you to clear an isakmp sa by id. So I'm still searching and the problem still occurs.