Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Session not going down!

Hi,

I have a VPN session which is working good.

So some reason there was some trouble at some ISP between the two VPN peers and the packets are not passing between two VPN peers.

The ISP problem has been for more than 8 hrs, but my doubt is that, when I check the peer crypto session details, it is UP-ACTIVE now also.

Why the session is not going down once three keepalive packets are missed, and why not IPSec termination point not concludes that it has lot connectivity with its peer?

I have given the command:

crypto isakmp keepalive 30 periodic

crypto ipsec security-association lifetime seconds 86400

aaa#show cry session remote A.B.C.24 detail

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection

K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: GigabitEthernet0/1

Session status: UP-ACTIVE

Peer: A.B.C.24 port 500 fvrf: (none) ivrf: (none)

Desc: Tunnel toA.B.C.24 (AAA)

Phase1_id: A.B.C.24

IKE SA: local P.Q.R.1/500 remote A.B.C.24/500 Active

Capabilities:(none) connid:269 lifetime:21:53:23

IPSEC FLOW: permit ip 172.17.12.0/255.255.255.0 10.11.6.0/255.255.255.0

Active SAs: 2, origin: crypto map

Inbound: #pkts dec'ed 1254709 drop 1 life (KB/Sec) 4449894/78804

Outbound: #pkts enc'ed 1330421 drop 2989 life (KB/Sec) 4449877/78804

aaa#show cry isa sa

dst src state conn-id slot status

A.B.C.24 P.Q.R.1 QM_IDLE 269 0 ACTIVE

aaa#ping 10.11.6.18 source 172.17.12.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.11.6.18, timeout is 2 seconds:

Packet sent with a source address of 172.17.12.11

.....

Success rate is 0 percent (0/5)

aaa#

aaa#ping A.B.C.24

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to A.B.C.24, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

aaa#

150
Views
0
Helpful
0
Replies
CreatePlease to create content