Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Crypto Tunnel not restablishing

Hey Guys,

I have a number of 877s connecting to a VPN 3000 concentrator via ADSL internet circuits.

When the connection drops out, they do not restablish the crypto session automatically, it can take a few hours or not at all, until i "Clear crypto sa".

Is there some setting I can change to make the tunnel restablish quickly?


Re: Crypto Tunnel not restablishing


What version of software are you running on the 877's.

I had a problem with a bunch of 871's ended up being a bug in the vpn session. I don't remember the bug number but the IOS version I upgraded to seems to have fixed the problem.


I think this bug is in version T6 or T5 and below. I've included the the bug info that I had but don't have the bug ID number.

EasyVPN tunnel stuck in IPSECActive after Dialer interface flap

Symptoms: An EasyVPN tunnel may get stuck in an IPSEC_Active state after


dialer interface flap. The ISAKMP SA can get stuck in Config_XAuth state

after the dialer interface flaps:

show crypto isakmp sa


dst src state conn-id slot status CONF_XAUTH 2090 0 ACTIVE

Community Member

Re: Crypto Tunnel not restablishing

I know the SW revision is a bit old, but this place is in the middle of nowhere, kinda hoping I wouldnt have to upgrade, guess im going to have to.

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(14)YT, RELEASE SOFTWARE (fc1)

BBR-INET#show crypto isa sa

dst src state conn-id slot status

x.x.x.x y.y.y.y QM_IDLE 1020 0 ACTIVE

x.x.x.x y.y.y.y QM_IDLE 1018 0 ACTIVE

Hall of Fame Super Gold

Re: Crypto Tunnel not restablishing

This looks much like an issue we know very well except that in our case, no flap is necessary to get it stuck.

We ended running 12.4(9)T as nothing else had worked.

CreatePlease to create content