Cisco Support Community
Community Member

vpn isakmp strange

Hi guys, need your help with this. I developed a simple site-to-site VPN between 2 routers on a serial link in my lab. I connected 1 PC to routerA eth 0 and the other PC to routerB eth 0. Now I ping from both ends and the tunnel is established successfully (I verified using sh cry isakmp sa, sh cry ipsec sa). Now I cleared isakmp with clear crypto isakmp on routerA and it got deleted, check this:

RA#sh crypto isakmp sa

dst             src             state          conn-id slot status
                                MM_NO_STATE          1    0 ACTIVE (deleted)

Now I thought that the tunnel was torn down. I again issued a ping from 1 PC and it was successful, so I checked again with sh cry isakmp sa but it was empty! I checked sh cry ipsec sa and it was still encapsulating the packets, meaning the phase 2 tunnel was still up! How is it possible that after I terminated isakmp the phase 2 tunnel is still up? Please tell me.

Thanks in advance.

Hall of Fame Super Blue

Re: vpn isakmp strange


If you want to tear the tunnel down completely you need

1) clear crypto isakmp sa

2) clear crypto ipsec sa

Tearing down the phase 1 connection will not necessarily tear down phase 2.
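
Added example, not part of the original thread and not Cisco tooling: a small Python check that reads captured "show crypto isakmp sa" and "show crypto ipsec sa" text and reports peers that still hold phase 2 SAs with no live phase 1 SA, which is the state described in the question. The sample output, addresses, counters and function names are constructed for illustration, modeled on the column layout quoted in the thread.

```python
import re

IP = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

# Constructed sample captures (not taken from the thread).
ISAKMP_BEFORE = """\
dst             src             state          conn-id slot status
10.0.0.2        10.0.0.1        QM_IDLE              1    0 ACTIVE
"""
ISAKMP_CLEARED = """\
dst             src             state          conn-id slot status
10.0.0.2        10.0.0.1        MM_NO_STATE          1    0 ACTIVE (deleted)
"""
IPSEC_AFTER = """\
   current_peer 10.0.0.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
"""

def ike_peers(isakmp_text):
    """Addresses that appear in a live phase 1 row (ACTIVE, not deleted)."""
    peers = set()
    for line in isakmp_text.splitlines():
        cols = line.split()
        # A "(deleted)" row ends in "(deleted)", so it is skipped here.
        if len(cols) >= 6 and cols[-1] == "ACTIVE" and IP.fullmatch(cols[0]):
            peers.update(cols[:2])  # the peer may be listed as dst or src
    return peers

def ipsec_peers(ipsec_text):
    """Map peer -> encaps counter and number of installed SPIs."""
    result, peer = {}, None
    for line in ipsec_text.splitlines():
        if m := re.search(r"current_peer:?\s+(\S+)", line):
            peer = m.group(1)
            result.setdefault(peer, {"encaps": 0, "spis": 0})
        elif peer and (m := re.search(r"#pkts encaps:\s*(\d+)", line)):
            result[peer]["encaps"] += int(m.group(1))
        elif peer and re.search(r"\bspi:\s*0x", line):
            result[peer]["spis"] += 1
    return result

def orphaned_phase2(isakmp_text, ipsec_text):
    """Peers that still hold IPsec SAs although no IKE SA covers them."""
    live = ike_peers(isakmp_text)
    return {p: s for p, s in ipsec_peers(ipsec_text).items()
            if s["spis"] > 0 and p not in live}
```

An empty result after running both clear commands confirms the tunnel is fully down; a non-empty one shows phase 2 SAs that survived the phase 1 clear.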



Community Member

Re: vpn isakmp strange

Thanks for the reply Jon, can you also please refer me to a Cisco doc which defines this problem?

Thanks again in advance.
