Cisco Support Community
Community Member

VPN Status=MM_NO_STATE but GRE tunnel Stuck on UP-UP why?

Hi everyone, I have a strange problem with my VPN connections. We are using GRE over IPsec in our branches. Sometimes, in some branches, for some odd reason, when I do show crypto isakmp sa I see lots of MM_NO_STATE and ACTIVE (not deleted), and when I shut my GRE tunnel and no shut it again, or do clear crypto isakmp, it becomes QM_IDLE and everything works fine. But in that situation (MM_NO_STATE) my GRE tunnel is stuck in the UP_UP state, even though I have configured keepalive for my GRE tunnel and for my ISAKMP. I couldn't find why ISAKMP sometimes stays in MM_NO_STATE (even when everything is OK), but I want to bring down the GRE tunnel when ISAKMP is not QM_IDLE? Thanks.

NOTICE: the VPN works fine for, for example, 1 day, and then this problem happens and I have to shut and no shut the GRE tunnel.

This is the branch VPN configuration:

crypto isakmp policy 1
 encr 3des
 group 2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 20 periodic
!
crypto ipsec security-association replay window-size 1024
!
crypto ipsec transform-set TRANS esp-3des esp-sha-hmac
!
crypto ipsec profile SEC
 set transform-set TRANS
!
!
interface Tunnel520
 ip unnumbered Loopback0
 no ip redirects
 no ip proxy-arp
 ip mtu 1400
 qos pre-classify
 keepalive 20 3
 tunnel source X.X.X.X
 tunnel destination Y.Y.Y.Y
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SEC

This is when the error happens:

#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
Y.Y.Y.Y      X.X.X.X        MM_NO_STATE          0    0 ACTIVE
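
The condition described in the post (a peer with many MM_NO_STATE entries that are ACTIVE and not deleted, and no QM_IDLE SA) can be detected from captured `show crypto isakmp sa` output. This is an added example, not part of the original post; the sample output is constructed, and the function names and the threshold of 3 are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the column layout shown in the post
# (addresses are from documentation ranges, not real peers).
SAMPLE = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id slot status
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE
198.51.100.1    192.0.2.10      MM_NO_STATE          0    0 ACTIVE (deleted)
198.51.100.2    192.0.2.10      QM_IDLE           1001    0 ACTIVE
198.51.100.2    192.0.2.10      MM_NO_STATE          0    0 ACTIVE (deleted)
"""

# dst, src, state (upper-case token), conn-id, slot, then free-form status.
# The banner and the column header do not match because their third/fourth
# fields are not an upper-case state followed by a number.
ROW = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn>\d+)\s+(?P<slot>\d+)\s+(?P<status>.+?)\s*$"
)

def parse_isakmp_sa(text):
    """Return one dict per SA row found in the command output."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def stuck_peers(rows, threshold=3):
    """Map (dst, src) -> count of live MM_NO_STATE entries for peers that have
    no QM_IDLE SA and at least `threshold` (assumed value) such entries."""
    per_peer = defaultdict(Counter)
    for r in rows:
        # Entries already marked "(deleted)" are being torn down; count apart.
        label = "deleted" if "deleted" in r["status"] else r["state"]
        per_peer[(r["dst"], r["src"])][label] += 1
    return {
        peer: c["MM_NO_STATE"]
        for peer, c in per_peer.items()
        if c["QM_IDLE"] == 0 and c["MM_NO_STATE"] >= threshold
    }

if __name__ == "__main__":
    for (dst, src), n in stuck_peers(parse_isakmp_sa(SAMPLE)).items():
        print(f"peer {dst} (local {src}): {n} MM_NO_STATE SAs, no QM_IDLE")
```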

1 REPLY
Cisco Employee

Re: VPN Status=MM_NO_STATE but GRE tunnel Stuck on UP-UP why?

Hi,

Are you aware of this security notice about IKE:

http://www.cisco.com/warp/public/707/cisco-sa-20090923-ipsec.shtml

HTH

Laurent.
