MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY

prashantrecon
Level 1

Hi All

I am getting the error below, but we are still able to access the machine at the far end. When I execute show crypto isakmp sa,

I am getting this error:

   IKE Peer: 195.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_REKEY_DONE_H2

  IKE Peer: 196.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : yes             State   : MM_ACTIVE_REKEY

Note PFS is not enabled on both sides.

When I executed the command clear crypto isakmp sa, it then displays MM_ACTIVE.

Can anyone explain the reason to me?
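As an added example (not from this thread), a small Python script that parses show crypto isakmp sa output in the format quoted above and lists the peers whose phase 1 SA is not in a settled MM_ACTIVE state, so rekey states like the two in the post can be picked up by a monitoring job instead of by eye. The sample output is constructed from the post's format with placeholder addresses, and the set of "settled" states is an assumption.

```python
import re

# Constructed sample, modelled on the output quoted in the post
# (peer addresses are placeholders, a third peer added for contrast).
SAMPLE_OUTPUT = """\
   IKE Peer: 195.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

  IKE Peer: 196.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY

  IKE Peer: 197.x.x.x
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# Assumption: these are the states in which a phase 1 SA is up and not
# mid-rekey (main mode and aggressive mode respectively).
SETTLED_STATES = {"MM_ACTIVE", "AM_ACTIVE"}

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per IKE peer block: peer, type, role, rekey, state."""
    peers = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            current = {"peer": m.group(1)}
            peers.append(current)
            continue
        if current is not None:
            for key, val in FIELD_RE.findall(line):
                current[key.lower()] = val
    return peers


def unsettled_peers(peers):
    """Peers whose phase 1 SA is in a rekey (or other non-ACTIVE) state."""
    return [p["peer"] for p in peers if p.get("state") not in SETTLED_STATES]


if __name__ == "__main__":
    for p in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f"{p['peer']:<12} rekey={p.get('rekey'):<4} state={p.get('state')}")
    print("not settled:", unsettled_peers(parse_isakmp_sa(SAMPLE_OUTPUT)))
```

In practice the text would come from the device (for example via a scheduled show command collection), and a peer that stays in the unsettled list across several polls is the one worth investigating.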

5 Replies

prashantrecon
Level 1

Hi

Anyone faced this problem ?

Hello All, this issue is usually caused by a security-association lifetime mismatch in phase 2.

Match the security association on both ends and you will be fine.

Clearing the crypto IPsec and ISAKMP is a temporary measure, though.

jaymin_thaker
Level 1

Yes, I faced this issue.

I just bounced phase 1 and it started working. I am not sure why this happens.

cisco# clear cry isa sa x.x.x.x

Hi all,

I faced the same issue today; jaymin_thaker's suggestion (cisco# clear cry isa sa x.x.x.x) worked out well.

The same issue happened in my environment. At last I referred to a Cisco technology article and it worked for two days. Link is here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html I think the key is how the device identifies the same interesting traffic (src: 0.0.0.0/0; dst: 0.0.0.0/0) in the IKE rekey phase. So the Cisco ASA device used the IPsec proposal of the IKEv2 protocol to solve it. I guess if I use "isakmp profile" on an IOS device, possibly it also works.