IPsec session (Phase 2) hang. Cisco Secure Firewall (Firepower)

eduard.hoffmann
Frequent Visitor

Hello colleagues,

I have experienced the IPsec (Phase 2) session hang issue several times with different clients.
Customers have contacted us with the problem that the tunnel is in an active state, but traffic is not passing through it.
Attempts to restart the tunnel with the commands 'clear crypto ikev2 sa' and 'clear crypto ipsec sa' didn't help.

In the process of troubleshooting, I found the following: the IPsec (Phase 2) session hung on one side.
Even if you physically disconnect the interface through which the tunnel is established, the Phase 2 session continues to hang.
To fix the problem, it was necessary to make changes to the tunnel configuration, for example, changing the address of the remote party. After applying these changes, the phantom session would disappear.

It's easy to see if you're experiencing this problem.
Run 'show crypto ipsec sa' before and after 'clear crypto ipsec sa'.
If you continue to see sessions with the same SPI, then you have encountered a similar problem.

It looks something like this:

> show crypto ipsec sa
interface: Outside

Crypto map tag: CSM_map, seq num: 2, local addr: 11.11.11.11
access-list CSM_IPSEC_ACL_1 extended permit ip 10.1.3.0 255.255.255.0 192.168.143.0 255.255.255.0
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.143.0/255.255.255.0/0/0)
current_peer: 12.12.12.12
#pkts encaps: 111, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 24A9E57A
current inbound spi : E008A5C1

> clear crypto ipsec sa

> show crypto ipsec sa
interface: Outside
Crypto map tag: CSM_map, seq num: 2, local addr: 11.11.11.11
access-list CSM_IPSEC_ACL_1 extended permit ip 10.1.3.0 255.255.255.0 192.168.143.0 255.255.255.0
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (10.1.3.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.143.0/255.255.255.0/0/0)
current_peer: 12.12.12.12
#pkts encaps: 231, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 24A9E57A
current inbound spi : E008A5C1

I've encountered this problem on:
- Standalone and HA systems
- Route-based and policy-based IPsec
- IKEv2
- Firepower 3100 and 2100
- v 7.2.8 and v 7.4.2.1

I haven't noticed any specific pattern of what causes this problem. I have opened two TAC cases on this issue, but no results were obtained.
If anyone has encountered or will encounter a similar problem, please post in this thread. Maybe this will motivate Cisco to open a bug case.
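The before/after check described in the post, as an added example (not the poster's code and not a Cisco tool): it parses two 'show crypto ipsec sa' captures, keys each SA by peer and SPI pair, and reports any SA whose SPIs survived 'clear crypto ipsec sa'. The sample text is constructed from the post's output; the extra counter check (encaps rising while encrypt stays 0) is an assumption drawn from the same output, not a documented symptom.

```python
import re

# Constructed sample modelled on the post's 'show crypto ipsec sa' output (not a real capture).
BEFORE = """\
interface: Outside
Crypto map tag: CSM_map, seq num: 2, local addr: 11.11.11.11
current_peer: 12.12.12.12
#pkts encaps: 111, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 34, #pkts decrypt: 0, #pkts verify: 0
current outbound spi: 24A9E57A
current inbound spi : E008A5C1
"""
# After 'clear crypto ipsec sa': same SPIs, only the encaps counter moved.
AFTER = BEFORE.replace("#pkts encaps: 111", "#pkts encaps: 231")

PEER = re.compile(r"current_peer:\s*(\S+)")
SPI = re.compile(r"current (outbound|inbound) spi\s*:\s*([0-9A-Fa-f]+)")
PKTS = re.compile(r"#pkts encaps:\s*(\d+), #pkts encrypt:\s*(\d+)")

def parse_ipsec_sa(text):
    """Map (peer, inbound_spi, outbound_spi) -> (encaps, encrypt) for each SA in the output."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := PEER.match(line):
            cur = {"peer": m.group(1)}
            entries.append(cur)
        elif cur is not None and (m := SPI.match(line)):
            cur[m.group(1)] = m.group(2).upper()
        elif cur is not None and (m := PKTS.match(line)):
            cur["encaps"], cur["encrypt"] = int(m.group(1)), int(m.group(2))
    return {(e["peer"], e.get("inbound"), e.get("outbound")): (e.get("encaps", 0), e.get("encrypt", 0))
            for e in entries}

def stuck_sas(before, after):
    """SAs whose (peer, SPI pair) survived the clear; a healthy tunnel comes back with new SPIs."""
    b, a = parse_ipsec_sa(before), parse_ipsec_sa(after)
    findings = []
    for key in sorted(a.keys() & b.keys(), key=repr):
        reason = "same SPIs after clear"
        (enc_b, _), (enc_a, cry_a) = b[key], a[key]
        if enc_a > enc_b and cry_a == 0:  # assumed extra hint: counted but never encrypted
            reason += "; encaps rising while encrypt stays 0"
        findings.append((*key, reason))
    return findings

if __name__ == "__main__":
    for peer, spi_in, spi_out, reason in stuck_sas(BEFORE, AFTER):
        print(f"STUCK peer={peer} in={spi_in} out={spi_out}: {reason}")
```

Feed it the two captures taken on the same firewall; an empty result means every SA was rebuilt with fresh SPIs.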
