
MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY

prashantrecon
Level 1

Hi All

I am getting the below error, but we are still able to access the machine at the far end. When I execute show crypto isakmp sa

I am getting the error

   IKE Peer: 195.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : no              State   : MM_REKEY_DONE_H2

  IKE Peer: 196.x.x.x

    Type    : L2L             Role    : responder

    Rekey   : yes             State   : MM_ACTIVE_REKEY

Note: PFS is not enabled on both sides.

When I executed the command clear crypto isakmp sa, it then displays as MM_active.

Can anyone explain the reason to me?
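
Added example, not part of the original post and not Cisco tooling: a small Python parser for the `show crypto isakmp sa` output pasted above, listing every SA whose state is not MM_ACTIVE so that lingering rekey states can be tracked over time. Treating MM_ACTIVE as the settled state is an assumption taken from this thread, and the function names are hypothetical.

```python
import re

# Output copied from the question above (peer addresses masked as posted).
SAMPLE = """\
   IKE Peer: 195.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2
  IKE Peer: 196.x.x.x
    Type    : L2L             Role    : responder
    Rekey   : yes             State   : MM_ACTIVE_REKEY
"""

PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = re.compile(r"(\w+)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return one dict per SA entry; a peer may appear more than once."""
    sas = []
    for line in text.splitlines():
        peer = PEER_RE.search(line)
        if peer:
            # A new "IKE Peer:" line starts a new SA record.
            sas.append({"Peer": peer.group(1)})
        elif sas:
            # "Key : value" pairs, two per line, belong to the current SA.
            for key, value in FIELD_RE.findall(line):
                sas[-1][key] = value
    return sas


def not_settled(sas, settled="MM_ACTIVE"):
    """List (peer, state, rekey) for SAs not in the assumed settled state."""
    return [
        (sa["Peer"], sa.get("State"), sa.get("Rekey"))
        for sa in sas
        if sa.get("State") != settled
    ]


if __name__ == "__main__":
    for peer, state, rekey in not_settled(parse_isakmp_sa(SAMPLE)):
        print(f"{peer}: state={state} rekey={rekey}")
```
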

5 Replies 5

prashantrecon
Level 1

Hi

Has anyone faced this problem?

Hello All, this issue is usually caused by a security-association lifetime mismatch in phase 2.

Match the security association on both ends and you will be fine.

Clearing the crypto IPsec and ISAKMP is a temporary measure, though.

jaymin_thaker
Level 1

Yes, I faced this issue.

I just bounced phase 1 and it started to work. I am not sure why this happens.

cisco# clear cry isa sa x.x.x.x

Hi all,

I faced the same issue today; jaymin_thaker's suggestion (cisco# clear cry isa sa x.x.x.x) worked out well.

The same issue happened in my environment. In the end I referred to a Cisco technology article, and it has worked for two days. Link is here: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-firewalls/212478-configure-asa-virtual-tunnel-interfaces.html I think the key is how the device identifies the same interesting traffic (src: 0.0.0.0/0; dst: 0.0.0.0/0) in the IKE rekey phase. So the Cisco ASA device used the IPsec proposal of the IKEv2 protocol to solve it. I guess if I use "isakmp profile" in an IOS device, possibly it also works.