11-24-2006 04:16 PM - edited 02-21-2020 01:19 AM
I have run into this a couple of times:
I am continuously setting up new PIXes for a site-to-site VPN. (All remote sites connect to a PIX 525 at the central site.) I'm using network management extensions and a RADIUS server. What happens is the VPN drops at a remote site and I am unable to re-establish the VPN tunnel. I've tried clearing the isakmp and IPsec SAs, reloading the PIX, etc. I've noticed that an isakmp SA remains on the PIX 525 well after the tunnel drops. I'm only able to re-establish the VPN after the SA clears out of the 525. It sometimes takes 15 minutes or longer. I can't use the "clear crypto isakmp sa" command on the 525, because I have over 20 remote sites connecting to the same endpoint. Is there any way to clear a specific SA off a PIX? I know it's possible with a 2801 router. Has anyone experienced the same issue?
Thanks,
Bill
11-26-2006 05:15 PM
Try "clear ipsec sa peer
- Issue "show ipsec sa", and check the session of peer "current_peer" you intend to disconnect.
- Look for its SPI under "current outbound spi:".
- Clear the session's SPI using "clear ipsec entry
HTH
AK
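The steps above (run "show ipsec sa", find the peer's "current_peer" block, read its "current outbound spi", then clear that one entry) are easy to get wrong by hand on a box with 20-plus tunnels. The following is an added example, not code from the original thread or from Cisco: it parses a constructed sample of "show ipsec sa" output (modeled on the PIX/ASA 7.x format, not a real capture), maps each peer to its current outbound SPI, and builds the per-entry clear command for one peer. The command form "clear ipsec sa entry <peer> <protocol> <spi>" and the hex SPI argument are assumptions based on the ASA/PIX 7 command reference; verify the exact syntax and SPI format against the command reference for the release you run before pasting the output into a config session.

```python
"""Pick the outbound SPI for one IPsec peer out of 'show ipsec sa' output.

Added example for the thread above; not Cisco code. The sample text below is
constructed to look like PIX/ASA 7.x 'show ipsec sa' output and is not a real
capture. The generated 'clear ipsec sa entry ...' line is an assumption about
the command syntax; check it against the command reference for your release.
"""
import re

# Constructed sample: two L2L tunnels terminating on the hub (203.0.113.1).
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.5

      #pkts encaps: 1204, #pkts encrypt: 1204, #pkts digest: 1204
      #pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187

      local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.5

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 3A8F1C22

    inbound esp sas:
      spi: 0x7B2E9D40 (2066390336)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }
    outbound esp sas:
      spi: 0x3A8F1C22 (982162466)
         transform: esp-3des esp-sha-hmac none
         in use settings ={L2L, Tunnel, }

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.0.0/255.255.255.0/0/0)
      current_peer: 198.51.100.9

      local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.9

      path mtu 1500, ipsec overhead 74, media mtu 1500
      current outbound spi: 1D4C0A77

    inbound esp sas:
      spi: 0x5E66B301 (1583657729)
    outbound esp sas:
      spi: 0x1D4C0A77 (491391607)
"""

PEER_RE = re.compile(r"\s*current_peer:\s*(\S+)")
OUT_SPI_RE = re.compile(r"\s*current outbound spi:\s*([0-9A-Fa-f]+)")


def parse_outbound_spis(show_output):
    """Return {peer_ip: outbound_spi_hex} for every crypto map entry.

    The 'current_peer' line precedes 'current outbound spi' inside each
    entry, so we remember the most recent peer and attach the next SPI to it.
    The per-SA 'spi: 0x...' lines under 'inbound/outbound esp sas' are
    deliberately ignored; only the 'current outbound spi' line is used.
    """
    result = {}
    peer = None
    for line in show_output.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = OUT_SPI_RE.match(line)
        if m and peer is not None:
            result[peer] = m.group(1).upper()
            peer = None  # one SPI per entry; guard against a stray match
    return result


def clear_command(show_output, peer_ip, protocol="esp"):
    """Build the clear line for one peer without touching the other tunnels.

    Raises KeyError when the peer has no current IPsec SA, so a typo in the
    address does not silently produce a command for the wrong tunnel.
    """
    spis = parse_outbound_spis(show_output)
    if peer_ip not in spis:
        raise KeyError("no current IPsec SA for peer %s" % peer_ip)
    # Assumed syntax (PIX/ASA 7.x): clear ipsec sa entry <peer> <proto> <spi>
    return "clear ipsec sa entry %s %s 0x%s" % (peer_ip, protocol, spis[peer_ip])


if __name__ == "__main__":
    for peer, spi in sorted(parse_outbound_spis(SAMPLE_SHOW_IPSEC_SA).items()):
        print("%-16s outbound spi 0x%s" % (peer, spi))
    print(clear_command(SAMPLE_SHOW_IPSEC_SA, "198.51.100.9"))
```

In practice you would paste the real "show ipsec sa" output into SAMPLE_SHOW_IPSEC_SA (or read it from a file) and pass the remote site's peer address. Note that this only clears the phase-2 (IPsec) SA for that peer; it does nothing about a lingering phase-1 (isakmp) SA, which is the symptom the original post describes.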
01-15-2007 03:37 PM
I tried clearing the ipsec sa peer, but it doesn't clear the isakmp sa on the main PIX. The only thing I got to work was to clear the isakmp sa on the remote PIX and then temporarily disable the vpnclient (no vpnclient enable) on the remote PIX and re-enable it. This works... sometimes. I can't find any documentation which allows you to clear an isakmp sa by id. So I'm still searching and the problem still occurs.