PIX - Isakmp SA

noahsark
Level 1

I have run into this a couple of times:

I am continuously setting up new PIXes for a site-to-site VPN. (All remote sites connect to a PIX 525 at the central site.) I'm using network management extensions and a RADIUS server. What happens is the VPN drops at a remote site and I am unable to re-establish the VPN tunnel. I've tried clearing the ISAKMP and IPsec SAs, reloading the PIX, etc. I've noticed that an ISAKMP SA remains on the PIX 525 well after the tunnel drops. I'm only able to re-establish the VPN after the SA clears out of the 525. It sometimes takes 15 minutes or longer. I can't use the "clear crypto isakmp sa" command on the 525, because I have over 20 remote sites connecting to the same endpoint. Is there any way to clear a specific SA off a PIX? I know it's possible with a 2801 router. Has anyone experienced the same issue?

Thanks,

Bill

2 Replies

a.kiprawih
Level 7

Try "clear ipsec sa peer" or "clear crypto ipsec sa peer". But if it doesn't work, try clearing them via individual SPI.

http://www.cisco.com/en/US/customer/products/ps6120/products_command_reference_chapter09186a008063f0de.html#wp2037443

- Issue "show ipsec sa", and check the session of peer "current_peer" you intend to disconnect.

- Look for its SPI under "current outbound spi:".

- Clear the session's SPI using "clear ipsec entry".

HTH

AK

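Turning AK's three steps into a script, as an added example that is not from the original thread or from Cisco: it parses "show ipsec sa" output in the PIX 7.x/ASA layout, finds the SA block whose "current_peer" matches the remote site, reads its "current outbound spi", cross-checks that value against the "outbound esp sas" list, and prints the peer-level and SPI-level clear commands. The sample output below is constructed for this example (RFC 5737 documentation addresses, made-up SPIs), not captured from the poster's PIX 525. The SPI-level syntax "clear crypto ipsec sa entry <peer> esp <spi>" is assumed from the PIX/ASA command reference linked above; check it against your release before pasting it into the central PIX.

```python
import re

# Constructed sample of "show ipsec sa" output (PIX 7.x/ASA format) with two
# remote peers. Addresses and SPIs are made up for this example.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.10.0/255.255.255.0/0/0)
      current_peer: 198.51.100.10

      #pkts encaps: 4151, #pkts encrypt: 4151, #pkts digest: 4151
      #pkts decaps: 3988, #pkts decrypt: 3988, #pkts verify: 3988

      local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.10
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 7E3A11C2

    inbound esp sas:
      spi: 0x2B9F04D1 (731120849)
         transform: esp-3des esp-sha-hmac none
    outbound esp sas:
      spi: 0x7E3A11C2 (2117734850)
         transform: esp-3des esp-sha-hmac none

    Crypto map tag: outside_map, seq num: 20, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.0.20.0/255.255.255.0/0/0)
      current_peer: 198.51.100.20

      local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.20
      current outbound spi: 0C4D5E6F

    inbound esp sas:
      spi: 0x91A2B3C4 (2443162564)
    outbound esp sas:
      spi: 0x0C4D5E6F (206462575)
"""

PEER_RE = re.compile(r"current_peer:\s*(\d{1,3}(?:\.\d{1,3}){3})")
CUR_OUT_SPI_RE = re.compile(r"current outbound spi:\s*([0-9A-Fa-f]+)")
SA_SPI_RE = re.compile(r"^spi:\s*0x([0-9A-Fa-f]+)")


def parse_show_ipsec_sa(text):
    """Return {peer: {"current_outbound_spi", "inbound_esp", "outbound_esp"}}.

    The output is a sequence of SA blocks; each block names its peer on a
    "current_peer:" line, so that line starts a new record and every
    following SPI line belongs to that peer until the next "current_peer:".
    """
    sas = {}
    peer = None
    section = None  # "inbound_esp" / "outbound_esp" while inside those lists
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            section = None
            sas.setdefault(peer, {"current_outbound_spi": None,
                                  "inbound_esp": [], "outbound_esp": []})
            continue
        if peer is None:
            continue  # header lines before the first SA block
        m = CUR_OUT_SPI_RE.search(line)
        if m:
            sas[peer]["current_outbound_spi"] = m.group(1).upper()
            continue
        if line.startswith("inbound esp sas"):
            section = "inbound_esp"
            continue
        if line.startswith("outbound esp sas"):
            section = "outbound_esp"
            continue
        m = SA_SPI_RE.search(line)
        if m and section:
            sas[peer][section].append(m.group(1).upper())
    return sas


def outbound_spi_consistent(entry):
    """True when "current outbound spi" is also listed under "outbound esp sas"."""
    return entry["current_outbound_spi"] in entry["outbound_esp"]


def clear_commands(text, peer):
    """Commands to tear down one peer's IPsec SAs without touching the others.

    Raises ValueError if the peer has no SA in the output, which is exactly the
    case where the lingering state is ISAKMP-only and these commands won't help.
    Command syntax is assumed from the PIX/ASA command reference (verify it).
    """
    sas = parse_show_ipsec_sa(text)
    if peer not in sas:
        raise ValueError("no IPsec SA for peer %s in show output" % peer)
    entry = sas[peer]
    cmds = ["clear crypto ipsec sa peer %s" % peer]
    spi = entry["current_outbound_spi"]
    if spi and outbound_spi_consistent(entry):
        cmds.append("clear crypto ipsec sa entry %s esp %s" % (peer, spi))
    return cmds


if __name__ == "__main__":
    for cmd in clear_commands(SAMPLE_SHOW_IPSEC_SA, "198.51.100.10"):
        print(cmd)
```

Paste the real "show ipsec sa" output into SAMPLE_SHOW_IPSEC_SA (or read it from a file) and pass the remote site's address; the peer-level command is the one AK suggests first, and the entry-level one is the per-SPI fallback. If the script raises because the peer has no IPsec SA at all, the leftover state on the 525 is the Phase 1 (ISAKMP) SA, which neither command clears.
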
I tried clearing the ipsec sa peer, but it doesn't clear the isakmp sa on the main PIX. The only thing I got to work was to clear the isakmp sa on the remote PIX and then temporarily disable the vpnclient (no vpnclient enable) on the remote PIX and re-enable it. This works... sometimes. I can't find any documentation which allows you to clear an isakmp sa by id. So I'm still searching and the problem still occurs.
