decommissioned VTI VPN phase 1 still up.

Hi guys.

 

I have a HUB in the head office and many small offices connected via DVTI VPN (IKEv2) to the HUB.

Yesterday one office's DVTI IKEv1 peer (t5.1ko.org) was decommissioned (router powered off and the internet line removed), but I still see router t5's session. The weird thing is that a PHASE 1 record exists (red below) while PHASE 2 doesn't exist (blue below):

 

HUB

+++++++++++

gate#sh cry sess bri
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
a.a.a.a Vi2 t1.1ko.org 21:29:29 UA
b.b.b.b Vi4 t2.1ko.org 1:24:27 UA
c.c.c.c Vi8 t3.1ko.org 13:12:45 UA
d.d.d.d Vi5 t4.1ko.org 0:19:36 UA

-= output omitted for brevity =-

e.e.e.e Vi10 t5.1ko.org UI

gate#

gate#sh cry ips sa pe e.e.e.e
gate#

gate#sh cry isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
T - cTCP encapsulation, X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

2084 x.x.x.x e.e.e.e ACTIVE aes sha psk 24 04:04:38 DN
Engine-id:Conn-id = SW:40

IPv6 Crypto ISAKMP SA

gate#

+++++++++++

HUB has following configuration for peer t5.1ko.org

+++++++++++

gate#

crypto ipsec profile E.E.E.E-VPN-PROFILE
description -= RA DVTI VPN E.E.E.E peer =-
set security-association lifetime kilobytes 4294967295
set security-association lifetime seconds 86400
set transform-set E.E.E.E-TS-AES128
set pfs group24
set isakmp-profile E.E.E.E-IKE-PROFILE
responder-only

gate#

crypto isakmp profile E.E.E.E-IKE-PROFILE
keyring E.E.E.E-VPN-KEYS
match identity user-fqdn t5.1ko.org
keepalive 25 retry 3
virtual-template 2

+++++++++++

 

I understand that Phase 1 stays up until the timer expires (red above), but why doesn't the keepalive (marked blue above) trigger clearing of the ISAKMP session for peers who are not responding to keepalive queries? Could somebody explain?

 

Thank you.
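The outputs in the post show the shape of the problem: in "show crypto session brief" the t5 peer is "UI" (IKE SA up, idle, no uptime), "show crypto ipsec sa peer" returns nothing, and "show crypto isakmp sa detail" still lists an ACTIVE Phase 1 SA with "D" (DPD) in the Cap. column. The following is an added example, not part of the original post and not a Cisco tool: a small Python helper that parses pasted copies of those two show commands, flags every session that is up but not active (Phase 1 with no Phase 2 behind it), cross-references the IKE SA table for the conn-id, remaining lifetime and DPD flag, and emits the "clear crypto session remote <peer>" command to tear the stale SA down by hand. It does not explain why DPD left the SA in place; it only makes such orphans easy to find. The sample text is constructed to mirror the post (placeholder peers kept), and the interface-name prefixes and the assumption of an empty I-VRF column are mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample output modelled on the post's "sh cry sess bri" and
# "sh cry isa sa det"; not captured from a real device.
SESSION_BRIEF = """\
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status
a.a.a.a Vi2 t1.1ko.org 21:29:29 UA
b.b.b.b Vi4 t2.1ko.org 1:24:27 UA
e.e.e.e Vi10 t5.1ko.org UI
"""

ISAKMP_DETAIL = """\
IPv4 Crypto ISAKMP SA

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

2083 x.x.x.x a.a.a.a ACTIVE aes sha psk 24 12:30:01 DN
Engine-id:Conn-id = SW:39
2084 x.x.x.x e.e.e.e ACTIVE aes sha psk 24 04:04:38 DN
Engine-id:Conn-id = SW:40

IPv6 Crypto ISAKMP SA
"""

TIME_RE = re.compile(r"^\d+:\d{2}:\d{2}$")        # uptime / lifetime column
STATUS_RE = re.compile(r"^[AUDISNK]+$")           # letters from the legend
IFACE_RE = re.compile(r"^(Vi|Tu|Gi|Fa|Se|Di)\d")  # assumed interface prefixes

@dataclass
class Session:
    peer: str
    interface: str
    identity: str
    uptime: Optional[str]   # None when the column is empty, as for t5
    status: str             # e.g. "UA" (up, active) or "UI" (up, idle)

@dataclass
class IkeSa:
    conn_id: str
    remote: str
    status: str
    lifetime: str           # time left on the Phase 1 SA
    caps: str               # Cap. column: D = DPD, N = NAT-T, K = keepalives
    engine_conn: Optional[str] = None

@dataclass
class Finding:
    session: Session
    ike: Optional[IkeSa]    # None if the IKE SA table had no row for the peer
    dpd_enabled: bool

def parse_session_brief(text: str) -> List[Session]:
    """One Session per data row; legend and header lines are skipped."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not STATUS_RE.match(tok[-1]) or not IFACE_RE.match(tok[1]):
            continue
        uptime = tok[3] if len(tok) >= 5 and TIME_RE.match(tok[3]) else None
        out.append(Session(tok[0], tok[1], tok[2], uptime, tok[-1]))
    return out

def parse_isakmp_detail(text: str) -> Dict[str, IkeSa]:
    """Index IKE SAs by remote peer; assumes the I-VRF column is empty as in the post."""
    sas: Dict[str, IkeSa] = {}
    last: Optional[IkeSa] = None
    for line in text.splitlines():
        tok = line.split()
        if tok and tok[0].isdigit() and len(tok) >= 9:
            if TIME_RE.match(tok[-1]):           # empty Cap. column
                lifetime, caps = tok[-1], ""
            else:
                lifetime, caps = tok[-2], tok[-1]
            last = IkeSa(tok[0], tok[2], tok[3], lifetime, caps)
            sas[last.remote] = last
        elif line.startswith("Engine-id:Conn-id") and last is not None:
            last.engine_conn = line.split("=", 1)[1].strip()
    return sas

def find_orphaned_phase1(sessions: List[Session], sas: Dict[str, IkeSa]) -> List[Finding]:
    """Up but not Active means an IKE SA exists with no IPsec SA behind it."""
    found = []
    for s in sessions:
        if "U" in s.status and "A" not in s.status:
            ike = sas.get(s.peer)
            found.append(Finding(s, ike, bool(ike and "D" in ike.caps)))
    return found

def clear_commands(findings: List[Finding]) -> List[str]:
    """IOS command that tears down the IKE SA (and any IPsec SAs) for that peer."""
    return [f"clear crypto session remote {f.session.peer}" for f in findings]

if __name__ == "__main__":
    hits = find_orphaned_phase1(parse_session_brief(SESSION_BRIEF),
                                parse_isakmp_detail(ISAKMP_DETAIL))
    for f in hits:
        ike = f.ike
        print(f"{f.session.peer} ({f.session.identity}) status={f.session.status} "
              f"uptime={f.session.uptime} conn-id={ike.conn_id if ike else '?'} "
              f"lifetime-left={ike.lifetime if ike else '?'} dpd={f.dpd_enabled}")
    for cmd in clear_commands(hits):
        print(cmd)
```

Paste the real command output into the two strings (or read them from files) and run it; the "dpd" field tells you whether the orphaned SA was negotiated with DPD at all, which is the first thing to check before asking why the keepalive never tore it down.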
