ASR1001-X || CRYPTO-6-ISAKMP_MANUAL_DELETE || Crypto Message

netops044
Level 1

Hi,

 

We are running dynamic IPsec VPN between the spokes and the DC. The DC-end IPsec termination routers are ASR1001-X and the spoke end is ISR G2.

 

The DC-end routers are generating the log messages below. Can someone help me understand them?

 

Sep 14 18:06:53.014 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.
Sep 14 18:09:23.228 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.
Sep 14 18:10:05.760 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.

 

Thanks 

4 Replies

Hello,

 This may be helpful:

 

Error Message    %CRYPTO-6-UNAVAILABLE: IKE SA manually deleted. Do 'clear crypto sa peer %s' to manually clear IPSec SA's covered by this IKE SA.

Explanation    The IKE SA was deleted by user command. However, keepalives for this connection are enabled, and IPSec SA's covered by this IKE SA still exist. Since this IKE SA is now deleted, these IPSec SA's have no IKE SA covering them. The recommended action is to manually delete these IPSec SA's.
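
One way to tally these messages per peer from a saved syslog export, so the deletions can be lined up against operator activity (an added example, not part of the original thread). The `summarize` function, the sample text and the default year are assumptions; the timestamps in the post carry no year.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three lines quoted in the post plus one unrelated line.
SAMPLE = """\
Sep 14 18:06:53.014 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.
Sep 14 18:07:10.000 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Sep 14 18:09:23.228 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.
Sep 14 18:10:05.760 IST: %CRYPTO-6-ISAKMP_MANUAL_DELETE: IKE SA manually deleted. Do 'clear crypto sa peer 172.16.13.182' to manually clear IPSec SA's covered by this IKE SA.
"""

# Timestamp, time zone, the mnemonic, then the peer named in the cleanup hint.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \w+: "
    r"%CRYPTO-6-ISAKMP_MANUAL_DELETE: .*?clear crypto sa peer (?P<peer>[0-9A-Fa-f.:]+)'"
)

def summarize(log_text, year=2024):
    """Group ISAKMP_MANUAL_DELETE events by peer; year is assumed, not logged."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
            events[m["peer"]].append(ts)
    report = {}
    for peer, stamps in events.items():
        stamps.sort()
        # Seconds between consecutive deletions for the same peer.
        gaps = [round((b - a).total_seconds(), 3) for a, b in zip(stamps, stamps[1:])]
        report[peer] = {"count": len(stamps), "first": stamps[0],
                        "last": stamps[-1], "gaps_s": gaps}
    return report

if __name__ == "__main__":
    for peer, info in summarize(SAMPLE).items():
        print(f"{peer}: {info['count']} deletions, gaps (s) {info['gaps_s']}")
        # The cleanup command is the one the message itself names.
        print(f"  leftover IPSec SAs: clear crypto sa peer {peer}")
```
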

Thanks for the update!!!


So this is an informational message and there is no service impact notification on this. How do we stop/avoid triggering the syslog message?

 

Thanks,

 

As per the recommendation:  clear crypto sa peer "Remote Peer"

Dave!!!!!!
Level 1

Uh, no Flavio. That is not correct.
