
Certain SA is weeks old and cannot be removed

john-serink
Level 1

Hello All:

 

My platform:

Cisco IOS XE Software, Version 16.12.04
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)

cisco ISR4431/K9 (1RU) processor with 1694893K/6147K bytes of memory.
Processor board ID FGL2404LMN6
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
6598655K bytes of flash memory at bootflash:.

 

 

ok, check this out:

CCrouter#sh crypto session br | grep CORS23
117.234.102.74 Gi0/0/0 CORS23 03:16:58 UA
132.154.30.79 Gi0/0/0 CORS23 3w6d DN

 

I have tried the following on the DN SA:

clear crypto session remote 132.154.30.79

clear crypto ikev2 sa remote 132.154.30.79

and:

clear crypto ikev2 sa

 

And it just won't go away.

I have a second one that is a week old that is doing exactly the same thing.

How do I get the Cisco to dump that old SA?

 

The remote routers are Digi WR21 units.

 

Cheers,

john
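
An added example, not part of the original post and not Cisco code: a Python script that scans `show crypto session brief` output for the condition described above, a session stuck in DN state well past a chosen age. It assumes the five-column row layout shown in the post and IPv4 peers; the function names and the one-day threshold are hypothetical.

```python
import re

# Constructed sample: the two rows quoted in the post, in the column order
# they show (peer, interface, profile, uptime, status).
SAMPLE = """\
CCrouter#sh crypto session br | grep CORS23
117.234.102.74 Gi0/0/0 CORS23 03:16:58 UA
132.154.30.79 Gi0/0/0 CORS23 3w6d DN
"""

UNIT_SECONDS = {"y": 365 * 86400, "w": 7 * 86400, "d": 86400, "h": 3600}


def uptime_seconds(text):
    """Convert IOS uptime strings such as 03:16:58, 1d02h or 3w6d to seconds."""
    if re.fullmatch(r"\d+:\d{2}:\d{2}", text):
        h, m, s = (int(p) for p in text.split(":"))
        return h * 3600 + m * 60 + s
    parts = re.findall(r"(\d+)([ywdh])", text)
    # Reject anything that is not made up entirely of <number><unit> pairs.
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised uptime: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def stale_down_sessions(output, max_age_seconds=86400):
    """Return (peer, profile, age_seconds) for DN sessions older than the limit."""
    stale = []
    for line in output.splitlines():
        fields = line.split()
        # Skip prompts, headers and anything that is not a 5-column IPv4 row.
        if len(fields) != 5 or not re.fullmatch(r"\d+(\.\d+){3}", fields[0]):
            continue
        peer, _iface, profile, uptime, status = fields
        try:
            age = uptime_seconds(uptime)
        except ValueError:
            continue
        if status == "DN" and age > max_age_seconds:
            stale.append((peer, profile, age))
    return stale


if __name__ == "__main__":
    for peer, profile, age in stale_down_sessions(SAMPLE):
        print(f"stale DN session: {peer} ({profile}), {age // 86400} days old")
```

Run against periodically collected output, this gives a list of peers whose down sessions persist after the clear commands, which is useful evidence for a TAC case.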

 

3 Replies

Hi,

There was a known bug with stale SAs, but I'm not sure which version it is in. It
seems to be the case here. Just to confirm, if you disable the VPN on the
Digi unit, are you able to delete the SA or not?

***** please remember to rate useful posts

If the Digi disappears, the SA remains.

The new Digi SA disappears but that old one remains.

I have another site doing the same thing.

 

Cheers,

john

Understood. Then it's most likely a bug. Try to change the IOS-XE version or
open a TAC case to have one recommended.

**** please remember to rate useful posts