11-02-2017 02:24 AM - edited 03-12-2019 04:41 AM
Hi,
I have one IKEv2 site-to-site tunnel which has been stuck in this state:
IKEv2 SAs:
Session-id:15, Status:UP-IDLE, IKE count:1, CHILD count:0
Tunnel-id Local Remote Status Role
1319195545 x.x.x.x/4500 y.y.y.y/4500 READY RESPONDER
Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/1080711 sec
Active Time passed the lifetime long ago. 'clear crypto ikev2 sa' or 'clear ipsec sa peer y.y.y.y' won't terminate the tunnel. What can be done to terminate this tunnel? Rebooting the firewall isn't really a solution...
11-02-2017 07:03 PM
Hi,
Those commands you issued only restart the tunnel.
Try this:
clear configure crypto map <map name> <sequence no>
clear configure tunnel-group <peer ip address>
-If I helped you somehow, please, rate it as useful.-
11-02-2017 11:56 PM
@Flavio Miranda wrote:
Hi,
Those commands you issued only restart the tunnel.
Try this:
clear configure crypto map <map name> <sequence no>
clear configure tunnel-group <peer ip address>
-If I helped you somehow, please, rate it as useful.-
Hi,
Actually, I'm only trying to restart or even terminate the tunnel. I have also cleared the configuration, but the tunnel is still up in this 'up-idle' state.
11-03-2017 06:43 AM
Issue the following command
clear crypto ikev2 sa <peer ip address>
BRgds
11-09-2017 12:41 AM
This command didn't work either. I've tried it before, when I also tried this one:
12-28-2017 12:42 PM
Try clear crypto sessions or clear crypto sa peer <peer IP>