clear crypto isakmp tunnel not coming back up

mahesh18
Level 6

Hi Everyone,

I was testing IPsec in a lab between 2 routers.

It was working fine.

I ran the command clear crypto isakmp on one side and pinged the neighbor router, but the tunnel is not coming back up.

I then ran the same command on the other side and pinged the neighbor router; still no tunnel shows there.

On both sides I see:

1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

But the IPsec phase shows active:

1811w# sh crypto ipsec sa

interface: FastEthernet0
    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
    #pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x90EC4FE9(2431406057)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 181, flow_id: Onboard VPN:181, sibling_flags 80000046, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 182, flow_id: Onboard VPN:182, sibling_flags 80000046, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Can someone please let me know what's going on? It seems phase 1 is down and IPsec is up?

Thanks

mahesh

Accepted Solutions

olpeleri
Cisco Employee

In the IOS implementation of IKEv1, Phase I and Phase II can live and die separately.

By issuing clear crypto isakmp, you've cleared out the Phase I. The Phase II will remain until expiration and will recreate a new Phase I when a rekey is required.

Show crypto session will show the session as UP-NO-IKE, which is a normal state.

On ASA, however, the implementation is slightly different since it uses CCM [Continuous Channel Mode]. In that case, if the Phase I is going to be deleted, we delete the Phase II as well. [And vice versa: if the last P2 needs to be deleted, we naturally delete the P1 as well.]

I hope this answers your question.

Merry Xmas.

Olivier
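
Added example, not part of the original thread or Cisco's code: a Python check that reads the text of the two show commands from the question and reports the combined state per peer, so an empty ISAKMP table with ACTIVE ESP SAs is reported as UP-NO-IKE rather than as an outage. The sample outputs are constructed and trimmed, the function names are hypothetical, and the UP-ACTIVE, UP-IDLE and DOWN labels are a simplified mapping assumed here.

```python
import re

# Constructed sample input, modelled on the outputs in the question (trimmed).
ISAKMP_EMPTY = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
"""
ISAKMP_UP = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE
"""
IPSEC_UP = """   current_peer 192.168.99.2 port 500
     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        Status: ACTIVE
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(\S+)", re.M)

def ike_peers(isakmp_text):
    """Addresses seen in an ACTIVE Phase I row; the peer may be dst or src."""
    peers = set()
    for dst, src, _state, _conn, status in SA_ROW.findall(isakmp_text):
        if status == "ACTIVE":
            peers.update((dst, src))
    return peers

def ipsec_active_peers(ipsec_text):
    """Map each current_peer to the number of ACTIVE Phase II SAs under it."""
    counts, peer = {}, None
    for line in ipsec_text.splitlines():
        m = re.search(rf"current_peer ({IP})", line)
        if m:
            peer = m.group(1)
            counts.setdefault(peer, 0)
        elif peer and line.strip() == "Status: ACTIVE":
            counts[peer] += 1
    return counts

def session_state(peer, isakmp_text, ipsec_text):
    has_ike = peer in ike_peers(isakmp_text)
    has_ipsec = ipsec_active_peers(ipsec_text).get(peer, 0) > 0
    if has_ipsec:  # Phase II alive: traffic is still protected
        return "UP-ACTIVE" if has_ike else "UP-NO-IKE"
    return "UP-IDLE" if has_ike else "DOWN"
```

For monitoring, only DOWN for a peer that should carry traffic needs an alert; UP-NO-IKE after clear crypto isakmp on IOS is the state the answer describes as normal.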

2 Replies

Hi Olivier,

Many thanks, I understand it right now.

Regards

Mahesh