12-22-2012 08:27 AM
Hi Everyone,
I was testing IPSEC in the lab between 2 routers.
It was working fine.
I ran the command
clear crypto isakmp on one side and pinged the neighbor router, but the tunnel is not coming back up.
I then ran the same command on the other side and did the ping to the neighbor router; still no tunnel shows there.
On both sides I see
1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
But the IPSEC phase shows active
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
#pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x90EC4FE9(2431406057)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB5A39DEF(3047398895)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 181, flow_id: Onboard VPN:181, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4429521/2247)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x90EC4FE9(2431406057)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 182, flow_id: Onboard VPN:182, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4429521/2247)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
If someone can please let me know what's going on: it seems phase 1 is down and IPsec is up?
thanks
mahesh
12-23-2012 02:14 AM
In the IOS implementation of IKEv1, Phase I and Phase II can live and die separately.
By issuing clear crypto isakmp, you've cleared out the Phase I. The Phase II will remain until expiration and will recreate a new Phase I when a rekey is required.
Show crypto session will show the session as UP-NO-IKE, which is a normal state.
On ASA, however, the implementation is slightly different since it uses CCM [Continuous Channel Mode]. In that case, if the Phase I is going to be deleted, we delete the Phase II as well. [And vice versa: if the last P2 needs to be deleted, we naturally delete the P1 as well.]
I hope this answers your question.
Merry Xmas.
Olivier
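To make the "phase 2 alive, phase 1 gone" condition from this answer checkable from show output rather than by eye, here is an added example (not code from the thread or from Cisco) that parses constructed `show crypto isakmp sa` / `show crypto ipsec sa` samples modelled on the post and labels the peer with the state vocabulary of `show crypto session`. The sample strings, the state mapping and the regexes are assumptions of this example.

```python
import re
# Constructed samples modelled on the thread's output (SPIs and lifetimes from the post).
ISAKMP_EMPTY = "IPv4 Crypto ISAKMP SA\ndst src state conn-id status\n\nIPv6 Crypto ISAKMP SA\n"
ISAKMP_UP = ("IPv4 Crypto ISAKMP SA\ndst src state conn-id status\n"
             "192.168.99.2    192.168.99.1    QM_IDLE           1001 ACTIVE\n")
IPSEC_OUTPUT = """     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_ROW = re.compile(rf"^\s*({IPV4})\s+({IPV4})\s+(\S+)\s+(\d+)\s+(\S+)")
DIR_LINE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_LINE = re.compile(r"^\s*spi:\s*(0x[0-9A-Fa-f]+)")
LIFE_LINE = re.compile(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)")
STATUS_LINE = re.compile(r"^\s*Status:\s*(\S+)")

def count_isakmp_sas(text):
    """Phase 1: number of populated peer rows in 'show crypto isakmp sa'."""
    return sum(1 for line in text.splitlines() if ISAKMP_ROW.match(line))

def parse_esp_sas(text):
    """Phase 2: ESP SAs (direction, SPI, remaining kB/sec, ACTIVE?) from 'show crypto ipsec sa'."""
    sas, direction, cur = [], None, None
    for line in text.splitlines():
        if m := DIR_LINE.match(line):
            direction = m.group(1)
        elif m := SPI_LINE.match(line):
            cur = {"dir": direction, "spi": m.group(1), "kb": 0, "sec": 0, "active": False}
            sas.append(cur)
        elif cur and (m := LIFE_LINE.search(line)):
            cur["kb"], cur["sec"] = int(m.group(1)), int(m.group(2))
        elif cur and (m := STATUS_LINE.match(line)):
            cur["active"] = m.group(1) == "ACTIVE"
    return sas

def session_state(isakmp_text, ipsec_text):
    """Label the peer the way 'show crypto session' does for an IOS IKEv1 crypto-map peer."""
    p1 = count_isakmp_sas(isakmp_text)
    p2 = [sa for sa in parse_esp_sas(ipsec_text) if sa["active"]]
    if p1 and p2:
        return "UP-ACTIVE"
    if p2:   # phase 2 outlives 'clear crypto isakmp'; a new phase 1 is built at the next rekey
        return "UP-NO-IKE"
    return "UP-IDLE" if p1 else "DOWN"
```

The `sec` field of each parsed SA is the remaining lifetime, so it also tells you how long the UP-NO-IKE condition will persist before the rekey forces a new Phase I.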
12-23-2012 08:12 AM
Hi Olivier,
Many thanks, I understand it right now.
Regards
Mahesh