clear crypto isakmp tunnel not coming back up

mahesh18
Level 6

Hi Everyone,

I was testing IPSEC in Lab between 2 routers.

it was working fine

I ran the command

clear crypto isakmp on one side and pinged the neighbor router, but the tunnel is not coming back up.

I then ran the same command on the other side and pinged the neighbor router; still no tunnel shows there.

On both sides I see

1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

But the IPSEC phase shows active

1811w# sh crypto ipsec sa
interface: FastEthernet0
    Crypto map tag: VPN_MAP, local addr 192.168.99.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
   current_peer 192.168.99.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
    #pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
     current outbound spi: 0x90EC4FE9(2431406057)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 181, flow_id: Onboard VPN:181, sibling_flags 80000046, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        transform: esp-des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 182, flow_id: Onboard VPN:182, sibling_flags 80000046, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

If someone can please let me know what's going on: it seems phase 1 is down and IPsec is up?

thanks

mahesh

Accepted Solution

olpeleri
Cisco Employee

In the IOS implementation of IKEv1, Phase I and Phase II can live and die separately.

By issuing clear crypto isakmp, you've cleared out the Phase I. The Phase II will remain until expiration and will recreate a new Phase I when a rekey is required.

Show crypto session will show the session as UP-NO-IKE, which is a normal state.

On ASA, however, the implementation is slightly different since it uses CCM [Continuous Channel Mode]. In that case, if the Phase I is going to be deleted, we delete the Phase II as well. [And vice versa: if the last P2 needs to be deleted, we naturally delete the P1 as well.]

I hope this answers your question.

Merry Xmas.

Olivier
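To make the distinction concrete, here is a small added Python example (not from the thread, and not Cisco code) that parses the `show crypto isakmp sa` and `show crypto ipsec sa` output above and derives the session state Olivier describes: IPsec SAs still ACTIVE with an empty ISAKMP table is UP-NO-IKE, not a failure. The sample strings are constructed excerpts of the post's output, the state labels `DOWN`, `UP-NO-IKE` and `UP-ACTIVE` are assumed to match what `show crypto session` prints, and the legacy-transform check is an extra a reviewer would add.

```python
import re

# Constructed sample modelled on the post: IPv4 table header with no SA rows
# beneath it, i.e. Phase I has been cleared.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""

# Constructed excerpt of the post's `show crypto ipsec sa` output (ESP SAs only).
IPSEC_SA_OUTPUT = """\
     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        transform: esp-des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        transform: esp-des esp-sha-hmac ,
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
"""

LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-null"}  # weak or no confidentiality


def isakmp_sa_count(text):
    """Count ISAKMP SA rows: lines of the form '<dst-ip> <src-ip> <state> ...'."""
    return len(re.findall(r"^\d+\.\d+\.\d+\.\d+\s+\d+\.\d+\.\d+\.\d+\s+\S+", text, re.M))


def parse_ipsec_sas(text):
    """Return one dict per ESP SA: direction, spi, transform list, lifetime, status."""
    sas, direction, cur = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("esp sas:"):
            direction = s.split()[0]  # 'inbound' or 'outbound'
        elif s.startswith("spi:"):
            cur = {"direction": direction, "spi": s.split()[1].split("(")[0]}
            sas.append(cur)
        elif cur and s.startswith("transform:"):
            cur["transform"] = s[len("transform:"):].strip(" ,").split()
        elif cur and "remaining key lifetime" in s:
            kb, sec = re.search(r"\((\d+)/(\d+)\)", s).groups()
            cur["remaining_kb"], cur["remaining_sec"] = int(kb), int(sec)
        elif cur and s.startswith("Status:"):
            cur["status"] = s.split()[1]
    return sas


def weak_transforms(sas):
    """SPIs whose ESP transform uses a legacy cipher (esp-des in the post)."""
    return [sa["spi"] for sa in sas if LEGACY_TRANSFORMS & set(sa.get("transform", []))]


def session_state(isakmp_text, ipsec_text):
    """Assumed mapping onto `show crypto session` states (see lead-in)."""
    active = [sa for sa in parse_ipsec_sas(ipsec_text) if sa.get("status") == "ACTIVE"]
    if not active:
        return "DOWN"
    return "UP-ACTIVE" if isakmp_sa_count(isakmp_text) else "UP-NO-IKE"
```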


Hi Olivier,

Many thanks, I understand it right now.

Regards

Mahesh
