12-22-2012 08:27 AM
Hi Everyone,
I was testing IPSEC in the lab between 2 routers.
It was working fine.
I ran the command
clear crypto isakmp on one side and pinged the neighbor router, but the tunnel is not coming back up.
I then ran the same command on the other side and did the ping to the neighbor router; still no tunnel shows there.
On both sides I see
1811w#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
But the IPSEC phase shows active
1811w# sh crypto ipsec sa
interface: FastEthernet0
Crypto map tag: VPN_MAP, local addr 192.168.99.1
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.99.0/255.255.255.0/0/0)
current_peer 192.168.99.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 3765, #pkts encrypt: 3765, #pkts digest: 3765
#pkts decaps: 3764, #pkts decrypt: 3764, #pkts verify: 3764
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 192.168.99.1, remote crypto endpt.: 192.168.99.2
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0x90EC4FE9(2431406057)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB5A39DEF(3047398895)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 181, flow_id: Onboard VPN:181, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4429521/2247)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x90EC4FE9(2431406057)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 182, flow_id: Onboard VPN:182, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4429521/2247)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
If someone can please let me know what's going on: it seems phase 1 is down and IPsec is up?
Thanks
mahesh
12-23-2012 02:14 AM
In the IOS implementation of IKEv1, Phase I and Phase II can live and die separately.
By issuing clear crypto isakmp, you've cleared out the Phase I. The Phase II will remain until expiration and will recreate a new Phase I when a rekey is required.
Show crypto session will show the session as UP-NO-IKE, which is a normal state.
On ASA, however, the implementation is slightly different since it uses CCM [Continuous Channel Mode]. In that case, if the Phase I is going to be deleted, we delete the Phase II as well. [And vice versa: if the last P2 needs to be deleted, we naturally delete the P1 as well.]
I hope this answers your question.
Merry Xmas.
Olivier
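To check for the state Olivier describes on your own routers, here is an added example (not from this thread or from Cisco): a small Python parser for the two show outputs quoted in the question that counts ISAKMP (Phase I) SAs, extracts each ESP (Phase II) SA's SPI, remaining lifetime and status, and classifies the peer. The sample output is constructed from the question; the UP-ACTIVE and DOWN labels are assumed to mirror show crypto session.

```python
import re
# Constructed sample, abbreviated from the outputs quoted in the question above:
# an empty "show crypto isakmp sa" and the two ACTIVE ESP SAs.
ISAKMP_OUTPUT = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA
"""
IPSEC_OUTPUT = """interface: FastEthernet0
   current_peer 192.168.99.2 port 500
     current outbound spi: 0x90EC4FE9(2431406057)
     inbound esp sas:
      spi: 0xB5A39DEF(3047398895)
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x90EC4FE9(2431406057)
        sa timing: remaining key lifetime (k/sec): (4429521/2247)
        Status: ACTIVE
"""

def isakmp_sa_count(text):
    """Count phase 1 SAs: data rows of 'show crypto isakmp sa' begin with an IPv4 dst."""
    return sum(1 for ln in text.splitlines() if re.match(r"\s*\d+\.\d+\.\d+\.\d+\s", ln))

def ipsec_sas(text):
    """Return (direction, spi, remaining_seconds, status) per ESP SA in 'show crypto ipsec sa'."""
    sas, direction, spi, secs = [], None, None, None
    for ln in text.splitlines():
        s = ln.strip()
        if m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m.group(1)
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):  # skips 'current outbound spi'
            spi = m.group(1)
        elif m := re.search(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)", s):
            secs = int(m.group(1))
        elif (m := re.match(r"Status: (\w+)", s)) and direction and spi:
            sas.append((direction, spi, secs, m.group(1)))
            spi = secs = None
    return sas

def diagnose(isakmp_text, ipsec_text):
    """Classify the peer the way 'show crypto session' does (state names assumed)."""
    phase1 = isakmp_sa_count(isakmp_text)
    phase2 = [sa for sa in ipsec_sas(ipsec_text) if sa[3] == "ACTIVE"]
    if phase2 and not phase1:  # the situation in the question: normal after clear crypto isakmp
        return "UP-NO-IKE", f"IKE is rebuilt at rekey, at most {min(sa[2] for sa in phase2)}s away"
    if phase2:
        return "UP-ACTIVE", f"{phase1} ISAKMP SA(s), {len(phase2)} active ESP SA(s)"
    return "DOWN", "no active ESP SA"
```

Feed it the pasted output of both commands; a result of UP-NO-IKE with a small remaining lifetime means Phase I will simply be renegotiated at the next rekey, as the answer explains.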
12-23-2012 08:12 AM
Hi Olivier,
Many thanks, I understand it right now.
Regards
Mahesh