Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
643
Views
0
Helpful
0
Replies

IKEv2 SAs are not expiring and cannot be cleared manually

john-serink
Level 1
Level 1

‎01-08-2021 05:53 AM

Hi All:

 

Here is my platform:

cisco ISR4431/K9 (1RU) processor with 1694893K/6147K bytes of memory.
Processor board ID FGL2404LMN6
4 Gigabit Ethernet interfaces
32768K bytes of non-volatile configuration memory.
4194304K bytes of physical memory.
6598655K bytes of flash memory at bootflash:.
0K bytes of WebUI ODM Files at webui:.

Cisco IOS XE Software, Version 16.12.04
Cisco IOS Software [Gibraltar], ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 16.12.4, RELEASE SOFTWARE (fc5)

 

 

Here is my issue:

CCrouter#sh crypto sess br
Status: A- Active, U - Up, D - Down, I - Idle, S - Standby, N - Negotiating
K - No IKE
ivrf = (none)
Peer I/F Username Group/Phase1_id Uptime Status<snip>

132.154.30.79 Gi0/0/0 CORS23 2w2d DN
47.8.246.42 Gi0/0/0 CORS33 1d07h DN

 

As you can see I have a SA that is 2 weeks and 2 days old and one that is 1 day and 7 hours old.

Both of the remote hosts are connected with new SAs. I have tried "clear crypto ikev2 sa remote" and "clear crypto session remote" on both and neither of those commands have any effect.

 

The remote hosts are Digi WR21 routers.

 

Are there any other commands I might be able to use to force those SAs to close?

 

Cheers,

john

 

 

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents