ISR4321 crypto isakmp sa session deleted

technolust1
Level 1

Team,

 

Having an issue with Phase 2 of our VPN. Show crypto isakmp sa shows a bunch of deleted sessions.

 

dst       src     state                         conn-id     status 

ip         ip       MM_NO_STATE                 0      ACTIVE      (deleted)

***Removed IP addresses 

I have already re-applied the access-lists and reloaded the router.

 

Sh crypto session brief shows these.

Peer       I/F        Username     Group/Phase1_id     Uptime    Status

IP       (unknow                                                                           DN      

Any thoughts on how to clear these out?

 

Thanks,

 

Joe

 

12 Replies

a.alekseev
Level 7
What are you trying to do?

remove all of these sessions showing as deleted.

clear crypto sa
clear crypto isakmp

Tried both of those, but the deleted ones stay and any current sessions are dropped. I am thinking it could be a bug in the OS, but I can't find anything on the bug tracker.

 

Cisco IOS XE Software, Version 03.13.04.S - Extended Support Release

bootflash:/isr4300-universalk9.03.13.04.S.154-3.S4-ext.SPA.bin

What is your problem?

See all the conn-id showing 0 and the status as ACTIVE(deleted) next to them? I need to remove them but can't. I removed the IP addresses for obvious reasons.

 

INTROUTE01#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src    state                 conn-id      status
IP   IP  QM_IDLE              1017          ACTIVE
IP   IP  MM_NO_STATE    0                ACTIVE (deleted)
IP   IP  MM_NO_STATE    0                ACTIVE (deleted)
IP   IP  MM_NO_STATE    0                ACTIVE (deleted)
IP   IP  MM_NO_STATE    0                ACTIVE (deleted)
IP   IP QM_IDLE                1019          ACTIVE
IP   IP  MM_NO_STATE    1018          ACTIVE (deleted)
IP   IP  MM_NO_STATE     0               ACTIVE (deleted)
IP   IP  MM_NO_STATE     0               ACTIVE (deleted)
IP   IP  MM_NO_STATE     0               ACTIVE (deleted)
IP   IP  MM_NO_STATE     0               ACTIVE (deleted)
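As an added illustration (not part of the thread), a small Python parser for the `show crypto isakmp sa` table shown above that separates the stale `MM_NO_STATE` / conn-id 0 tombstones from entries that still carry a connection id, so the stale rows can be counted in a monitoring check rather than eyeballed. The peer addresses in the sample are constructed placeholders, as in the original post.

```python
import re
from typing import Dict, List

# Constructed sample shaped like the router output in the thread; addresses are
# documentation-range placeholders, not real peers.
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.1     198.51.100.7    QM_IDLE           1017 ACTIVE
203.0.113.1     198.51.100.8    MM_NO_STATE          0 ACTIVE (deleted)
203.0.113.1     198.51.100.9    MM_NO_STATE       1018 ACTIVE (deleted)
203.0.113.1     198.51.100.10   QM_IDLE           1019 ACTIVE
"""

# One data row: dst, src, ISAKMP state, conn-id, status, optional "(deleted)" tag.
ROW_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+"
    r"(?P<status>ACTIVE|STDBY)(?P<deleted>\s+\(deleted\))?\s*$"
)


def parse_isakmp_sa(text: str) -> List[Dict]:
    """Return one dict per SA row; header and banner lines do not match ROW_RE."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({
                "dst": m["dst"], "src": m["src"], "state": m["state"],
                "conn_id": int(m["conn_id"]), "status": m["status"],
                "deleted": m["deleted"] is not None,
            })
    return rows


def classify(row: Dict) -> str:
    """Bucket a row the way the thread discusses them."""
    if row["deleted"] and row["conn_id"] == 0:
        return "stale"          # no Phase 1 ever completed, entry only marked deleted
    if row["deleted"]:
        return "tearing-down"   # had a conn-id, deletion in progress
    if row["state"] == "QM_IDLE":
        return "established"    # Phase 1 done, Phase 2 can run
    return "negotiating"


def summarize(text: str) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for row in parse_isakmp_sa(text):
        bucket = classify(row)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts
```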

Something is wrong with your config or on the other side...

Here is the VPN Config.

I changed the 000.000.000.000 ip for obvious reasons.

 

crypto isakmp policy 3
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group scprod
key ********
dns 10.140.0.2
pool VPNDHCP
acl 113
crypto isakmp profile ike-scvpn
match identity group scprod
client authentication list vpnauth
isakmp authorization list vpnauthor
client configuration address respond
virtual-template 1


crypto ipsec transform-set scvpn esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set 11 esp-3des esp-sha-hmac
mode tunnel


crypto ipsec profile ipsec-scvpn
set transform-set scvpn
set isakmp-profile ike-scvpn


crypto dynamic-map sc-map 1
set transform-set scvpn

 

interface GigabitEthernet0/0/0
mtu 9000
ip address 000.000.000.000 255.255.255.252
ip nat outside
negotiation auto
no cdp enable
ip virtual-reassembly

interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0/0
ip mtu 1400
ip tcp adjust-mss 1300
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile ipsec-scvpn

ip nat inside source static tcp 192.168.10.10 22 interface GigabitEthernet0/0/0 2222
ip nat inside source route-map noNAT interface GigabitEthernet0/0/0 overload


Do you have any problem with VPN clients?
Can they connect normally?
Or are you just worried about the deleted items in "sh crypto isakmp sa"?

It's a mixture of both: we have some people who connect with no problem, other people who are not able to connect, and some people who connect but don't have access to everything. Just a weird anomaly. Thought maybe it was a duplicate IP somewhere, but if that were the case we would see issues locally. Then we also want the (deleted) entries removed.

Is Easy VPN server the only VPN-related configuration on your router?