UP-NO-IKE after IKE lifetime exceeded ???

nvanhaute
Level 1

Hi all,

I use ISR G2 3925e (IOS 15.1(4)M) in a VPN env, x509 cert + crl (7h)

ike lifetime 24h / ipsec sa lifetime 8h

when ike lifetime is done, I have all my isakmp sessions in UP-NO-IKE state

but it still works (traffic is ok inside tunnels)

but sometimes it is broken and I need to clear session or shut/no shut tunnel interfaces

fyi : DPD is enabled

maybe it is related to that too, I have sometimes these messages in logs :

%CRYPTO-4-IKMP_NO_SA: IKE message from xxx.xxx.xxx.xxx has no SA and is not an initialization offer

any idea ?

best regards

Nicolas

2 Replies

Marcin Latosiewicz
Cisco Employee

Nicolas,

Can I suggest enabling periodic DPDs and monitoring the situation?

crypto isakmp keep 30 5 period

Periodic DPDs should at least make the IKE sessions stay on all the time.

Marcin

hi Marcin,

Yeah right now I'm using DPD on-demand (crypto isakmp keep 50)

I will try with periodic setting

Thanks

Nicolas