03-27-2010 08:54 PM
Hello,
A VPN session on my VPN router is showing "UP-NO-IKE". I have to clear the VPN session, or the remote end VPN has to reset its IPsec.
What could be the possible cause that makes this session status "UP-NO-IKE"?
Thanks,
03-27-2010 09:23 PM
Do you mean with the "UP-NO-IKE" status, you are not able to pass any traffic until you clear the SA and/or reset the remote peer?
What does the status of "show crypto isa sa" and "show crypto ipsec sa" show when you see "UP-NO-IKE"?
03-28-2010 07:08 AM
Yes, no data can pass until reset.
Nothing shows in "show crypto isakmp sa". I did not check "show crypto ipsec sa", but since I can see the IPSEC Flow in "show crypto session", I think it should be able to see the SPI and just no enc/dec data.
03-28-2010 04:43 PM
If you can't pass traffic, it seems like there are SAs mismatched between this site and others, i.e., this site might have had the SAs cleared while remote sites are still sending data on the old SAs. Not until you clear or reset the SA on remote sites does it start to negotiate for the new SAs.
12-08-2010 05:17 PM
Hi halijenn,
You are right on this (I also encountered such a problem). Is there any command to auto-detect and clear the old SA without a manual reset?
Thank you
10-09-2020 04:49 PM
Hi
Up-No-IKE – This occurs when one end of the VPN tunnel terminates the IPSec VPN and the remote end attempts to keep using the original SPI. This can be avoided by issuing crypto isakmp invalid-spi-recovery.
Note: first check the encryption domain IPs on both sides; both sides should match. Only if this is OK, apply the above solution.
Regards,
Rushikesh Misal
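The condition discussed in this thread can be spotted from collected "show crypto session" output before users report an outage. The following is an added example, not part of any post above: it parses that output and lists peers that still hold IPsec SAs with no IKE SA. The sample output is constructed and assumes the usual layout of the command's output; the function names are hypothetical.

```python
import re

# Constructed sample of "show crypto session" output (documentation addresses).
SAMPLE = """\
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 192.0.2.10 port 500
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.2.2.0/255.255.255.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 198.51.100.7 port 500
  IKE SA: local 203.0.113.1/500 remote 198.51.100.7/500 Active
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.3.3.0/255.255.255.0
        Active SAs: 2, origin: crypto map
"""

def parse_sessions(text):
    """Split the output into one dict per session block (starts at 'Interface:')."""
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "status": None,
                   "peer": None, "ike_sas": 0, "flows": 0, "active_sas": 0}
            sessions.append(cur)
        elif cur is None:
            continue  # banner lines before the first session
        elif line.startswith("Session status:"):
            cur["status"] = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur["peer"] = line.split()[1]
        elif re.match(r"IKE(v\d)? SA:", line):
            cur["ike_sas"] += 1
        elif line.startswith("IPSEC FLOW:"):
            cur["flows"] += 1
        elif (m := re.match(r"Active SAs:\s*(\d+)", line)):
            cur["active_sas"] += int(m.group(1))
    return sessions

def orphaned_ipsec(sessions):
    """Sessions whose IPsec SAs are up with no IKE SA left to manage them."""
    return [s for s in sessions
            if s["status"] == "UP-NO-IKE" or (s["active_sas"] > 0 and s["ike_sas"] == 0)]

if __name__ == "__main__":
    for s in orphaned_ipsec(parse_sessions(SAMPLE)):
        print(f"{s['peer']} on {s['interface']}: {s['active_sas']} IPsec SAs, no IKE SA")
```

A flagged peer is a candidate for the checks in the replies above: compare "show crypto ipsec sa" on both ends and confirm the encryption domains match.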