
VPN session is up-no-ike

zhiqiang.yan
Level 1

Hello,

A VPN session on my VPN router is showing "UP-NO-IKE". I have to clear the VPN session or have the remote end VPN reset its IPsec.

What could be the possible cause that makes this session status "UP-NO-IKE"?

Thanks,

5 Replies

Jennifer Halim
Cisco Employee

Do you mean with the "UP-NO-IKE" status, you are not able to pass any traffic until you clear the SA and/or reset the remote peer?

What does the status of "show crypto isa sa" and "show crypto ipsec sa" show when you see "UP-NO-IKE"?

Yes, no data can pass until reset.

Nothing shows in "show crypto isakmp sa". I did not check "show crypto ipsec sa", but since I can see the IPSEC Flow in "show crypto session", I think it should be able to see the SPI and just no enc/dec data.

There is ICMP monitoring from our end to the remote end; when phase 1 expires, it should be reset by this icmp traff


If you can't pass traffic, it seems like there are SAs mismatched between this site and others, i.e. this site might have had the SAs cleared, while remote sites are still sending data on the old SAs. Not until you clear or reset the SA on the remote sites does it start to negotiate the new SAs.

Hi halijenn,

You are right on this (I also encountered such a problem). Is there any command to auto-detect and clear old SAs without a manual reset?

Thank you

Hi
Up-No-IKE – This occurs when one end of the VPN tunnel terminates the IPSec VPN and the remote end attempts to keep using the original SPI. This can be avoided by issuing "crypto isakmp invalid-spi-recovery".

Note: first check the encryption domain IPs on both sides; both sides should match. Only if this is OK, apply the above solution.

 

Regards,

Rushikesh Misal
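
As an added example (not code from any poster in this thread), a small Python check that scans "show crypto session" output for the condition discussed above: IPsec flows with active SAs but no IKE SA next to them. The sample output is constructed, its layout is assumed to follow typical IOS output, and the function names are hypothetical.

```python
import re

# Constructed sample of "show crypto session" output (documentation addresses).
SAMPLE = """\
Crypto session current status

Interface: GigabitEthernet0/0
Session status: UP-ACTIVE
Peer: 192.0.2.10 port 500
  IKE SA: local 198.51.100.1/500 remote 192.0.2.10/500 Active
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.2.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map

Interface: GigabitEthernet0/0
Session status: UP-NO-IKE
Peer: 192.0.2.20 port 500
  IPSEC FLOW: permit ip 10.1.0.0/255.255.0.0 10.3.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
"""

def parse_sessions(text):
    """Split the output into one dict per 'Interface:' session block."""
    sessions = []
    for block in re.split(r"(?m)^(?=Interface:)", text):
        status = re.search(r"(?m)^Session status:\s*(\S+)", block)
        if not status:
            continue  # banner or empty chunk, not a session block
        peer = re.search(r"(?m)^Peer:\s*(\S+)", block)
        sessions.append({
            "peer": peer.group(1) if peer else None,
            "status": status.group(1),
            "has_ike_sa": bool(re.search(r"(?m)^\s*IKE(v\d)? SA:", block)),
            "flows": re.findall(r"IPSEC FLOW:\s*(.+)", block),
            "active_sas": sum(int(n) for n in re.findall(r"Active SAs:\s*(\d+)", block)),
        })
    return sessions

def stale_candidates(sessions):
    """Sessions that hold IPsec SAs without an IKE SA alongside them."""
    return [s for s in sessions
            if s["status"] == "UP-NO-IKE" or (s["active_sas"] > 0 and not s["has_ike_sa"])]

if __name__ == "__main__":
    for s in stale_candidates(parse_sessions(SAMPLE)):
        print(f'{s["peer"]}: {s["status"]}, {s["active_sas"]} active SAs, flows={s["flows"]}')
```

Peers reported here are the ones to compare against "show crypto ipsec sa" counters on both ends before clearing anything.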