Wednesday, March 27, 2013

Cisco ASA: MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY VPN Messages

This was a pain because I am not sure what the real problem was. I have this VPN and no one is complaining about anything, but I get the following:
ASA# sh cry isa sa

   Active SA: 9
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

2   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY

So what is up with the MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY messages?  Well, I cleared the VPN and watched it come back up to the following message:
ASA# clear crypto isakmp sa 4.40.40.3
ASA# sh cry isa sa
1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA#

I don't know, but it seems to have worked in this case.
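As an added illustration (not from the original post or from Cisco), the following script parses the kind of "sh cry isa sa" listing shown above and reports any peer that carries more than one IKE SA, which is the MM_REKEY_DONE_H2 plus MM_ACTIVE_REKEY pattern. The sample output is constructed from the post's listing; the third peer (198.51.100.7) is an invented healthy entry. Because the ASA's own header notes that a tunnel legitimately shows two SAs while a rekey is in progress, a single snapshot is only a hint; polling twice a few minutes apart separates a transient rekey from a stuck one.

```python
"""Parse 'show crypto isakmp sa' output from a Cisco ASA and flag peers
that hold more than one IKE SA at the same time.

Added example, not Cisco code. The sample text below is constructed from
the post's listing plus one made-up healthy peer (198.51.100.7).
"""
import re
from collections import defaultdict

SAMPLE = """\
   Active SA: 9
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

2   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY

3   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""

# An entry starts with an index number followed by "IKE Peer: <address>".
PEER_RE = re.compile(r"^\s*\d+\s+IKE Peer:\s*(\S+)")
# Each detail line carries two "Key : value" pairs; pick the ones we care about.
KV_RE = re.compile(r"(Type|Role|Rekey|State)\s*:\s*(\S+)")


def parse_isakmp_sa(text):
    """Return a list of dicts, one per IKE SA entry in the listing."""
    entries = []
    current = None
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            current = {"peer": m.group(1)}
            entries.append(current)
            continue
        if current is not None:
            for key, val in KV_RE.findall(line):
                current[key.lower()] = val
    return entries


def find_multi_sa_peers(entries):
    """Group SAs by peer and return {peer: [states]} for peers with more
    than one IKE SA. Two SAs are normal during a rekey, so treat this as a
    hint to re-check rather than proof of a stuck rekey."""
    by_peer = defaultdict(list)
    for entry in entries:
        by_peer[entry["peer"]].append(entry.get("state", "?"))
    return {peer: states for peer, states in by_peer.items() if len(states) > 1}


if __name__ == "__main__":
    suspects = find_multi_sa_peers(parse_isakmp_sa(SAMPLE))
    for peer, states in suspects.items():
        print(f"{peer}: {len(states)} IKE SAs ({', '.join(states)}); "
              f"if this persists across polls, 'clear crypto isakmp sa {peer}' "
              f"as in the post, and compare SA lifetimes on both ends")
```

Run it as-is to see the post's peer reported with both states; feed it the real command output (for example captured over SSH) to use it as a periodic check.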

3 comments:

  1. I've had the same issue and found that the crypto ipsec SA lifetimes were different.

    Replies
    1. That is good to know. Thank you for giving us some good real world experience.

    2. I am still getting the same message even after clearing the crypto isakmp SA, but there is no issue with the tunnel; everything works fine.
