Wednesday, March 27, 2013

Cisco ASA: MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY VPN Messages

This was a pain because I am not sure what the real problem was. I have this VPN and no one is complaining about anything, but I get the following:
ASA# sh cry isa sa

   Active SA: 9
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 10

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

2   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY

So what is up with the MM_REKEY_DONE_H2 and MM_ACTIVE_REKEY states? Well, I cleared the ISAKMP SA for that peer and watched it come back up in the following state:
ASA# clear crypto isakmp sa 4.40.40.3
ASA# sh cry isa sa
1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
ASA#

I don't know, but it seems to have worked in this case.
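As an added example (not part of the original post), here is a small Python check that can be run over polled `show crypto isakmp sa` output to spot exactly the condition above: a peer carrying one SA in MM_REKEY_DONE_H2 and another in MM_ACTIVE_REKEY, and still carrying them on the next poll. It parses the listing, checks the entries against the Active/Rekey counters, and prints the per-peer `clear crypto isakmp sa <peer>` command rather than the bare `clear crypto isakmp sa` that drops every tunnel on the box. The two captures it runs against are constructed to mirror the post's output (one from before the clear, one after); the polling-interval reasoning is an assumption of mine (a rekey that is still showing a few minutes later is treated as stuck), and the script only suggests the clear, it does not talk to a device.

```python
import re
from collections import defaultdict

# Constructed sample of `show crypto isakmp sa`, modelled on the post's listing
# (not captured from a real device): one peer holding a responder SA in
# MM_REKEY_DONE_H2 and an initiator SA in MM_ACTIVE_REKEY at the same time.
POLL_BEFORE = """\
IKEv1 SAs:

   Active SA: 3
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 4

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_REKEY_DONE_H2

2   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : yes             State   : MM_ACTIVE_REKEY

3   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

4   IKE Peer: 4.4.4.4
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# Constructed sample of the same box after `clear crypto isakmp sa 4.40.40.3`:
# the peer is back to a single SA in MM_ACTIVE.
POLL_AFTER = """\
IKEv1 SAs:

   Active SA: 3
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 3

1   IKE Peer: 4.40.40.3
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

2   IKE Peer: 2.2.2.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

3   IKE Peer: 4.4.4.4
    Type    : user            Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

# One SA entry spans three lines; the spacing varies between ASA versions
# (and between pastes), so the pattern only relies on the field labels.
ENTRY_RE = re.compile(
    r"^\s*\d+\s+IKE Peer:\s*(?P<peer>\S+)\s*\n"
    r"\s*Type\s*:\s*(?P<type>\S+)\s+Role\s*:\s*(?P<role>\S+)\s*\n"
    r"\s*Rekey\s*:\s*(?P<rekey>\S+)\s+State\s*:\s*(?P<state>\S+)",
    re.MULTILINE,
)
HEADER_RE = re.compile(r"^\s*(Active|Rekey) SA:\s*(\d+)", re.MULTILINE)

# The two states from the post. Both are normal mid-rekey states; the problem
# is their persisting after the rekey should long since have finished.
REKEY_STATES = {"MM_REKEY_DONE_H2", "MM_ACTIVE_REKEY"}


def parse_isakmp_sas(text):
    """Return one dict per IKE SA entry (peer, type, role, rekey, state)."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def header_counts(text):
    """Return the Active/Rekey SA counters from the summary header."""
    return {name: int(n) for name, n in HEADER_RE.findall(text)}


def counts_consistent(text):
    """Sanity check that the listed entries add up to the header counters."""
    entries = parse_isakmp_sas(text)
    hdr = header_counts(text)
    rekeying = sum(1 for e in entries if e["rekey"] == "yes")
    return rekeying == hdr["Rekey"] and len(entries) - rekeying == hdr["Active"]


def peers_in_rekey(text):
    """Map peer -> list of its SA states, for peers with any SA in a rekey state."""
    by_peer = defaultdict(list)
    for e in parse_isakmp_sas(text):
        by_peer[e["peer"]].append(e["state"])
    return {p: s for p, s in by_peer.items() if REKEY_STATES & set(s)}


def persistent_rekeys(earlier, later):
    """Peers in a rekey state in both polls (assumed minutes apart). A rekey
    should finish within that window, so these are the stuck candidates."""
    return sorted(set(peers_in_rekey(earlier)) & set(peers_in_rekey(later)))


def clear_commands(peers):
    """Per-peer clear commands, as used in the post; a bare
    `clear crypto isakmp sa` would drop every tunnel on the box."""
    return [f"clear crypto isakmp sa {p}" for p in peers]


if __name__ == "__main__":
    for peer, states in peers_in_rekey(POLL_BEFORE).items():
        print(f"{peer}: {', '.join(states)}")
    # Feeding the same capture twice stands in for a second, unchanged poll.
    for cmd in clear_commands(persistent_rekeys(POLL_BEFORE, POLL_BEFORE)):
        print("suggested:", cmd)
```

Run it as-is to see the stuck peer and the suggested command; in practice replace the two constants with output pulled from the ASA at two points in time. The `counts_consistent` check is there because a paste or a scroll-buffer cut that loses an entry would otherwise silently hide a stuck SA.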

4 comments:

  1. I've had the same issue and found that the crypto ipsec SA lifetimes were different.

     Replies:
     1. That is good to know. Thank you for giving us some good real-world experience.
     2. I am still getting the same message even after clearing the crypto isakmp SA, but there is no issue with the tunnel; everything works fine.

  2. Issuing "clear cry isa sa" will re-initiate all your VPNs.
    A better option would be to clear an individual crypto VPN by using "clear cry isa sa 1.2.3.4" for a specific peer, but not all versions of Cisco ASA/FW support clearing an individual peer.

    FW01# sh crypto isakmp sa

    IKEv1 SAs:

    Active SA: 4
    Rekey SA: 1 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 5

    1 IKE Peer: 12.12.21.12
    Type : L2L Role : responder
    Rekey : no State : MM_REKEY_DONE_H2
    2 IKE Peer: 1.1.1.1
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    3 IKE Peer: 2.2.2.2
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    4 IKE Peer: 3.3.3.3
    Type : L2L Role : responder
    Rekey : yes State : MM_ACTIVE_REKEY
    5 IKE Peer: 4.4.4.4
    Type : user Role : initiator
    Rekey : no State : MM_WAIT_MSG2

    There are no IKEv2 SAs
    FW01# clear cry isa sa 1.1.1.1
    ^
    ERROR: % Invalid input detected at '^' marker.
    FW01# clear cry isa sa ?


    WMSCB002-FW01# clear cry isa ?

    sa Clear IKEv1 and IKEv2 sas
    stats Clear IKEv1 and IKEv2 stats


    WMSCB002-FW01# clear cry isa sa ?


    FW01# clear cry isa sa

    FW01#
    FW01# sh crypto isakmp sa

    IKEv1 SAs:

    Active SA: 4
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 4

    1 IKE Peer: 1.1.1.1
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    2 IKE Peer: 2.2.2.2
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    3 IKE Peer: 3.3.3.3
    Type : L2L Role : responder
    Rekey : no State : MM_ACTIVE
    4 IKE Peer: 4.4.4.4
    Type : user Role : initiator
    Rekey : no State : MM_WAIT_MSG2

    There are no IKEv2 SAs
    WMSCB002-FW01#


