Handle unexpected Cisco bugs

As fantastic as Cisco's IOS is, it's not completely bug-free. And unfortunately, these bugs often occur in the most complicated configurations like IPSec implementations. One particularly annoying issue that plagues several versions happens when IOS attempts to set up an encrypted tunnel, but the tunnel fails. At some point, the information in the router's memory doesn't get cleared when it should and this prevents the success of future attempts. This can drive technicians crazy, because the configuration was working in the past, and suddenly seems not to be working.

If you ever experience such a scenario, you can often resolve the problem by clearing the information in the router's memory. Rebooting the routers in question should solve the problem, but there are several less-drastic measures you should pursue first.

Start by removing the crypto map statements from the interface configs. Of course, this isn't always an option, since you may have active tunnels on the same interface and removing the crypto maps would disrupt that service. In that case, you can also attempt the commands:

clear crypto sa
clear crypto isa
no crypto ipsec sa

Once you have cleared the unwanted information from the router's memory, the tunnel should come up.
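When other tunnels share the interface, the clear can be limited to the stuck peer. The following is an added example, not part of the original tip: it compares two constructed `show crypto isakmp sa` snapshots and emits the scoped IOS forms `clear crypto isakmp <conn-id>` and `clear crypto sa peer <address>` only for entries that stay in the same non-QM_IDLE state. The sample addresses, the one-minute interval and the rule that a stale entry keeps its conn-id and state are assumptions.

```python
import re

# Constructed `show crypto isakmp sa` snapshots taken a minute apart, in the
# classic column layout. Addresses are documentation ranges, not real peers.
FIRST = """\
dst             src             state          conn-id slot
192.0.2.1       198.51.100.7    QM_IDLE           1001    0
192.0.2.1       203.0.113.9     MM_NO_STATE       1002    0
192.0.2.1       203.0.113.40    MM_KEY_EXCH       1003    0
"""
SECOND = """\
dst             src             state          conn-id slot
192.0.2.1       198.51.100.7    QM_IDLE           1001    0
192.0.2.1       203.0.113.9     MM_NO_STATE       1002    0
192.0.2.1       203.0.113.40    QM_IDLE           1003    0
"""

ROW = re.compile(r"^(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+([A-Z_]+)\s+(\d+)\b")

def parse_isakmp_sa(text):
    """Map conn-id -> (dst, src, state); header and blank lines are skipped."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return {m[4]: (m[1], m[2], m[3]) for m in rows if m}

def stuck_sas(first, second):
    """SAs that sit in the same non-QM_IDLE state in both snapshots.

    Assumption: the stale entry keeps its conn-id and state, while a
    negotiation that is merely in progress moves on between snapshots.
    """
    before, after = parse_isakmp_sa(first), parse_isakmp_sa(second)
    return {c: sa for c, sa in after.items()
            if sa[2] != "QM_IDLE" and before.get(c) == sa}

def scoped_clear_commands(first, second, local_ip):
    """Clear only the stuck peers; healthy tunnels are left untouched."""
    cmds = []
    for conn, (dst, src, _state) in sorted(stuck_sas(first, second).items()):
        peer = src if dst == local_ip else dst  # the end that is not this router
        cmds += [f"clear crypto isakmp {conn}", f"clear crypto sa peer {peer}"]
    return cmds

if __name__ == "__main__":
    print("\n".join(scoped_clear_commands(FIRST, SECOND, "192.0.2.1")))
```
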


Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.



This was first published in February 2003
