leftover entries in crypto ipsec sa

Discussion in 'Cisco' started by Rob, Jun 10, 2013.

  1. Rob

    Rob Guest

    I have a Cisco 1811 running IOS 15.1(4)M4

    It has both static (crypto map vpn) entries and temporary
    entries created by L2TP/IPsec users calling in from Windows XP.

    When I use "show crypto ipsec sa" I see the static entries,
    the dynamic entries active at that time, but also after the
    router has been up for some time I see more and more entries
    that are no longer in use but still are in that output.

    The "show crypto ipsec sa" output already is formatted in an
    unclear way (should have been an overview table and an additional
    command to request detail of a specific entry), but this accumulating
    garbage does not make it easier to find an entry I am looking for.

    The virtual interfaces of the leftover entries are long gone, but
    apparently this does not always clear the ipsec association entries.
    (It does not accumulate all entries, maybe only those that terminate
    with some specific failure condition.)

    Is there a way to clean up the table without a reload, or to fix
    this problem altogether?
    Rob, Jun 10, 2013

  2. Rob

    Rob Guest

    Is this newsgroup now only for "we buy cisco" spam?
    Is there a new place where technical topics are discussed?
    Rob, Jun 20, 2013

  3. It's certainly looking that way. There isn't much traffic
    here these days and the spammers have multiplied lately.
    You might try out Cisco's TechZone:

    Martin Gallagher, Jun 21, 2013
