VPN Tunnel is getting blocked

giaaaj
Level 1

Hi,

I am experiencing a problem with a VPN tunnel between a Cisco 2621 and a Concentrator 3000; it is getting irregularly blocked. In our CiscoWorks syslog I see the following error: "%CRYPTO-4-IKMP_NO_SA". I can get the tunnel working again by resetting it with clear crypto sa peer A.B.C.D. This is not the only tunnel configured on the Cisco 2621; I have many others that work well. When we were using IOS 12.2.26 on the Cisco 2621 there was no problem; the problem appeared after upgrading the Cisco router to 123-10b. Could somebody please advise on a possible reason for the blocking of the tunnel?

THX

ALI

2 Replies

Shawn Lebbon
Level 1

There always seem to be lots of bugs listed/fixed with all new versions of IOS that are under development. I think that 12.3-12a is the latest; maybe try that.

Also, I just found out last week that the 12.3 'T' line has a "crypto isakmp invalid-SPI-recovery" command (12.3-2T or later). (The T line has all the 'new' features being added into 12.3 in it along with bugfixes, whereas the regular line is ONLY the bugfixes.) Thus 12.3-10b wouldn't have it, even though it's a lot newer than 12.3-2T; this is a 'new feature' and only shown in the 'T' line of updates. The latest T-line, I believe, is 12.3-11T3.

I haven't had a chance to try the command out, but since we're having similar trouble, I'm going to take a look at it. Full info can be found here:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a7a76.html

Basically it allows the tunnels to re-establish automatically when one side goes away, without manual intervention. This doesn't solve the problem, but at least provides a 'fix'.

Hi,

Thanks for the suggestion. I have used the "set security-association idle-time " command on the crypto map and it is working well.

THX

ALI