GRE tunnel with IPSec - problem, tunnel down

Velimir Filipov
Level 1
Dear all,

I have a hub and spoke VPN.

Recently the hub was replaced with ISR 3925 with IOS 15.4(3)M1

The spokes are old 851 routers running 12.4 IOS

Now I am facing a strange issue.

From time to time it happens that the IPsec SAs (phase 2) to a certain spoke (each time a different one) disappear from the HUB for a reason unknown to me.

Whenever that happens, the HUB brings down the line protocol of the GRE tunnel (linestate mode reg down) (this behavior wasn't present in the older IOS).

When that happens, there is no way to bring the tunnel and the phase 2 SAs back up, other than manually:

1) shut/no shut the tunnel

2) clear the isakmp (phase 1) session

I have tried clearing the IPsec SAs (phase 2), and I have tried doing that on the spoke side as well - nothing happens.

I sniffed the traffic from the hub, and it seems that when that happens (no phase 2 SA and the tunnel goes down), the hub isn't actually trying to create phase 2 IPsec SAs unless you clear the phase 1 SA.

I think that because the tunnel is down, it wouldn't try to use that tunnel, so that's why it doesn't try to create new SAs - which leads to a paradox.

Is there any way to fix that issue - either make the HUB try to negotiate new phase 2 SAs when it loses them, or make it not bring down the tunnel when that happens?

Any advice would be much appreciated.

Thanks and best regards.