Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2105
Views
10
Helpful
19
Replies

Cisco ISR 4321 Router

Go to solution
salomidhogela
Spotlight
Spotlight

‎07-12-2022 11:22 PM

Hi

I am currently experiencing issues on the ISR 4321 Version 17.3.5 whereby the tunnel hangs and I need to reset it for packets to start transmitting.I have experiencing this issue on two devices already.

Regards,

Salom

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to Georg Pauwen

‎07-16-2022 11:28 AM - last edited on ‎07-28-2022 12:27 AM by Community Manager

Am I correct in understanding that there are multiple ipsec tunnels and that only one is experiencing this problem? If so would you post the output of

show crypto ipsec sa

for the involved tunnel when things are working, and then when the tunnel is experiencing the problem?

I wonder if the output of

debug crypto ipsec

for the involved peer might shed some light on this?

HTH

Rick

View solution in original post

0 Helpful
19 Replies 19

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎07-12-2022 11:48 PM

Other than the model of the router and the version of code we have no detail information to work with. Are there any log messages generated when this happens? If so please post the log messages. Otherwise I would ask that you post the configuration of the router.

HTH

Rick
0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎07-12-2022 11:59 PM

i agree with Ric here, you need also give further information in additional :

 

1. what is the other side device, is this cisco or any other vendor ?

2. Do you have control on another end? have you tried reset the tunnel other side instead of Router 4K here ?

3. how is you config looks like both the end.

4. is this issue from day 1 ? or did you see it recently or is this a new setup?

5. what kind of throughput license you have, and what throughput router handling.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight
In response to balaji.bandi

‎07-13-2022 12:15 AM

1. Cisco device

2. Yes, tunnel can reset from either end resolve the issue

3. I do not understand your question here.

4. It happened on device after a restart, on another device it happen two consecutive days(no device restart). I have replaced the 2900 with ISR4000, I still have one 2900 in the environment but I do not experience the same issue.

5. The current throughput level is 50000 kbps

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to salomidhogela

‎07-13-2022 12:30 PM

 I have replaced 2900 with ISR4000  - is this issue after replacing the router, and with 2900 work fine ?

3. I do not understand your question here.  - Post the tunnel config both the sides

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight
In response to balaji.bandi

‎07-14-2022 11:24 AM - last edited on ‎07-28-2022 12:20 AM by Community Manager

Yes the issue is happening after router replacement.

 

#Configs

description connectivity_to_***
ip address x.x.x.x x.x.x.x
ip mtu 9000
ip nat outside
ip route-cache same-interface
ip tcp adjust-mss 1448
crypto map Max_map
crypto ipsec df-bit clear
crypto ipsec fragmentation after-encryption
!
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to salomidhogela

‎07-14-2022 11:32 AM - last edited on ‎07-28-2022 12:21 AM by Community Manager 

ip mtu 9000!!!


sure the tunnel is flapping.

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight
In response to MHM Cisco World

‎07-14-2022 11:45 AM

The weird thing is that, I had the same configs on my old 2900 and after replacing it with ISR4321 I am now experiencing this issue. Could it be a bug maybe on the IOS?

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to salomidhogela

‎07-14-2022 11:52 AM

Try remove MTU and see (what interface is this ?) gig ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight
In response to balaji.bandi

‎07-14-2022 11:59 AM

It's a loopback interface, I will remove the MTU and test. On the outside interface I using the default MTU, and TCP MSS 1448.

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight

‎07-13-2022 12:00 AM

There are actually no logs for that specific peer. It happens this way that I am unable to send files size larger than 4kb and after resetting the tunnel it start transmitting. This only affect one tunnel, the other ones are fine.

Salom

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to salomidhogela

‎07-13-2022 06:20 AM - last edited on ‎07-28-2022 12:23 AM by Community Manager

 ping check the large MTU you can pass through the tunnel 

<hint use ping with sweep>


after check the MTU after it the ping is failed, config the correct MTU in tunnel interface.
also correct TCP MSS in tunnel.

0 Helpful

Go to solution
salomidhogela
Spotlight
Spotlight
In response to MHM Cisco World

‎07-13-2022 12:16 PM

I can send 1400 mtu size without df set and I have configured TCP MSS of 1448.

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to salomidhogela

‎07-13-2022 02:15 PM

First df must set for mtu check,

Second always tcp mss lower than mtu

 

0 Helpful

Go to solution
Elliot Dierksen
VIP
VIP

‎07-13-2022 02:05 PM

The TCP MSS is without the headers. If you can ping with 1400 byte ICMP packets, try setting TCP MSS to 1360.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card