Re: DMVPN Crypto Call Admission IKE SA limit

Ricky S · ‎01-30-2013

Hello friends, we have been having a few issues with our DMVPN spoke routers not establishing connection to random sites on occasion. It seems once we issue the "clear ip nhrp" command on the spoke router, things go back to normal. Could this be related to the number of IKE SA's that crypto call admission allows? We have approx. 80 sites who all have to communicate with one another time to time. Would it be meaningful to set the max crypto call admission ike sa limit to 90?

Ricky S · ‎02-03-2013

Anyone?

Jeff Van Houten · ‎02-03-2013

During renegotiation you will have two per site. Depending on the timeframe that sites renegotiate, 90 could be limiting. Increase to 110 and see if that takes care of it.

Sent from Cisco Technical Support iPad App

Ricky S · ‎02-04-2013

Hi Jeff, thanks for your response. Can you tell me the the difference between the below two commands?

crypto call admission limit ike sa 12

crypto call admission limit ike in-negotiation-sa 14

Jeff Van Houten · ‎02-04-2013

The first command is an absolute limit on the number of established Ike sa's you can have active on the router at any point in time. The second command is a limit on the number that can be in negotiation at one time.

Sent from Cisco Technical Support iPad App

Ricky S · ‎02-05-2013

Thanks for the clarification Jeff. Much appreciated.

It's been quite a challenge trying to get my head wrapped around this cryptology stuff.

I got one more question if you don't mind clarifying:

We have a dual DMVPN infrastructure with 2 hub routers at our data center and approx. 80 sites that establish Tunnel0 to primary hub and Tunnel1 to secondary hub.

If I'm understanding this correctly, 2 DMVPN tunnels would require 2 separate IPSEC (Phase1 and Phase2) negotiations among every other site. How many IKE SA limit and in-negotiation-limit should I configure in order for these to work FOREVER