I have some interesting output which I'm trying to wrap my head around while doing some troubleshooting to recover from lost network connectivity. I've included the snippet below of relevant output.
All the reading I've done thus far indicates that having an IPSec SA operational without an ISAKMP SA is perfectly normal. In fact, when IPSec goes to rekey its tunnel, if there isn't already an ISAKMP SA, it will fire one up to exchange its keys. Through experimentation I've found this to be at 200 seconds prior to expiry. The IPSec tunnels will show "Session status: UP-NO-IKE" and traffic will continue to flow normally.
My actual question pertains to DPD to detect SA failures in that I have enabled this on the spoke router (see below). When there IS an ISAKMP session it does indeed indicate the DPD feature is enabled under 'Cap' in the output. However, even with 'periodic' turned on, I still continually see no ISAKMP sessions... If I 'debug crypto isakmp' I also see no traffic.
1. Does DPD need to be enabled on the hub router for this to function correctly? (i.e. do both sides need to participate in DPD to generate a DPD response?) I can't find anything that definitively states both need to be enabled...
2. Also, based on a previous post by Wzhang, he indicated Invalid SPI Detection would not work for mGRE tunnels relying on NHRP for resolution (only works for virtual interfaces), so I assume this is not an option for your standard vanilla deployment of DMVPN.
Even with both sides running DPD, am I wrong to expect the IKE session to remain established? If I manually clear the ISAKMP sa, it never re-establishes itself. If I clear 'crypto sessions' this takes down both IKE and IPSec, and both are re-established.
How would my node (running DPD periodic) ever detect my remote peer is down, if ISAKMP is down, and doesn't even attempt to be re-established on its own? Again - even running a 'debug crypto isakmp' shows nothing with regards to DPD or any periodic ISAKMP traffic. :-/
2801#sh crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF  Status Encr Hash Auth DH Lifetime Cap.

2801#sh crypto ipsec sa | i lifetime
        sa timing: remaining key lifetime (k/sec): (4473850/2996)
        sa timing: remaining key lifetime (k/sec): (4473891/2996)
        sa timing: remaining key lifetime (k/sec): (4474243/3028)
        sa timing: remaining key lifetime (k/sec): (4477837/3028)
        sa timing: remaining key lifetime (k/sec): (4473850/2996)
        sa timing: remaining key lifetime (k/sec): (4473891/2996)
        sa timing: remaining key lifetime (k/sec): (4474243/3028)
        sa timing: remaining key lifetime (k/sec): (4477837/3028)

2801#sh run | i crypto
crypto keyring ring1 vrf outside
crypto logging session
crypto isakmp policy 1
crypto isakmp keepalive 10 periodic
crypto isakmp profile profile1
crypto ipsec transform-set proposal1 esp-aes esp-sha-hmac
crypto ipsec profile vpn1
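An added example, not part of the post above: a small Python checker that parses the two show outputs the poster quotes (ISAKMP SA detail and IPsec SA lifetimes) and reports whether an ISAKMP SA with the 'D' capability exists and which IPsec SAs are inside the rekey window. The sample outputs, addresses and the 200-second window are constructed from the post's observations, not documented IOS values.

```python
import re

# Constructed sample output modelled on the post's two show commands
# (addresses and timers are made up for this example).
ISAKMP_DET = """\
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
C-id  Local         Remote        I-VRF  Status Encr Hash Auth DH Lifetime Cap.
1001  198.51.100.2  203.0.113.1          ACTIVE aes  sha  psk  2  23:10:05 D
"""
IPSEC_LIFETIMES = """\
        sa timing: remaining key lifetime (k/sec): (4473850/2996)
        sa timing: remaining key lifetime (k/sec): (4473891/2996)
        sa timing: remaining key lifetime (k/sec): (4474243/150)
"""

STATUSES = {"ACTIVE", "QM_IDLE", "MM_NO_STATE", "MM_KEY_EXCH", "AG_INIT_EXCH"}
LIFETIME = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")

def parse_isakmp_sa(text):
    """One dict per SA row of 'sh crypto isakmp sa detail'; the legend and
    the header carry no rows, so an output with only those (as in the post) yields []."""
    sas = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():  # legend, header, blank line
            continue
        status = next((t for t in tok if t in STATUSES), "UNKNOWN")
        # Cap. flags trail the hh:mm:ss Lifetime; absent when no flags are set
        cap = "" if re.fullmatch(r"\d+:\d+:\d+", tok[-1]) else tok[-1]
        sas.append({"c_id": tok[0], "local": tok[1], "remote": tok[2],
                    "status": status, "dpd": "D" in cap})
    return sas

def ipsec_sas_near_rekey(text, window_sec=200):
    """Remaining seconds of each IPsec SA inside the rekey window; the 200 s
    default mirrors the poster's observation (assumption, not a documented value)."""
    return [int(sec) for _, sec in LIFETIME.findall(text) if int(sec) <= window_sec]

def ike_health(isakmp_text, ipsec_text):
    """Summarise whether DPD can currently do anything on this peer."""
    sas = parse_isakmp_sa(isakmp_text)
    rekey = ipsec_sas_near_rekey(ipsec_text)
    if not sas:
        # DPD R-U-THERE notifies are carried inside the ISAKMP SA (RFC 3706);
        # with none up there is nothing to send until an IPsec rekey rebuilds IKE.
        return "UP-NO-IKE", rekey
    if not any(sa["dpd"] for sa in sas):
        return "IKE-NO-DPD", rekey  # IKE up but 'D' was not negotiated
    return "IKE-DPD", rekey

if __name__ == "__main__":
    print(ike_health(ISAKMP_DET, IPSEC_LIFETIMES))
```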