Showing results for 
Search instead for 
Did you mean: 

DMVPN & DPD vs. Invalid SPI Detection


I have some interesting output which I'm trying to wrap my head around while doing some troubleshooting to recover from lost network connectivity. I've included the snippet below of relevent output.

All the reading I've done thus far indicates that having an IPSec SA operational without an IKAKMP SA is perfectly normal. In fact, when IPSec goes to rekey it's tunnel, if there isn't already an ISAKMP SA, it will fire one up to exchange it's keys. Through experimentation I've found this to be at 200 seconds prior to expiry. The IPSec tunnels will show "Session status: UP-NO-IKE" and traffic will continue to flow normally.

My actual question pertains to DPD to detect SA failures in that I have enabled this on the spoke router (see below). When there IS an ISAKMP session it does indeed indicate DPD feature is enabled under 'Cap' in the output. However, even with 'periodic' turned on, I still continually see no ISAKMP sessions... If I 'debug crypto isakmp" I also see no traffic.

1. Does DPD need to be enabled on the hub router for this to function correctly? (ie. do both sides need to participate in DPD to generate a DPD response?) I can't find anything that definitively states both need to be enabled...

2. Also, based on previous post by Wzhang, he indicated Invalid SPI Detection would not work for mGRE tunnels relying on NHRP for resolution..(only works for virtual interfaces), so I assume this is not an option for your standard vanilla deployment of DMVPN.

Even with both sides running DPD, am I wrong to expect the IKE session to remain established? If I manually clear the ISAKMP sa, it never re-establishes itself. If I clear 'crypto sessions' this takes down both IKE and IPSec, and both are re-established.

How would my node (running DPD periodic) ever detect my remote peer is down, if ISAKMP is down, and doesn't even attempt to be re-established on its own? Again - even running a 'debug crypto isakmp' shows nothing with regards to DPD or any periodic ISAKMP traffic. :-/

2801#sh crypto isa sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local           Remote          I-VRF    Status Encr Hash Auth DH Lifetime Cap.

2801#sh crypto ipsec sa | i lifetime
        sa timing: remaining key lifetime (k/sec): (4473850/2996)
        sa timing: remaining key lifetime (k/sec): (4473891/2996)
        sa timing: remaining key lifetime (k/sec): (4474243/3028)
        sa timing: remaining key lifetime (k/sec): (4477837/3028)
        sa timing: remaining key lifetime (k/sec): (4473850/2996)
        sa timing: remaining key lifetime (k/sec): (4473891/2996)
        sa timing: remaining key lifetime (k/sec): (4474243/3028)
        sa timing: remaining key lifetime (k/sec): (4477837/3028)
2801#sh run | i crypto
crypto keyring ring1 vrf outside
crypto logging session
crypto isakmp policy 1
crypto isakmp keepalive 10 periodic
crypto isakmp profile profile1
crypto ipsec transform-set proposal1 esp-aes esp-sha-hmac
crypto ipsec profile vpn1

Everyone's tags (4)
CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards