I am facing an issue with IPSEC where the IKE rekey is failing as soon as the timer expires (IKE rekey timer set to 8 hours). I have seen no IKE (IPSEC session up/no IKE) for a long time, and then the site router suddenly becomes unreachable and later comes back online.
If we clear the session or SA manually, the site router becomes reachable. The only thing I have observed is the HUB router is a Cisco 2800 with IOS c2800nm-advipservicesk9-mz.124-3e.bin and the site routers are Cisco 890 with c890-universalk9-mz.150-1.M7.bin.
Is there anything related to the IOS's?
Thanks & regards,

124-3e is pretty early code on your 2800, especially compared to the 150-1 on the 890. It might be helpful to upgrade code on the 2800.
I experienced some issues with rekey and found that configuring crypto isakmp keepalive
If neither of these solves the problem then the output of debug crypto isakmp might be helpful in finding the problem.

Thanks for the reply. I have DPD in place as well as crypto ipsec lifetime, which is configured to 35000 (I guess the default IPSEC lifetime is 36000) to make sure it clears SAs to renegotiate (as I said, there will be no IKE but IPSEC remains up for some time before it renegotiates).
I strongly feel it is the 2800 IOS, but I still need to know if it is really the issue.