03-18-2013 04:19 AM - edited 03-04-2019 07:19 PM
Hi Guys,
I am facing an issue with IPSEC where the IKE rekey fails as soon as the timer expires (IKE rekey timer set to 8 hours). I have seen no IKE (IPSEC session up/no IKE) for a long time, and then the site router suddenly becomes unreachable and later comes back online.
If we clear the session or SA manually, the site router becomes reachable. The only thing I have observed is that the HUB router is a Cisco 2800 with IOS c2800nm-advipservicesk9-mz.124-3e.bin and the site routers are Cisco 890 with c890-universalk9-mz.150-1.M7.bin.
Is there anything related to the IOS versions?
Thanks & regards,
Santosh Pawar
03-18-2013 04:56 AM
Santosh Pawar
124-3e is pretty early code on your 2800, especially compared to the 150-1 on the 890. It might be helpful to upgrade code on the 2800.
I experienced some issues with rekey and found that configuring crypto isakmp keepalive
If neither of these solves the problem then the output of debug crypto isakmp might be helpful in finding the problem.
HTH
Rick
03-18-2013 06:26 AM
Hi Rick,
Thanks for the reply. I have DPD in place as well as crypto ipsec lifetime, which is configured to 35000 (I guess the default IPSEC lifetime is 36000), to make sure it clears SAs to renegotiate (as I said, there will be no IKE but IPSEC remains up for some time before it renegotiates).
I strongly feel it is the 2800 IOS, but I still need to know if it is really the issue.
Best regards,
Santosh
03-18-2013 09:05 AM
Sorry, the default IPSEC lifetime value is 3600, not 36000.