
IKE rekey failing

santoshdpawar
Level 1

Hi Guys,

I am facing an issue with the IPSEC where IKE rekey is failing as soon as the timer expires (IKE rekey timer set to 8 hours). I have seen no IKE (IPSEC session up/no IKE) for a long time and then the site router suddenly becomes unreachable and later comes back online.

If we clear the session or SA manually, the site router becomes reachable. The only thing I have observed is the HUB router with Cisco 2800 and IOS - c2800nm-advipservicesk9-mz.124-3e.bin and site routers - Cisco 890 with c890-universalk9-mz.150-1.M7.bin

Is there anything related to the IOS's?

Thanks & regards,

Santosh Pawar

3 Replies

Richard Burts
Hall of Fame

Santosh Pawar

124-3e is pretty early code on your 2800, especially compared to the 150-1 on the 890. It might be helpful to upgrade code on the 2800.

I experienced some issues with rekey and found that configuring crypto isakmp keepalive periodic was helpful. You might give that a try.

If neither of these solves the problem then the output of debug crypto isakmp might be helpful in finding the problem.

HTH

Rick

Hi Rick,

Thanks for the reply. I have DPD in place as well as crypto ipsec lifetime, which is configured to 35000 (I guess default IPSEC lifetime is 36000) to make sure it clears SAs to renegotiate (as I said, there will be no IKE but IPSEC remains up for some time before it renegotiates).

I strongly feel 2800 IOS but still need to know if it is really the issue.

Best regards,

Santosh

Sorry, the default IPSEC lifetime value is 3600, not 36000.
