
IKE rekey failing

santoshdpawar
Level 1

Hi Guys,

I am facing an issue with IPSEC where the IKE rekey is failing as soon as the timer expires (IKE rekey timer set to 8 hours). I have seen no IKE (IPSEC session up/no IKE) for a long time, and then the site router suddenly becomes unreachable and later comes back online.

If we clear the session or SA manually, the site router becomes reachable. The only thing I have observed is the HUB router with Cisco 2800 and IOS c2800nm-advipservicesk9-mz.124-3e.bin, and site routers, Cisco 890, with c890-universalk9-mz.150-1.M7.bin.

Is there anything related to the IOS versions?

Thanks & regards,

Santosh Pawar

3 Replies

Richard Burts
Hall of Fame

Santosh Pawar

124-3e is pretty early code on your 2800, especially compared to the 150-1 on the 890. It might be helpful to upgrade code on the 2800.

I experienced some issues with rekey and found that configuring crypto isakmp keepalive periodic was helpful. You might give that a try.

If neither of these solves the problem then the output of debug crypto isakmp might be helpful in finding the problem.

HTH

Rick

Hi Rick,

Thanks for the reply. I have DPD in place as well as crypto ipsec lifetime, which is configured to 35000 (I guess the default IPSEC lifetime is 36000), to make sure it clears SAs to renegotiate (as I said, there will be no IKE but IPSEC remains up for some time before it renegotiates).

I strongly feel it is the 2800 IOS, but I still need to know if it is really the issue.

Best regards,

Santosh

Sorry, the default IPSEC lifetime value is 3600, not 36000.