I have a GRE tunnel running over IPSEC across the Internet, providing connectivity between a remote site and our central router. Connectivity is intermittently hanging, causing loss of connectivity. There is a bit of NAT going on in the middle via a Check Point firewall (for our central router only), and at one stage the firewall logs reported the remote router was trying to use non-standard ports for IPSEC connectivity (not 500 and/or 4500), which were all being dropped. However, this is not currently being seen and the problem remains.
crypto isakmp policy 10
crypto isakmp key xxxxxx address x.x.x.x
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association idle-time 300
crypto ipsec transform-set xxxxxx_Transform esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set xxxxxx_Transform
!
 ip address 172.16.122.38 255.255.255.252
 ip mtu 1400
 tunnel source Dialer1
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
When connectivity is lost to the remote site, the central router still displays an ACTIVE in/outbound IPSEC tunnel (using 'show crypto ipsec sa'). However, clearing the crypto session at the central end forces the IPSEC to renegotiate and come back up (using the default ports 500 / 4500).
I added the "crypto ipsec security-association idle-time 300" line in the hope that after 5 mins of idleness this would happen automatically, but this doesn't work.
Is there a way of forcing a reset to IPSEC automatically given a loss of traffic/idle state?
Perhaps a recurring script could be run on the router that looks at the crypto stats, and depending on what it "sees", clear the SA.
Creating a script to issue the clear crypto commands as Joseph suggests would be the easy part. The challenge would be in creating something that would detect when connectivity to the remote was lost. Perhaps there is something in IP SLA that could do this and kick off a script if connectivity goes down.
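One way to put the two replies above together on Cisco IOS is an IP SLA probe across the tunnel, a track object that follows its reachability, and an EEM applet that clears the crypto session to the peer when the track goes down. This is an added example, not configuration from the original thread. It reuses the page's own tunnel address 172.16.122.38 and the x.x.x.x peer placeholder; the probe target 172.16.122.37 is an assumption (the other host of the /30), and the object numbers and applet name are arbitrary.

```ios
! --- Added example: IP SLA + track + EEM to reset a hung IPsec session ---
! Probe the far end of the tunnel every 10 s, sourced from our tunnel address
! so the echo is forced through the VTI rather than the underlay.
! 172.16.122.37 is assumed to be the remote tunnel IP (the /30 peer of .38).
ip sla 10
 icmp-echo 172.16.122.37 source-ip 172.16.122.38
 frequency 10
 timeout 2000
ip sla schedule 10 life forever start-time now
!
! Track the probe's reachability. The down delay means three consecutive
! failed probes (30 s) before the tracked state flips, which avoids clearing
! a healthy SA on a single lost ping; the up delay damps flapping.
track 10 ip sla 10 reachability
 delay down 30 up 10
!
! When the track goes down, log it and tear down IKE + IPsec for that peer so
! both sides renegotiate (the same effect as the manual clear that the
! original poster found works). x.x.x.x is the page's peer placeholder.
event manager applet RESET-VTI-ON-LOSS
 event track 10 state down
 action 1.0 syslog msg "Track 10 down: clearing IPsec session to peer x.x.x.x"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto session remote x.x.x.x"
```

Two caveats when applying this. First, the probe itself is traffic inside the tunnel, so the existing "crypto ipsec security-association idle-time 300" line will never fire while the probe runs; the track, not the idle timer, becomes the recovery mechanism. Second, on older IOS releases the track syntax is "track 10 rtr 10 reachability" rather than "ip sla 10 reachability", and the applet should be tested with "debug event manager action cli" (or by watching the syslog message) before relying on it, since a misconfigured applet that clears the session on every probe hiccup would make the outages worse rather than better.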