IPSEC clear crypto session - a way of automating this?

phil_carter
Level 1

Hi,

I have a GRE tunnel running over IPSEC across the Internet, providing connectivity between a remote site and our central router. Connectivity is intermittently hanging causing loss of connectivity. There is a bit of NAT going on in the middle via a checkpoint firewall (for our central router only), and at one stage the firewall logs reported the remote router was trying to use non-standard ports for IPSEC connectivity (not 500 and/or 4500) - which were all being dropped. However, this is not currently being seen and the problem remains.

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 180
crypto isakmp key xxxxxx address x.x.x.x
crypto isakmp invalid-spi-recovery
!
crypto ipsec security-association idle-time 300
!
crypto ipsec transform-set xxxxxx_Transform esp-3des esp-md5-hmac
!
crypto ipsec profile VTI
 set transform-set xxxxxx_Transform
!
interface Tunnel1
 ip address 172.16.122.38 255.255.255.252
 ip mtu 1400
 load-interval 30
 tunnel source Dialer1
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI

When connectivity is lost to the remote site, the central router still displays an ACTIVE in/outbound IPSEC tunnel (using 'show crypto ipsec sa'). However, clearing the crypto session at the central end forces the IPSEC to renegotiate and come back up (using the default ports 500 / 4500).

I added the "crypto ipsec security-association idle-time 300" line in the hope that after 5 mins of idle-ness this would happen automatically, but this doesn't work.

Is there a way of forcing a reset to IPSEC automatically given a loss of traffic/idle state?

Rgds

Phil


Joseph W. Doherty
Hall of Fame

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

Perhaps a re-occurring script could be run on the router that looks at the crypto stats, and depending on what it "sees", clear the SA.
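One way to implement the "look at the crypto stats" check from this reply, as an added example that is not from the original thread or from Cisco: the script parses two samples of 'show crypto ipsec sa' output (here constructed inline, with documentation-range addresses) and flags a peer whose encaps counter keeps climbing while its decaps counter is frozen, which is the signature of an SA that still shows ACTIVE but is no longer passing return traffic. How the two samples are collected from the router (SSH, a scheduled job) is assumed and left out.

```python
import re

PEER_RE = re.compile(r"current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")


def parse_ipsec_sa(output):
    """Return {peer: (encaps, decaps)} summed over the SAs in 'show crypto ipsec sa' text."""
    counters, peer, enc, dec = {}, None, None, None
    for line in output.splitlines():
        if m := PEER_RE.search(line):
            peer, enc, dec = m.group(1), None, None
        elif m := ENCAPS_RE.search(line):
            enc = int(m.group(1))
        elif m := DECAPS_RE.search(line):
            dec = int(m.group(1))
        if peer and enc is not None and dec is not None:
            old_e, old_d = counters.get(peer, (0, 0))
            counters[peer] = (old_e + enc, old_d + dec)
            enc = dec = None  # one encaps/decaps pair per proxy identity
    return counters


def stalled_peers(before, after, min_sent=1):
    """Peers that encapsulated >= min_sent packets between samples but decapsulated none.
    A rekey resets the counters (encaps goes backwards), so such peers are not flagged."""
    stalled = []
    for peer, (enc_after, dec_after) in after.items():
        if peer in before:
            enc_before, dec_before = before[peer]
            if enc_after - enc_before >= min_sent and dec_after == dec_before:
                stalled.append(peer)
    return stalled


# Constructed sample output in the 'show crypto ipsec sa' layout (not from a real device).
SAMPLE_T0 = """\
interface: Tunnel1
   current_peer 198.51.100.2 port 500
    #pkts encaps: 1000, #pkts encrypt: 1000, #pkts digest: 1000
    #pkts decaps: 980, #pkts decrypt: 980, #pkts verify: 980
"""
# Five minutes later: we kept sending, nothing came back -> SA looks ACTIVE but is hung.
SAMPLE_T1 = SAMPLE_T0.replace("encaps: 1000", "encaps: 1150")

if __name__ == "__main__":
    print(stalled_peers(parse_ipsec_sa(SAMPLE_T0), parse_ipsec_sa(SAMPLE_T1)))
```

A peer listed by stalled_peers is the one to clear; a peer with no new encaps is idle rather than hung, which is why the idle-time knob alone does not catch this case.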

Phil

Creating a script to issue the clear crypto commands as Joseph suggests would be the easy part. The challenge would be in creating something that would detect when connectivity to the remote was lost. Perhaps there is something in IP SLA that could do this and kick off a script if connectivity goes down.

HTH

Rick


wleeb1010
Level 1

Set up an IP SLA and a corresponding tracker that pings the remote <internal ip> of the tunnel:

ip sla 1
 icmp-echo 10.255.0.1
 threshold 1000
 timeout 4000
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability

Set up an EEM applet that resets the tunnel by issuing a "clear crypto session remote <public ip>" if the corresponding tracker returns a state of down:

event manager applet track-1 authorization bypass
 event track 1 state down
 action 0001 cli command "enable"
 action 0002 cli command "clear crypto session remote 4.3.2.1"
 action 0003 syslog msg "Tunnel0 has gone down and was reset"

Curious how the clear crypto remote command works. For me the interface comes up and goes right back down. The clear crypto works.

tlovely
Level 1

A variant of the SLA would be to monitor the syslog; mine looks like this. Keep in mind that if the interface is not going down you will have to track another syslog message.

event manager applet Crypto_Recovery
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on interface Tunnel0, changed state to down"
 action 10 cli command "clear crypto session"
 action 20 syslog priority informational msg "tunnel0 was reset by EMA"
