IPsec connection flapping

Hi

I have a problem with a spoke router, which is connected through a DMVPN tunnel to the hub (DMVPN phase 1).

The tunnel interface is Up, but encryption breaks from time to time (2-3 times per month). IPsec connection establishment stops in phase 1 with state MM_NO_STATE.

Keys, profiles and ISAKMP policies are identical on both sides.

In the debug output I see many attempts at retransmitting ISAKMP phase 1, and after that the router deletes the SA with reason "gen_ipsec_isakmp_delete but doi isakmp".

The Internet link is working well and I can ping the hub destination IP.

Your thoughts?

Thanks in advance
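A triage helper for the kind of `debug crypto isakmp` output described above, added here as an example; it is not code from the original post. The sample debug lines are constructed, modelled on the messages the poster quotes (the phase 1 retransmissions in MM_NO_STATE and the "deleting SA reason ..." line); their exact wording, the timestamps and the peer address 203.0.113.10 are assumptions, and real IOS output differs between releases. The script groups each Main Mode attempt, counts retransmissions, and records whether any packet came back from the peer before the SA was deleted, which separates "the hub never answered on UDP 500" from "the hub answered and the exchange still failed", a distinction that is hard to see by eye across weeks of debug.

```python
"""Group ISAKMP Main Mode attempts in a saved `debug crypto isakmp` capture."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, modelled on the messages quoted in the thread. The
# format, timestamps and peer IP (203.0.113.10, a documentation address) are
# assumptions, not a real capture.
SAMPLE_DEBUG = """\
Mar  1 10:00:01.101: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar  1 10:00:11.103: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar  1 10:00:11.103: ISAKMP (0:0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Mar  1 10:00:21.105: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar  1 10:00:21.105: ISAKMP (0:0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Mar  1 10:00:31.107: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Mar  1 10:00:31.107: ISAKMP (0:0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Mar  1 10:00:41.109: ISAKMP:(0):deleting SA reason "gen_ipsec_isakmp_delete but doi isakmp" state (I) MM_NO_STATE (peer 203.0.113.10)
Mar  1 10:05:01.200: ISAKMP:(0): sending packet to 203.0.113.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Mar  1 10:05:01.250: ISAKMP (0:0): received packet from 203.0.113.10 dport 500 sport 500 Global (I) MM_NO_STATE
Mar  1 10:05:01.262: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_I_MM2
"""

RE_TS = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d\.\d+):\s*(?P<msg>.*)$")
RE_PEER = re.compile(r"\b(?:to|from|peer)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)")
RE_RETRANS = re.compile(r"retransmitting phase 1 (?P<state>MM_\w+)")
RE_RECV = re.compile(r"received packet from")
RE_STATE = re.compile(r"New State = (?P<new>\w+)")
RE_DELETE = re.compile(r'deleting SA reason "(?P<reason>[^"]+)" state \(I\) (?P<state>MM_\w+)')


@dataclass
class Attempt:
    peer: str
    started: str            # timestamp of the first MM1 we sent
    retransmits: int = 0    # how often phase 1 was retransmitted
    received: int = 0       # packets that came back from the peer
    last_state: str = "MM_NO_STATE"
    outcome: str = "open"   # open | deleted | responded
    reason: str = ""        # IOS delete reason, when the SA was torn down


def parse_attempts(debug_text: str) -> list[Attempt]:
    """One Attempt per Main Mode exchange we initiated.

    Lines that carry no peer address (retransmit and state-transition lines)
    are attributed to the most recently started open attempt; that is an
    assumption which holds for a single-hub spoke like the one in the thread.
    """
    attempts: list[Attempt] = []
    open_by_peer: dict[str, Attempt] = {}
    last_open: Optional[Attempt] = None

    def close(a: Attempt) -> None:
        nonlocal last_open
        open_by_peer.pop(a.peer, None)
        if last_open is a:
            last_open = None

    for raw in debug_text.splitlines():
        m = RE_TS.match(raw.strip())
        ts, msg = (m["ts"], m["msg"]) if m else ("", raw.strip())
        peer_m = RE_PEER.search(msg)
        peer = peer_m["ip"] if peer_m else None

        if "sending packet" in msg and "MM_NO_STATE" in msg and peer:
            if peer not in open_by_peer:          # a fresh MM1, not a resend
                open_by_peer[peer] = Attempt(peer=peer, started=ts)
                attempts.append(open_by_peer[peer])
            last_open = open_by_peer[peer]
            continue

        target = open_by_peer.get(peer) if peer else last_open
        if target is None:
            continue
        if RE_RETRANS.search(msg):
            target.retransmits += 1
        elif RE_RECV.search(msg):
            target.received += 1
        elif (sm := RE_STATE.search(msg)):
            target.last_state = sm["new"]
            if sm["new"] != "IKE_I_MM1":         # peer answered, MM is moving
                target.outcome = "responded"
                close(target)
        elif (dm := RE_DELETE.search(msg)):
            target.outcome, target.reason = "deleted", dm["reason"]
            target.last_state = dm["state"]
            close(target)
    return attempts


def summarize(attempts: list[Attempt]) -> dict[str, dict[str, int]]:
    """Per peer: attempts started, attempts that died without a single reply,
    attempts where the peer responded. A high dead_no_reply count points at
    the path or the peer not processing UDP/500, not at policy contents."""
    out: dict[str, dict[str, int]] = {}
    for a in attempts:
        s = out.setdefault(a.peer, {"attempts": 0, "dead_no_reply": 0, "responded": 0})
        s["attempts"] += 1
        if a.outcome == "deleted" and a.received == 0:
            s["dead_no_reply"] += 1
        elif a.outcome == "responded":
            s["responded"] += 1
    return out


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_DEBUG):
        print(f"{a.started} peer={a.peer} retransmits={a.retransmits} "
              f"received={a.received} outcome={a.outcome} {a.reason}")
    print(summarize(parse_attempts(SAMPLE_DEBUG)))
```

Run it over a saved `debug crypto isakmp` capture from the spoke covering one of the monthly outages; an attempt with several retransmits, zero received packets and a deletion tells you the hub never replied during that window, which is a different investigation from a negotiation that starts and then fails.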

9 Replies

Joseph W. Doherty

What devices and what installed IOS versions?

Hi Joseph,

Cisco 2611XM (ADVIPSERVICESK9-M), spoke, IOS Version 12.3(21)

Cisco 7200, hub, IOS Version 12.4(24)T4

Disclaimer

The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.

Liability Disclaimer

In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.

Posting

I've found the later IOS versions seem a bit more stable when doing IPsec tunnel stuff. Your (24)T4 version, I've found, isn't too bad, but if you can, you might consider upgrading the 12.3(21) version.

Joseph,

Thank you for the advice. It definitely could be a good attempt at resolving this issue, but it is a production router, and an IOS upgrade means service degradation for some time, you know.

Nevertheless, I think this problem has another root cause...


Yes, booting into new code will cause a service interruption, but only a few minutes. Are you unable to schedule that?

Sure, it might have another cause, and for such, your best bet might be to work with TAC.

It's possible someone still might be able to suggest another cause, yet still, your spoke router, and its IOS, is a bit old.

BTW, since you're running DMVPN, any other spokes? If so, same router models and/or IOS versions, or something newer? If there are other "newer" spokes, and they are not having similar issues, it points toward this spoke router as the root of your problem.

Even a few minutes can sometimes be expensive... And surely, if I don't find another way to fix it, I will do the IOS upgrade.

Yes, I have DMVPN on other spokes, some of them with the same router models and IOS versions and some newer. The issue is only with that router.


Yes, any downtime can be expensive, but when you cannot spare 5 minutes in a scheduled (off-hours) maintenance window, I'm surprised you don't have redundancy. There's also the chance of much more downtime if such a critical device fails.

Hello

Try creating a new ISAKMP policy with a higher priority, so when the lower policy drops (higher preference) the new profile will negotiate. If that is then stable, remove the older policy.


Have you applied debugging on ISAKMP? If so, does that show anything?


re

paul



Kind Regards
Paul
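Paul's suggestion (a second, higher-priority ISAKMP policy) and the original poster's statement that the policies are identical on both sides both come down to how an IOS responder picks a phase 1 policy. The following is an added example, not code from the thread or from Cisco: it parses the `crypto isakmp policy` blocks out of two running-configs, fills in the IOS defaults for anything a block omits (DES, SHA, RSA signatures, group 1, 86400 s), emulates the documented responder rule (walk the responder's policies in priority order, accept the first one an offered policy matches on encryption, hash, authentication and DH group, with the offered lifetime no longer than the local one; the shorter lifetime wins), and reports field-by-field differences when nothing matches. The spoke and hub configs below are constructed, and the key string and peer address are placeholders.

```python
"""Emulate IOS ISAKMP phase 1 policy selection between two running-configs."""
from __future__ import annotations

import re
from dataclasses import dataclass, asdict
from typing import Optional

# IOS applies these when a `crypto isakmp policy` block omits a parameter, so
# two blocks that look different in the running-config may be identical once
# `show crypto isakmp policy` expands them.
IOS_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig",
                "group": "1", "lifetime": "86400"}

# Constructed configs (not from the thread). Key and peer address are placeholders.
SPOKE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key REPLACE_ME address 203.0.113.10
"""
HUB_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
"""
# The policy Paul suggests adding: a lower number is a higher priority.
NEW_POLICY = """\
crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
!
"""


@dataclass(frozen=True)
class IsakmpPolicy:
    priority: int
    encr: str
    hash: str
    authentication: str
    group: str
    lifetime: int


def parse_policies(config: str) -> list[IsakmpPolicy]:
    """Extract every `crypto isakmp policy N` block, defaults applied, sorted by priority."""
    policies: list[IsakmpPolicy] = []
    current: Optional[int] = None
    params: dict[str, str] = {}

    def flush() -> None:
        if current is not None:
            p = {**IOS_DEFAULTS, **params}
            policies.append(IsakmpPolicy(current, p["encr"], p["hash"],
                                         p["authentication"], p["group"], int(p["lifetime"])))

    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:
            flush()
            current, params = int(m[1]), {}
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            if key in ("encr", "encryption"):   # CLI keyword vs running-config spelling
                params["encr"] = val
            elif key in IOS_DEFAULTS:
                params[key] = val
        else:                                    # '!' or any other top-level line ends the block
            flush()
            current, params = None, {}
    flush()
    return sorted(policies, key=lambda p: p.priority)


def negotiate(initiator: list[IsakmpPolicy],
              responder: list[IsakmpPolicy]) -> Optional[tuple[int, int, int]]:
    """Return (initiator priority, responder priority, agreed lifetime) or None.

    Responder order governs: its highest-priority policy that any offered
    policy matches wins. Lifetime is not a match criterion beyond the offered
    value being <= the local one; the shorter (offered) lifetime is used."""
    for r in sorted(responder, key=lambda p: p.priority):
        for i in sorted(initiator, key=lambda p: p.priority):
            same_suite = (i.encr, i.hash, i.authentication, i.group) == \
                         (r.encr, r.hash, r.authentication, r.group)
            if same_suite and i.lifetime <= r.lifetime:
                return i.priority, r.priority, i.lifetime
    return None


def explain_mismatch(a: IsakmpPolicy, b: IsakmpPolicy) -> list[str]:
    """Field-by-field differences, for checking the 'identical on both sides' claim."""
    return [f"{k}: {va} != {vb}"
            for (k, va), vb in zip(asdict(a).items(), asdict(b).values())
            if k != "priority" and va != vb]


if __name__ == "__main__":
    spoke, hub = parse_policies(SPOKE_CONFIG), parse_policies(HUB_CONFIG)
    print("today:", negotiate(spoke, hub))
    print("with policy 5 on both:",
          negotiate(parse_policies(NEW_POLICY + SPOKE_CONFIG), parse_policies(NEW_POLICY + HUB_CONFIG)))
    bad = parse_policies(SPOKE_CONFIG.replace("group 2", "group 5"))
    print("spoke on group 5:", negotiate(bad, hub), explain_mismatch(bad[0], hub[0]))
```

Feed it the `show running-config | section crypto isakmp` output from both routers rather than the samples. If `negotiate` finds a match, a policy mismatch is not what is killing phase 1; if it returns None, `explain_mismatch` names the field, including defaults that one side spelled out and the other left implicit.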

Hi Paul,

Thanks for the idea, I will try it.

Yes, I have applied debugging on ISAKMP and, as I wrote, in the debug output I see many attempts at retransmitting ISAKMP phase 1, and after that the router deletes the SA with reason "gen_ipsec_isakmp_delete but doi isakmp".
