Can anyone assist with a problem I have when using an IPSEC Tunnel over ADSL service?
We have several ADSL remote sites connecting to a pair of Head End routers.
The connection uses a Cisco 887 router at the remote site and Cisco 1002 pair at the head end.
The problem is precipitated by the initial remote site VDSL line dropping which we believe is caused by auto-re-trains from the DLM - This should settle down after a few days as it is a new broadband connection.
The problem is that when the VDSL to the remote site goes down, (the outage seems to be approximatley 1 minute), although the unencrypted link to the remote site returns to service after about 1 minute the ISAKMP SAs seem to get out of sync between headend router and remote site and do not re-form automatically. Unless I carry out a clear crypto sa peer. The crypto isakmp keepalive is set to 10 seconds, and it has been suggested that this may not be long enough as the Dead Peer Detection is shutting the tunnel link down after 10 seconds plus 4x2 second retries.
However once the DPD has shut the tunnel down does that mean that the only way to bring it back is manually reset the crypto sa peer? I find that hard to believe.
You might be missing "crypto isakmp invalid-spi-recovery" command on any of the sides (I guess on Hub).
did you find a fix for this issue? I have a ticket with exactly same issue - also related to VDSL. Client says there is no issue if underlying connectivity for C892 is via ADSL.
Yes I logged a TAC call. The problem was caused by an ios bug which caused the MTU size on the IPSEC tunnel to reset on the running config from what I had configured it to if there was any interuption on the ADSL circuit. This meant that the MTU size no longer matched the other end of the IPSEC tunnel and this meant that the OSPF would not establish.
Cisco advised that this is a known bug. Check what version of ios you are running, there is a fix shown below.
Hope this helps you.
Known bug: CSCue47940.
This bug causes the statically configured MTU on an IPsec VTI to change somewhat sporadically, although most commonly when the physical link flaps or when the router is reloaded.
The fix for this bug is available in IOS 15.2(4)M5 on 887 Routers, and 15.2(4)S4/3.7.4S on ASR1002X.
Thank you. Let's see. In our case, C892 does not have internal ADSL/VDSL modem. It just terminates PPPoE circuit . VDSL i terminated on an external modem.
As someone suggested on this forum in another thread it could also be about desynchronized ISAKMP SAs which might be fixed with "crypto isakmp invalid-spi-recovery".