Router to router IPSEC session

Hi Techs,

I have the network below, with an HQ router which builds a crypto session from a private source IP (RFC1918). The firewall in the middle (between the WAN and the HQ router) NATs the crypto source.

( HQ Router) --------------------------------------------( Firewall- NAT)-----WAN---------------- Remote sites over internet

c2800nm-advsecurityk9-mz.150-1.M8.bin

Each time the remote site changes public IP or loses connection, the HQ router is not able to flush the existing/old IKE/IPSEC sessions, though it forms a new one with the new public IP. When I clear the crypto session on HQ the IKE reforms and the session resumes. Is there anything with the IOS on HQ (RRI bug)?

Also I have crypto isakmp nat keepalive, DPD, invalid spi-recovery options enabled.

Thanks,

Santosh


Re: Router to router IPSEC session

Hello,

Have you tried changing the ISAKMP/IPsec SA lifetimes? - preferably on either end of the peer

crypto isakmp policy priority lifetime (sec)

crypto ipsec security-association lifetime (sec)

res

Paul

Please don't forget to rate this post if it has been helpful.



kind regards
Paul

Please rate and mark posts accordingly if you have found any of the information provided useful.
It will hopefully assist others with similar issues in the future

Router to router IPSEC session

Thanks Paul, I will definitely try this option. I was always thinking it was some RRI bug (routes not clearing). Any thoughts on that?

Best regards,

Santosh


Router to router IPSEC session

Hello,


res

Paul


Re: Router to router IPSEC session

Are you using a dynamic crypto map on the HQ side? Seems odd that the remote router would get a new address without tearing the tunnel down or the tunnel timing out.

You might look at changing the timeout period, as previously mentioned, or look into the use of keepalives.

HTH

Sent from Cisco Technical Support iPhone App
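As an added illustration (not part of this thread, and not a configuration from any poster), here is a Cisco IOS fragment for the HQ side that combines what the two replies suggest: shorter ISAKMP and IPsec SA lifetimes, periodic DPD, NAT-T keepalives, invalid-SPI recovery and a dynamic crypto map with RRI. The policy number, transform-set and map names (TS, DYN-MAP, HQ-MAP), the interface, the pre-shared key placeholder and all timer values are assumptions; pick values for your own environment.

```cisco
! Added example, not from this thread. Names, interface, PSK placeholder
! and timer values are assumptions.
!
! Phase 1: shorter lifetime so a stale IKE SA for a peer that silently
! changed its public IP ages out sooner (IOS default is 86400 s).
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
!
! Remote peers arrive from public IPs HQ does not know in advance,
! so a wildcard pre-shared key is used (assumed deployment choice).
crypto isakmp key REPLACE-WITH-STRONG-PSK address 0.0.0.0 0.0.0.0
!
! Periodic DPD (probe every 10 s, 3 retries) detects a dead peer even
! when no traffic flows; the default on-demand mode only probes when
! traffic is queued, which can leave an old SA lingering while a new
! one forms from the peer's new address.
crypto isakmp keepalive 10 3 periodic
! NAT-T keepalives keep the firewall's UDP/4500 translation alive.
crypto isakmp nat keepalive 20
! Re-key instead of silently dropping packets with an unknown SPI.
crypto isakmp invalid-spi-recovery
!
! Phase 2 lifetime, again below the 3600 s default, to bound how long
! a dead IPsec SA survives.
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Dynamic crypto map: HQ accepts peers from any address. reverse-route
! injects a static route for the remote proxy subnet while the SA
! exists and withdraws it when the SA is deleted, so a lingering SA
! also means a lingering RRI route.
crypto dynamic-map DYN-MAP 10
 set transform-set TS
 reverse-route
!
crypto map HQ-MAP 10 ipsec-isakmp dynamic DYN-MAP
!
interface GigabitEthernet0/0
 description Inside leg towards the NAT firewall (RFC1918 address)
 ip address 10.0.0.2 255.255.255.0
 crypto map HQ-MAP
```

To check whether the problem is a stale SA or a stale route, compare `show crypto session detail` and `show crypto isakmp sa` (the old peer address should disappear within the DPD retry window) against `show ip route static`, where RRI routes appear; a route that outlives its SA points at RRI, a surviving SA points at DPD or lifetime handling. Lifetimes are negotiated down to the shorter value offered by either peer, so lowering them on HQ alone already shortens the window. `clear crypto session remote <peer-ip>` remains the manual fallback the original poster describes.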