Router to router IPSEC session

santoshdpawar
Level 1

Hi Techs,

I have the network below, with a HQ router which builds a crypto session with a private source IP (RFC1918). The firewall in the middle (between WAN and HQ router) NATs the crypto source.

( HQ Router) --------------------------------------------( Firewall- NAT)-----WAN---------------- Remote sites over internet

c2800nm-advsecurityk9-mz.150-1.M8.bin

Each time the remote site changes public IP or loses connection, the HQ router is not able to flush the existing/old IKE/IPSEC sessions, though it forms a new one with the new public IP. When I clear the crypto session on HQ, the IKE reforms and the session resumes. Is there anything with IOS on HQ (RRI bug)?

Also I have crypto isakmp nat keepalive, DPD, invalid spi-recovery options enabled.

Thanks,

Santosh

4 Replies

Hello,

Have you tried changing the ISAKMP/IPsec SA lifetimes? Preferably on either end of the peer:

crypto isakmp policy priority lifetime (sec)

crypto ipsec security-association lifetime (sec)

res

Paul

Please don't forget to rate this post if it has been helpful.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks Paul, I will definitely try this option. I was always thinking some RRI bug (routes not clearing). Any thoughts on that?

Best regards,

Santosh

Hello,

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Mitchell Dyer
Level 1

Are you using a dynamic crypto map on the HQ side? Seems odd that the remote router would get a new address without tearing the tunnel down or the tunnel timing out.

You might look at changing the timeout period, as previously mentioned or look into the use of keep alives.

HTH

Sent from Cisco Technical Support iPhone App
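As an added example, not taken from any post in this thread, here is an HQ-side IOS configuration that ties together the knobs the replies mention: ISAKMP and IPsec SA lifetimes, periodic DPD, NAT keepalive, invalid-SPI recovery and a dynamic crypto map with reverse-route injection. The pre-shared key, transform set, map names and interface are placeholders; adapt them to the real deployment.

```cisco
! Added example configuration (not from the thread): HQ router behind a NAT firewall,
! accepting IKE from remote peers whose public address may change.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 28800
! Placeholder key; remote peers arrive from unknown public addresses, hence the wildcard
crypto isakmp key CHANGE-ME-PSK address 0.0.0.0 0.0.0.0
! Dead Peer Detection: probe every 10 s, retry every 3 s, sent on a fixed schedule
! (periodic) instead of only when HQ has traffic queued for the peer (on-demand)
crypto isakmp keepalive 10 3 periodic
! NAT-T keepalives keep the firewall's UDP/4500 translation for the HQ source alive
crypto isakmp nat keepalive 20
! Lets HQ re-key when a peer that rebooted or re-addressed sends an unknown SPI
crypto isakmp invalid-spi-recovery
!
! IPsec SA lifetime shorter than the IKE lifetime, so stale child SAs age out first
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha-hmac
!
! Dynamic map: peers initiate; reverse-route installs a route to each peer's
! protected network while its SA is up and withdraws it when the SA goes away
crypto dynamic-map DYN-REMOTES 10
 set transform-set TS-AES256
 reverse-route
!
crypto map VPN-MAP 10 ipsec-isakmp dynamic DYN-REMOTES
!
interface GigabitEthernet0/0
 description Inside interface facing the NAT firewall
 crypto map VPN-MAP
```

With periodic DPD the HQ declares a peer dead after the retry window even when no traffic is flowing to it, which is the case that leaves stale SAs (and their RRI routes) behind under on-demand DPD; `show crypto session detail` and `show ip route` will show whether old entries are in fact being removed.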
