01-30-2013 01:30 PM - edited 03-04-2019 06:53 PM
I have the network below, with an HQ router which builds a crypto session with a private source IP (RFC1918). The firewall in the middle (between the WAN and the HQ router) NATs the crypto source.
( HQ Router) --------------------------------------------( Firewall- NAT)-----WAN---------------- Remote sites over internet
c2800nm-advsecurityk9-mz.150-1.M8.bin
Each time the remote site changes public IP or loses connection, the HQ router is not able to flush the existing/old IKE/IPsec sessions, though it forms a new one with the new public IP. When I clear the crypto session on HQ, IKE re-forms and the session resumes. Is there anything with IOS on HQ (RRI bug)?
Also, I have the crypto isakmp nat keepalive, DPD and invalid-spi-recovery options enabled.
Thanks,
Santosh
01-30-2013 04:09 PM
Hello,
Have you tried changing the ISAKMP/IPsec SA lifetimes? Preferably on either end of the peering:
crypto isakmp policy priority lifetime (sec)
crypto ipsec security-association lifetime (sec)
res
Paul
Please don't forget to rate this post if it has been helpful.
01-31-2013 08:51 PM
Thanks Paul, I will definitely try this option. I was always thinking it was some RRI bug (routes not clearing). Any thoughts on that?
Best regards,
Santosh
02-01-2013 03:06 PM
Hello,
Please don't forget to rate this post if it has been helpful.
res
Paul
02-01-2013 07:53 PM
Are you using a dynamic crypto map on the HQ side? Seems odd that the remote router would get a new address without tearing the tunnel down or the tunnel timing out.
You might look at changing the timeout period, as previously mentioned, or look into the use of keepalives.
HTH
Sent from Cisco Technical Support iPhone App
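As an added example (not configuration from the original poster, from any reply above, or from Cisco), here is a hub-side IOS configuration that pulls together the options discussed in this thread: shortened ISAKMP and IPsec SA lifetimes, periodic DPD instead of the IOS on-demand default, NAT-T keepalives for the firewall's translation, invalid-SPI recovery, and a dynamic crypto map with reverse-route injection for spokes whose public address changes. The names (TS, DYN, VPN, HUBKEY), the interface, the 10.1.1.1 address and the timer values are placeholders I chose; the thread does not show the real ones. Pre-shared-key authentication and DH group 14 are assumptions as well (group 14 requires an image that supports it; older images offer only groups 2 and 5). The verification commands at the end are the ones I would run to tell a stale IKE SA or a leftover RRI route apart from a genuine routing problem.

```cisco
! --- Added example, not from the thread: HQ (hub) side, classic crypto map on IOS 15.x ---
! Placeholders: 10.1.1.1 (hub address behind the NAT firewall), HUBKEY, TS, DYN, VPN

! IKE phase 1 policy; lifetime reduced from the 86400 s default so stale SAs age out sooner
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
! Wildcard pre-shared key (assumption): spokes arrive from changing public addresses
crypto isakmp key HUBKEY address 0.0.0.0 0.0.0.0

! Periodic DPD: probe every 10 s, retry every 3 s, delete the SA when the peer stops answering.
! The IOS default is on-demand, which only probes when there is outbound traffic and the
! peer has gone silent; periodic DPD notices a spoke that silently changed its address.
crypto isakmp keepalive 10 3 periodic
! NAT-T keepalives every 20 s keep the firewall's UDP/4500 translation alive while idle
crypto isakmp nat keepalive 20
! A spoke that rebuilt its tunnel sends an SPI the hub no longer knows; renegotiate
! instead of silently dropping those packets
crypto isakmp invalid-spi-recovery

! IPsec SA lifetime reduced from the 3600 s default
crypto ipsec security-association lifetime seconds 1800
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac

! Dynamic crypto map: spokes with unknown or changing addresses initiate to the hub.
! reverse-route injects a static route for the remote proxy when the SA comes up and
! withdraws it when the SA is deleted (lifetime expiry, DPD failure or a manual clear).
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
crypto map VPN 10 ipsec-isakmp dynamic DYN

interface GigabitEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 crypto map VPN

! --- Verification after a spoke re-addresses (exec mode) ---
! Two IKE SAs for one spoke (old and new public IP) mean the stale SA was never torn down:
!   show crypto isakmp sa
!   show crypto session detail
! Check which IPsec SA is still passing packets and which SPIs are installed:
!   show crypto ipsec sa | include peer|#pkts|spi
! RRI routes appear as static routes; one still pointing at the old peer is the leftover:
!   show ip route static
! Clear only the stale peer instead of every session on the hub:
!   clear crypto session remote <old-public-ip>
```

The point of periodic DPD here is that with the on-demand default the hub only learns the old peer is gone when it has traffic to send and gets no reply, so an old SA (and its RRI route) can sit alongside the new one until its lifetime expires. Shorter lifetimes bound how long that overlap lasts; the `clear crypto session remote` form limits the blast radius of the manual fix to the one stale peer.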