2441 Views, 0 Helpful, 3 Replies

SDWAN / Zscaler / IPSec

maxnpj (Level 1)

Current config: vEdge 100M / Broadband / (2) Zscaler IPSec tunnels

We have two IPsec tunnels to Zscaler (IPsec instead of GRE because we are using DHCP instead of a static address on the broadband link). For the most part both tunnels stay up, but on occasion, for no reason that I can tell, they both go down and nothing other than rebooting the vEdge will bring them back up. Logs from Zscaler aren't too helpful, as they mainly show that the IPsec tunnel is down. Any advice/suggestions/clues where to look?


Things I have tried so far:

- shut/no shut the physical interface (ge0/4) - no joy
- shut/no shut both of the IPsec tunnels - no joy
- request ipsec ike-rekey - no joy
- request ipsec ipsec-rekey - no joy


"show ipsec ike sessions state" shows the state of both tunnels as "TERMINATED".


Accepted Solution

It depends. How do you source your IPsec interfaces, from the WAN interfaces or from loopbacks in VPN 0? There are bugs related to this which might affect you. For example, there is a bug where, if the interface you use to source the IPsec tunnel changes its IP (due to DHCP, perhaps), the IPsec process doesn't realize it and will still attempt to keep the connection up with the old IP as source, which will fail.


What's your IPsec interface configuration? What software version are you running?
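An added check for the condition described in this answer (not code from the thread, from Cisco or from Zscaler): compare the source address each IKE session is using with the address the DHCP-sourced WAN interface currently holds, and flag sessions that are TERMINATED or still bound to a stale address. The layout of the two command outputs is a constructed assumption; adapt the parsing to what the device actually prints.

```python
import re

# Constructed sample output for the failure the answer describes: the
# broadband interface has renewed its DHCP lease and received a new address,
# but both IKE sessions still carry the old source address. The column
# layout is an assumption, not the vEdge's real output format.
SAMPLE_IKE = """\
IF NAME  SOURCE IP      REMOTE IP      STATE
ipsec1   203.0.113.10   198.51.100.5   TERMINATED
ipsec2   203.0.113.10   198.51.100.6   TERMINATED
"""
SAMPLE_IFACE = "ge0/4  dhcp  203.0.113.27/24  up\n"  # constructed

# Healthy counterpart: source matches the WAN address and nothing is terminated.
HEALTHY_IKE = """\
IF NAME  SOURCE IP      REMOTE IP      STATE
ipsec1   203.0.113.27   198.51.100.5   ESTABLISHED
ipsec2   203.0.113.27   198.51.100.6   ESTABLISHED
"""

IPV4 = r"\b(\d{1,3}(?:\.\d{1,3}){3})\b"

def parse_ike_sessions(text):
    """Map tunnel name -> (source_ip, state); the first line is the header."""
    sessions = {}
    for line in text.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4:
            sessions[cols[0]] = (cols[1], cols[3])
    return sessions

def parse_wan_ip(text):
    """First IPv4 address with a prefix length, i.e. the current DHCP lease."""
    m = re.search(IPV4 + r"/\d+", text)
    return m.group(1) if m else None

def diagnose(ike_text, iface_text):
    """Return {tunnel: [issues]} for sessions that are down or whose IKE
    source address no longer matches the WAN interface address."""
    wan_ip = parse_wan_ip(iface_text)
    findings = {}
    for name, (src, state) in parse_ike_sessions(ike_text).items():
        issues = []
        if state == "TERMINATED":
            issues.append("down")
        if wan_ip and src != wan_ip:
            issues.append(f"stale-source {src} != wan {wan_ip}")
        if issues:
            findings[name] = issues
    return findings

if __name__ == "__main__":
    print(diagnose(SAMPLE_IKE, SAMPLE_IFACE))
```

A "stale-source" finding with both tunnels "down" is the signature of the DHCP-renewal bug described above and distinguishes it from an ordinary peer-side outage.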


3 Replies


We are sourcing from ge0/4, which is configured for DHCP and connected to broadband. As far as versions go, we are in the process of upgrading from 18.3.5 to 18.4.302.


Do you happen to have a bug ID, or maybe a link to this bug?


And thank you for the response.
