Ipsec with multipoint tunnel

CSCO10456946
Level 1

Hi,

I have a 3725 with 12.3.4 software, and I made it a hub with a multipoint tunnel interface on it with an IPsec profile applied, and a few distant routers with IPsec as spokes.

Everything works OK until the 3725 is rebooted.

After a reboot of the 3725, ISAKMP negotiation doesn't finish, stopping in MM_NO_STATE every time it starts.

After a clear crypto sa on the spoke side, everything works fine again.

5 Replies

fdessart
Cisco Employee

Hi,

Could you provide some debugging information ("deb cry isa", "deb cry ips") from the hub router and one spoke?

This should give us an idea why it is failing.

CSCO10456946
Level 1

Thank you for your answer. I will attach 2 files with deb cry isa and ips from both hub and spoke. (Sorry, the hub file was attached twice!)

Thank you.

I don't see much in the log as the hub is simultaneously negotiating with multiple spokes and I don't know the IP address of the spoke from which you sent me the log.

Furthermore, from the spoke side, it looks like it does not detect any failure (via DPD).

How it should work:

If the spoke needs to send some traffic to the hub but hasn't heard from it for some time, it will first send a DPD (Dead Peer Detection) packet to verify whether it is still there or not.

From the scenario you describe, the spoke should not receive any reply and, after a few retries, delete all SAs and restart negotiating when the hub is back.
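
The DPD behaviour described in the reply above, as an added example that is not part of the original thread: a simplified Python model of a spoke probing a hub that has lost its SAs after a reload. The class names, timer values and event labels are assumptions for illustration, not IOS internals.

```python
from dataclasses import dataclass, field

@dataclass
class Hub:
    up: bool = True
    sa_ids: set = field(default_factory=set)  # SAs the hub still holds

    def reboot(self):
        self.sa_ids.clear()  # a reload loses all SA state

    def answers_dpd(self, sa_id):
        # In this model an R-U-THERE is acknowledged only for an SA the hub knows.
        return self.up and sa_id in self.sa_ids

@dataclass
class Spoke:
    idle_limit: int = 10   # seconds of silence before probing (assumed value)
    max_retries: int = 3   # unanswered probes before teardown (assumed value)
    sa_id: int = 0         # 0 means no SA
    last_heard: int = 0
    next_id: int = 1
    events: list = field(default_factory=list)

    def negotiate(self, hub, now):
        if not hub.up:
            self.events.append("negotiation-failed")
            return False
        self.sa_id, self.next_id = self.next_id, self.next_id + 1
        hub.sa_ids.add(self.sa_id)
        self.last_heard = now
        self.events.append("sa-established")
        return True

    def send(self, hub, now):
        """Spoke has traffic for the hub; returns True if it could be sent."""
        if self.sa_id == 0:
            return self.negotiate(hub, now)
        if now - self.last_heard <= self.idle_limit:
            return True  # peer heard recently: use the existing SA, no probe
        for _ in range(self.max_retries):  # peer silent: probe before sending
            self.events.append("R-U-THERE")
            if hub.answers_dpd(self.sa_id):
                self.events.append("R-U-THERE-ACK")
                self.last_heard = now
                return True
        self.events.append("delete-sas")  # peer declared dead
        self.sa_id = 0
        return self.negotiate(hub, now)
```

If the `delete-sas` step never happens, the spoke keeps SAs that the reloaded hub no longer knows, which is the state the manual clear on the spoke removes.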

CSCO10456946
Level 1

Hi,

Thanks a lot for your reply!

My problem was that the new negotiations after a hub reboot fail until a clear cry sa on the spoke. I think that I have a software bug, because after changing the IOS from 12.3.4T4 (an early deployment) to 12.3.6b (a limited deployment) my problem was solved.

Thanks for your update.

Happy your problem is solved.

Francois.