Beginner

Manually fixing a tunnel with "clear crypto sa peer <ip-address>"

Dear community, 

Our Cisco 1921 establishes an IPsec tunnel with a peer at some other network with a server that we have to be connected to 24/7. It had been working for years until they made an upgrade of their peer a few months ago. Since then we have experienced a regularly recurring problem: the tunnel breaks and cannot be re-established by the 1921 device.

The fix is to run "clear crypto sa peer <ip-addr>" manually.

This solves the problem immediately for some time. Sometimes for a week. Sometimes for a day. Yesterday I had to do it 4 times in 8 hours.

I have almost no experience with Cisco outside of attempts to solve this problem, so any help is appreciated.

Question 1. What is its problem? 

Question 2. What is the best way to make it run this command automatically? 

Question 3. What is a proper way to solve this? 

Thank you very much in advance!

Andrey

VIP Advocate

Re: Manually fixing a tunnel with "clear crypto sa peer <ip-address>"

Question 1. What is its problem? 

Cannot say for sure, but if it is fixed after a restart of the tunnel then it could be a bug. It could also mean that the tunnel on your side is up, but the other side has gone down for some reason (without notifying you). A restart from your side may be required to re-establish the tunnel in such a scenario.

Question 2. What is the best way to make it run this command automatically? 

Embedded Event Manager (EEM) is a good option to run commands at scheduled intervals.

https://community.cisco.com/t5/networking-documents/cisco-eem-basic-overview-and-sample-configurations/ta-p/3148479

If your hardware or software does not support it, then running a kron job from a management server serves the same purpose.

Question 3. What is a proper way to solve this? 

Run debugs and collect outputs and see what causes the tunnel to fail. Again, you may have to use EEM to trigger log collection when the tunnel fails. Debugs can be sent to a syslog server so that you don't miss a failure event.
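One way to do both the scheduled recovery and the failure-time collection the reply describes, as an added example (not configuration from the thread or from Cisco's documentation). The peer address 203.0.113.10, the probe host 10.0.0.5, the source address 192.168.1.1, the applet names and the flash file name are placeholders to replace with your own values:

```cisco
! Added example, not from the thread. All addresses below are placeholders:
! 203.0.113.10 = IPsec peer, 10.0.0.5 = a host reachable only through the
! tunnel, 192.168.1.1 = local LAN interface used as the ping source.
! If AAA is enabled, EEM needs a user for its CLI actions:
!   event manager session cli username <admin-user>
!
! Applet 1: every 5 minutes, probe a host behind the tunnel. The SA is
! cleared only when the probe fails, so a healthy tunnel is never torn down,
! while a stale SA (up locally, gone on the peer) gets recycled without a
! human typing "clear crypto sa peer".
event manager applet IPSEC-WATCHDOG
 event timer watchdog time 300
 action 1.0 cli command "enable"
 action 1.1 cli command "ping 10.0.0.5 source 192.168.1.1 repeat 5 timeout 1"
 action 1.2 regexp "Success rate is 0 percent" "$_cli_result"
 action 1.3 if $_regexp_result eq 1
 action 1.4  syslog msg "IPSEC-WATCHDOG: 10.0.0.5 unreachable via peer 203.0.113.10, clearing SA"
 action 1.5  cli command "clear crypto sa peer 203.0.113.10"
 action 1.6 end
!
! Applet 2: save state the moment IOS logs the tunnel going down, so the
! failure cause is preserved for Question 3 (and for the peer's admins).
! "crypto logging session" is what produces the CRYPTO-5-SESSION_STATUS
! message the applet triggers on.
crypto logging session
event manager applet IPSEC-DOWN-COLLECT
 event syslog pattern "CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN"
 action 1.0 cli command "enable"
 action 1.1 cli command "show clock | append flash:ipsec-fail.txt"
 action 1.2 cli command "show crypto isakmp sa | append flash:ipsec-fail.txt"
 action 1.3 cli command "show crypto ipsec sa peer 203.0.113.10 | append flash:ipsec-fail.txt"
 action 1.4 cli command "show logging | append flash:ipsec-fail.txt"
 action 1.5 syslog msg "IPSEC-DOWN-COLLECT: tunnel state appended to flash:ipsec-fail.txt"
```

The watchdog's own clear will also trigger the collector, which is useful: each automatic recovery leaves a timestamped record of what the SAs looked like just before it.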