Manually fixing a tunnel with "clear crypto sa peer <ip-address>"

kowaraj
Level 1

Dear community,

Our CISCO1921 establishes an IPsec tunnel with a peer at some other network, with a server that we have to be connected to 24/7. It had been working for years until they made an upgrade of their peer a few months ago. Since then we experience a regularly occurring problem: the tunnel breaks and cannot be re-established by the 1921 device.

The fix is to run "clear crypto sa peer <ip-addr>" manually.

This solves the problem immediately for some time. Sometimes for a week. Sometimes for a day. Yesterday I had to do it 4 times in 8 hours.

I have almost no experience with Cisco outside of attempts to solve this problem, so any help is appreciated.

Question 1. What is its problem?

Question 2. What is the best way to make it run this command automatically?

Question 3. What is a proper way to solve this?

Thank you very much in advance!

Andrey

2 Replies

Rahul Govindan
VIP Alumni

Question 1. What is its problem?

Cannot say for sure, but if it is fixed after a restart of the tunnel then it could be a bug. It could also mean that the tunnel on your side is up, but the other side has gone down for some reason (without notifying you). A restart from your side may be required to re-establish the tunnel in such a scenario.

Question 2. What is the best way to make it run this command automatically?

Embedded Event Manager (EEM) is a good option to run commands at scheduled intervals.

https://community.cisco.com/t5/networking-documents/cisco-eem-basic-overview-and-sample-configurations/ta-p/3148479

If your hardware or software does not support it, then running a kron job from a management server serves the same purpose.

Question 3. What is a proper way to solve this?

Run debugs and collect outputs and see what causes the tunnel to fail. Again, you may have to use EEM to trigger log collection when the tunnel fails. Debugs can be sent to a syslog server so that you don't miss a failure event.
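An added example (not from this thread or from the reply's author) of the two EEM pieces the reply describes on a 1921: a cron-driven applet that issues the clear command for one peer, and a syslog-driven applet that saves the crypto state the moment the tunnel-down message is logged. The peer address 203.0.113.10, the hourly schedule, the EEM username and an already configured syslog server are assumptions.

```cisco
! Assumption: the remote crypto peer is 203.0.113.10 (documentation address, placeholder).
! Assumption: the router already sends logs to a syslog server and has "logging buffered".
! Local user the EEM CLI session logs in as (required when AAA is enabled).
event manager session cli username eem-admin

! 1) Scheduled restart: clear the IPsec SAs for the peer at the top of every hour.
!    Interesting traffic then re-triggers negotiation. Blunt, but bounded to one peer.
event manager applet CLEAR_IPSEC_PEER
 event timer cron name CLEAR_SA cron-entry "0 * * * *"
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto sa peer 203.0.113.10"
 action 3.0 syslog msg "EEM: cleared crypto SAs to peer 203.0.113.10 (scheduled)"

! 2) Evidence capture: "crypto logging session" makes IOS log CRYPTO-5-SESSION_STATUS
!    when a tunnel goes up or down. On DOWN, append the SA tables to a file in flash so
!    the state at failure time survives until someone looks at it.
crypto logging session
event manager applet IPSEC_DOWN_COLLECT
 event syslog pattern "CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN"
 action 1.0 cli command "enable"
 action 2.0 cli command "show clock | append flash:ipsec-down.txt"
 action 3.0 cli command "show crypto isakmp sa | append flash:ipsec-down.txt"
 action 4.0 cli command "show crypto ipsec sa peer 203.0.113.10 | append flash:ipsec-down.txt"
 action 5.0 syslog msg "EEM: tunnel to 203.0.113.10 down, crypto state appended to flash:ipsec-down.txt"
```

Confirm both applets registered with "show event manager policy registered", and watch for the "EEM:" syslog lines to see how often the scheduled clear actually coincides with a recorded DOWN event.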

cosimo.boccuti1
Level 1
Hi, have you found the solution? We have a Cisco 891 with only one VPN configured, vs. a Cisco ASA. This VPN worked for years... A few months ago, because of an update on the ASA, the VPN started going down... sometimes every day, sometimes every week, sometimes every 3-4 hours. To be honest the VPN remains up; only some security associations go down, and the only way to get them back up is to give the command "CLEAR CRYPTO SA". Seems the same problem as yours. BR Cosimo