07-21-2019 06:40 AM
Dear community,
Our CISCO1921 establishes an IPSec tunnel with a peer at some other network with a server that we have to be connected to 24/7. It has been working for years until they made an upgrade of their peer a few months ago. Since then we experience a regularly occurring problem. The tunnel breaks and cannot be re-established by the 1921 device.
The fix is to run "clear crypto sa peer <ip-addr>" manually.
This solved the problem immediately for some time. Sometimes for a week. Sometimes for a day. Yesterday I had to do it 4 times in 8 hours.
I have almost no experience with Cisco outside of attempts to solve this problem, so any help is appreciated.
Question 1. What is its problem?
Question 2. What is the best way to make it run this command automatically?
Question 3. What is a proper way to solve this?
Thank you very much in advance!
Andrey
07-23-2019 06:52 AM
Question 1. What is its problem?
Cannot say for sure, but if it fixes after a restart of the tunnel then it could be a bug. It could also mean that the tunnel on your side is up, but the other side has gone down for some reason (without notifying you). A restart from your side may be required to re-establish the tunnel in such a scenario.
Question 2. What is the best way to make it run this command automatically?
Embedded Event Manager (EEM) is a good option to run commands at scheduled intervals.
If your hardware or software does not support it, then running a kron job from a management server serves the same purpose.
Question 3. What is a proper way to solve this?
Run debugs and collect outputs and see what causes the tunnel to fail. Again, you may have to use EEM to trigger log collection when the tunnel fails. Debugs can be sent to a syslog server so that you don't miss a failure event.
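One way to implement the EEM suggestion from the reply above, as an added example that is not part of the original thread: instead of a fixed timer, an IP SLA probe through the tunnel triggers an applet that saves the crypto state and then runs the clear command. The peer address 192.0.2.1, probe target 198.51.100.10, interface name, object numbers, applet name and file name are constructed placeholders, and appending to flash assumes the router's flash filesystem supports it.

```cisco
! Added example; addresses, interface and IDs are constructed placeholders.
! Probe a host behind the peer through the tunnel every 30 s.
! The probe's source and destination must match the crypto ACL,
! otherwise the probe does not test the tunnel at all.
ip sla 10
 icmp-echo 198.51.100.10 source-interface GigabitEthernet0/1
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Declare the path down only after 90 s of failed probes, so a single
! lost ping or a normal rekey does not trigger a clear.
track 10 ip sla 10 reachability
 delay down 90 up 30
!
! On failure: log it, save the SA state for later diagnosis, then clear
! the SAs for the peer (the manual fix from the original post).
event manager applet IPSEC-TUNNEL-RECOVER
 event track 10 state down
 action 1.0 syslog msg "IPsec probe to 198.51.100.10 failed, collecting state"
 action 2.0 cli command "enable"
 action 3.0 cli command "show crypto isakmp sa | append flash:ipsec-fail.txt"
 action 4.0 cli command "show crypto ipsec sa peer 192.0.2.1 | append flash:ipsec-fail.txt"
 action 5.0 cli command "clear crypto sa peer 192.0.2.1"
 action 6.0 syslog msg "Cleared crypto SA for peer 192.0.2.1"
```

If AAA command authorization is enabled on the router, the applet also needs an authorized user set with `event manager session cli username`.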
09-18-2019 04:34 AM