09-12-2018 06:32 PM
We have multiple sites running 4G dynamic VPNs from 897 routers to an ASA 5525-X FW. Occasionally some sites get into a state where the tunnel fails, and when we do a "sh crypto ikev2 sa" you see multiple IN-NEG messages as below.
The only way we can fix this is to shut the Cellular interface down for a few minutes; when it is brought back up the tunnel re-establishes OK.
Is there a fix for this problem?
Tunnel-id Local Remote fvrf/ivrf Status
4 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
6 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
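As an added example (not part of the original post): a small Python parser for the "sh crypto ikev2 sa" output above that flags peers with several SAs stuck in IN-NEG and never active, the check a monitoring job could run before deciding on a cellular reset. The sample output is constructed from the post, with the masked peer replaced by a documentation-range placeholder; the function names are my own.

```python
import re
from dataclasses import dataclass
# Constructed sample of 'show crypto ikev2 sa' output, modelled on the post; the peer
# address (masked as xx.xx.xx.xx in the original) is a documentation-range placeholder.
SAMPLE_OUTPUT = """\
Tunnel-id Local Remote fvrf/ivrf Status
4 10.98.75.43/4500 203.0.113.10/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 10.98.75.43/4500 203.0.113.10/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
7 10.98.75.43/4500 203.0.113.10/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/1234 sec
"""

# SA header row: "<id> <local>/<port> <remote>/<port> <fvrf>/<ivrf> <status>"
SA_LINE = re.compile(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+\S+/\S+\s+(\S+)$")
LIFE_LINE = re.compile(r"^Life/Active Time:\s*(\d+)/(\d+)\s*sec")

@dataclass
class Ikev2Sa:
    tunnel_id: int
    local: str
    remote: str
    status: str
    active_seconds: int = 0

def parse_ikev2_sa(text: str) -> list:
    """Parse the show output into one Ikev2Sa per tunnel; Encr/PRF lines are skipped."""
    sas, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SA_LINE.match(line):
            current = Ikev2Sa(int(m[1]), m[2], m[3], m[4])
            sas.append(current)
        elif (m := LIFE_LINE.match(line)) and current is not None:
            current.active_seconds = int(m[2])  # second number is the active time
    return sas

def stuck_peers(sas: list, min_count: int = 2) -> dict:
    """Peers with at least min_count SAs stuck in IN-NEG and never active (the post's symptom)."""
    by_peer: dict = {}
    for sa in sas:
        if sa.status == "IN-NEG" and sa.active_seconds == 0:
            by_peer.setdefault(sa.remote, []).append(sa.tunnel_id)
    return {peer: ids for peer, ids in by_peer.items() if len(ids) >= min_count}
```

A single IN-NEG entry is normal while a tunnel is being brought up, so the threshold matters: the post's symptom is several parallel half-open negotiations to the same peer.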
09-13-2018 01:13 AM
09-13-2018 02:35 AM
Yes, I have:
crypto ikev2 dpd 20 5 periodic
crypto ikev2 window 10
09-13-2018 04:17 AM
09-13-2018 03:02 PM
The DPD is global.
I have done an EEM script as below that tracks an SLA across the VPN, so if the track state goes down, the crypto map gets removed from the cellular interface, waits 4 minutes, then puts it back in. When I have done this manually it works; I am just waiting for the next occurrence to see if the script works OK.
!
! Fires when track 3 (the SLA across the VPN) goes down: pull the crypto map off the
! cellular interface, then build a second applet that re-applies it after 240 seconds.
event manager applet 4G-reset
event track 3 state down
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "interface cell 0"
action 004 cli command "no crypto map XXXX"
action 006 cli command "exit"
! $q expands to a double quote, so the nested applet receives properly quoted commands
action 007 cli command "event manager applet track-timer"
action 008 cli command "event timer countdown time 240"
action 009 cli command "action 1.0 cli command enable"
action 010 cli command "action 2.0 cli command $q config t$q"
action 011 cli command "action 3.0 cli command $q int cell0$q"
action 012 cli command "action 4.0 cli command $q crypto map XXXX$q"
! the one-shot timer applet removes itself after restoring the map
action 014 cli command "action 6.0 cli command $q no event manager applet track-timer$q"
action 015 cli command "action 7.0 cli command end"
action 016 cli command "end"