09-12-2018 06:32 PM
We have multiple sites running 4G dynamic VPNs from 897 routers to an ASA 5525-X FW. Occasionally some sites get into a state where the tunnel fails, and when we do a "sh crypto ikev2 sa" you see multiple IN-NEG entries as below.
The only way we can fix this is to shut the cellular interface down for a few minutes; when it is brought back up, the tunnel re-establishes OK.
Is there a fix for this problem?
Tunnel-id Local Remote fvrf/ivrf Status
4 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
1 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
6 10.98.75.43/4500 xx.xx.xx.xx/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
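As an added monitoring check (not code from the post or from Cisco), the following Python parses the "show crypto ikev2 sa" output format quoted above and flags a peer when several SAs sit in IN-NEG with zero active time, which is the stuck condition that in this thread needed a manual cellular bounce. The sample output is constructed to mirror the post, with 203.0.113.10 standing in for the masked peer address.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the post's output: two SAs stuck in IN-NEG
# toward the same peer, plus one healthy READY SA for contrast.
SAMPLE_OUTPUT = """\
Tunnel-id Local Remote fvrf/ivrf Status
4 10.98.75.43/4500 203.0.113.10/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
3 10.98.75.43/4500 203.0.113.10/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: Unknown - 0
Life/Active Time: 86400/0 sec
Tunnel-id Local Remote fvrf/ivrf Status
2 10.98.75.43/4500 203.0.113.10/4500 none/none READY
Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:20, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/3210 sec
"""

# An SA row starts with a numeric tunnel id; the header row and Encr: row do not.
SA_LINE = re.compile(r"^(?P<tunnel>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<vrf>\S+)\s+(?P<status>\S+)$")
LIFE_LINE = re.compile(r"Life/Active Time:\s*(?P<life>\d+)/(?P<active>\d+)\s*sec")


def parse_ikev2_sa(output: str) -> List[Dict[str, object]]:
    """Return one dict per SA: tunnel id, local/remote endpoint, status, active seconds."""
    entries: List[Dict[str, object]] = []
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            entries.append({"tunnel": int(m["tunnel"]), "local": m["local"],
                            "remote": m["remote"], "status": m["status"], "active": None})
            continue
        m = LIFE_LINE.search(line)
        if m and entries:  # the Life/Active line belongs to the SA row just parsed
            entries[-1]["active"] = int(m["active"])
    return entries


def stuck_negotiations(entries: List[Dict[str, object]], min_in_neg: int = 2) -> Dict[str, int]:
    """Peers with at least min_in_neg SAs in IN-NEG that never became active (0 sec)."""
    counts: Dict[str, int] = {}
    for e in entries:
        if e["status"] == "IN-NEG" and e["active"] == 0:
            counts[str(e["remote"])] = counts.get(str(e["remote"]), 0) + 1
    return {peer: n for peer, n in counts.items() if n >= min_in_neg}
```

Fed the real command output on a schedule, a non-empty result from stuck_negotiations() is the condition on which to alert or trigger the recovery, instead of waiting for the site to be reported down.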
09-13-2018 02:35 AM
Yes, I have:
crypto ikev2 dpd 20 5 periodic
crypto ikev2 window 10
09-13-2018 03:02 PM
The DPD is global.
I have done an EEM script, as below, that tracks an SLA across the VPN, so if the track state goes down, the crypto map gets removed from the cellular interface, waits 4 minutes, then puts it back in. When I have done this manually it works; I am just waiting for the next occurrence to see if the script works OK.
event manager applet 4G-reset
event track 3 state down
action 001 cli command "enable"
action 002 cli command "config t"
action 003 cli command "interface cell 0"
action 004 cli command "no crypto map XXXX"
action 006 cli command "exit"
action 007 cli command "event manager applet track-timer"
action 008 cli command "event timer countdown time 240"
action 009 cli command "action 1.0 cli command enable"
action 010 cli command "action 2.0 cli command $q config t$q"
action 011 cli command "action 3.0 cli command $q int cell0$q"
action 012 cli command "action 4.0 cli command $q crypto map XXXX$q"
action 014 cli command "action 6.0 cli command $q no event manager applet track-timer$q"
action 015 cli command "action 7.0 cli command end"
action 016 cli command "end"