Adding new peer without removing cmap from interface.

nellson
Level 1

I have a frustrating issue with a dynamic VPN head end running IOS 15.2 on 2900's. I have existing keyrings, and isakmp profiles (both main and aggressive) running. When I add in a new peer, by adding in a keyring pre-shared statement and a match identity in the isakmp profile, phase 1 builds but phase 2 only gets right to the end and the Cisco side resets the connection because it did not get back a response to its Phase 2 proposal.

I have tried a number of soft clear commands to remedy this (I do have 16 other production tunnels I do not want to take down) to no avail. This is very consistent. We had this happen last week in the same manner, and the TAC finally said I must reboot the system. So I removed the cmap from the interface, and reapplied it (using notepad to do it all at once). All the tunnels dropped, and after a few manual restarts on the far end for those tunnels that are temperamental, all tunnels came back up, including my new add.

I have a pair of 3900's running 15.1 code in the US that terminate the same tunnels, and I can add and remove PEERS all day long without resetting anything. Has anyone encountered this before? Could there be a more polite way of resetting whatever it is that removing the CMAP does to allow my new peer to get the full treatment here?

(I am not asking for VPN peer config help, as I know this tunnel template I am using works, but if you want to see it)

Nick

crypto pki token default removal timeout 0
crypto keyring Site-to-Site
  pre-shared-key address a.a.a.a key lkdshjfhjkdsfkjfsjkddedswdes
  pre-shared-key address b.b.b.b key lkdshjfhjkdsfkjfsjkddedswdes
  pre-shared-key address c.c.c.c key lkdshjfhjkdsfkjfsjkddedswdes
  pre-shared-key address d.d.d.d key lkdshjfhjkdsfkjfsjkddedswdes <- old sonicwall VPN KEY
  pre-shared-key hostname BOB key lkdshjfhjkdsfkjfsjkddedswdes
  pre-shared-key hostname BILL key lkdshjfhjkdsfkjfsjkddedswdes
  pre-shared-key hostname JILL key lkdshjfhjkdsfkjfsjkddedswdes
crypto keyring Site-to-Site_PAN
  description Keyring used for AES256 Palo Alto config, using IP's
  pre-shared-key address e.e.e.e key uiopadsbfjkahfga;lkdj
  pre-shared-key address f.f.f.f key uiopadsbfjkahfga;lkdj
  pre-shared-key address d.d.d.d key uiopadsbfjkahfga;lkdj <- my new add for Palo
crypto isakmp policy 5
 encr aes 256
 hash sha256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp policy 30
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 3 periodic
crypto isakmp nat keepalive 20
crypto isakmp profile Site-to-Site-Main
   keyring Site-to-Site
   self-identity user-fqdn ASIA
   match identity address a.a.a.a 255.255.255.255
   match identity address b.b.b.b 255.255.255.255
   match identity address c.c.c.c 255.255.255.255
   (Removed SonicWall peer match for d.d.d.d)
   keepalive 60 retry 3
crypto isakmp profile Site-to-Site-Aggressive
   keyring Site-to-Site
   self-identity user-fqdn ASIA
   match identity user-fqdn BOB
   match identity user-fqdn BILL
   match identity user-fqdn JILL
   keepalive 60 retry 3
   initiate mode aggressive
crypto isakmp profile Site-to-Site-Aggressive_PAN
   keyring Site-to-Site_PAN
   self-identity address
   match identity address e.e.e.e 255.255.255.255
   match identity address f.f.f.f 255.255.255.255
   match identity address d.d.d.d 255.255.255.255 <- My new add
   keepalive 10 retry 3
   initiate mode aggressive
crypto ipsec transform-set CSC-TS1 esp-3des esp-sha-hmac
crypto ipsec transform-set CSC-TS2 esp-aes 256 esp-sha-hmac
crypto ipsec transform-set CSC-TS3 esp-des esp-md5-hmac
crypto ipsec transform-set CSC-TS4 esp-aes esp-sha-hmac
crypto ipsec transform-set CSC-TS5 esp-aes 256 esp-sha256-hmac
crypto dynamic-map CSC-DMAP 5
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set CSC-TS5
 set reverse-route distance 240
 set reverse-route tag 240
 set isakmp-profile Site-to-Site-Aggressive_PAN
 reverse-route
crypto dynamic-map CSC-DMAP 10
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set CSC-TS1 CSC-TS2 CSC-TS3 CSC-TS4
 set reverse-route distance 240
 set reverse-route tag 240
 set isakmp-profile Site-to-Site-Aggressive
 reverse-route
crypto dynamic-map CSC-DMAP 20
 set security-association lifetime kilobytes disable
 set security-association lifetime seconds 28800
 set transform-set CSC-TS1 CSC-TS2 CSC-TS3 CSC-TS4
 set reverse-route distance 240
 set reverse-route tag 240
 set isakmp-profile Site-to-Site-Main
 reverse-route
crypto map CSC-CMAP 20 ipsec-isakmp dynamic CSC-DMAP
interface G0/0
 crypto map CSC-CMAP redundancy dmzvpn <-- I just negate this and re-add and new peers start working.
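Added example, not part of the original post and not Cisco tooling: a pre-change consistency check over the keyring and ISAKMP profile sections of a saved running-config, which lists peers that hold a pre-shared key in a keyring no profile matches them against, profile matches with no key in that profile's keyring, and peers keyed in more than one keyring. It compares identity strings literally, the finding names are made up for this sketch, and it does not diagnose the Phase 2 behaviour described above.

```python
from collections import defaultdict

# Constructed sample, trimmed from the config posted above; keys shown as <PSK>.
SAMPLE = """\
crypto keyring Site-to-Site
  pre-shared-key address c.c.c.c key <PSK>
  pre-shared-key address d.d.d.d key <PSK>
crypto keyring Site-to-Site_PAN
  pre-shared-key address e.e.e.e key <PSK>
  pre-shared-key address d.d.d.d key <PSK>
crypto isakmp profile Site-to-Site-Main
   keyring Site-to-Site
   match identity address c.c.c.c 255.255.255.255
crypto isakmp profile Site-to-Site-Aggressive_PAN
   keyring Site-to-Site_PAN
   match identity address e.e.e.e 255.255.255.255
   match identity address d.d.d.d 255.255.255.255
"""

def audit(config):
    """Return sorted (finding, peer, keyring(s)) tuples for a running-config."""
    keys = defaultdict(set)     # keyring -> peer ids holding a pre-shared key
    matched = defaultdict(set)  # keyring -> ids matched by profiles using it
    section = ring = None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line[0].isspace():            # top-level command: new section
            section = ring = None
            if w[:2] == ["crypto", "keyring"]:
                section, ring = "keyring", w[2]
            elif w[:3] == ["crypto", "isakmp", "profile"]:
                section = "profile"
        elif section == "keyring" and w[0] == "pre-shared-key" and len(w) > 2:
            keys[ring].add(w[2])
        elif section == "profile" and w[0] == "keyring" and len(w) > 1:
            ring = w[1]                      # keyring line precedes the matches
        elif section == "profile" and w[:2] == ["match", "identity"] and ring:
            matched[ring].add(w[3])
    out = []
    for r in set(keys) | set(matched):
        out += [("key-without-match", p, r) for p in keys[r] - matched[r]]
        out += [("match-without-key", p, r) for p in matched[r] - keys[r]]
    for p in {p for ids in keys.values() for p in ids}:
        rings = sorted(r for r in keys if p in keys[r])
        if len(rings) > 1:
            out.append(("multiple-keyrings", p, ",".join(rings)))
    return sorted(out)
```

On the constructed sample, `audit(SAMPLE)` reports d.d.d.d twice: once for the key left in `Site-to-Site` with no matching profile entry, and once for being keyed in both keyrings.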

1 Reply 1

nellson
Level 1

This is where the connection sits...

show crypto session detail

Interface: GigabitEthernet0/0
Profile: Site-to-Site-Aggressive_PAN
Session status: UP-IDLE
Peer: d.d.d.d port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: d.d.d.d
      Desc: (none)
  IKEv1 SA: local 192.168.221.2/4500 remote d.d.d.d/4500 Active
          Capabilities:DN connid:1473 lifetime:07:31:02