
Cisco and HP router IPsec issue

Hello,

We have a Cisco and an HP router forming an IPsec tunnel. We can see traffic flowing, but it happens that traffic gets stuck in IPsec, although ISAKMP and the tunnel are UP.

I have attached my configuration from the Cisco and HP sides, and I will also post errors below from debug on the Cisco side:

 

------------------------------------------------------------

When IPsec gets stuck, I can see some logs on the Cisco side; I have attached them as well.

 

To fix the issue I have to run clear commands each time:

 

clear crypto isakmp   
 
clear crypto session 
 
-------------
 
Does anyone have any idea?
 
Thank you.

 

 

 

5 Replies

@Kamran Mustafayev the HP router has an SA lifetime duration of 3600 seconds configured, but the Cisco router does not. Mismatched lifetime timers result in the VPN ceasing to function when one site's lifetime expires. Align the timers on both sides; example Cisco commands:

crypto isakmp policy 10
 lifetime <value>
!
crypto map IPsec_MAP 10 ipsec-isakmp
 set security-association lifetime seconds {seconds}
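
Added example, not part of the thread or of either poster's configuration: a small Python check that reads a Cisco IOS config, fills in the IOS default lifetimes (86400 s for an ISAKMP policy, 3600 s for IPsec SAs) where none is configured, and reports entries that differ from the peer's values. The sample config is constructed, and applying the HP side's 3600 seconds to both phases is an assumption.

```python
import re

# Cisco IOS defaults used when no lifetime is configured (seconds).
IOS_DEFAULTS = {"isakmp": 86400, "ipsec": 3600}
# Constructed sample config; only the name IPsec_MAP comes from the thread.
SAMPLE_IOS = """\
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
!
crypto map IPsec_MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 match address 100
"""

def effective_lifetimes(config):
    """Return {(kind, name): seconds} per ISAKMP policy and crypto map entry."""
    result, current = {}, None
    # A global IPsec lifetime replaces the built-in default for every crypto map.
    g = re.search(r"^crypto ipsec security-association lifetime seconds (\d+)",
                  config, re.M)
    ipsec_default = int(g.group(1)) if g else IOS_DEFAULTS["ipsec"]
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        n = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            current = ("isakmp", m.group(1))
            result[current] = IOS_DEFAULTS["isakmp"]
        elif n:
            current = ("ipsec", f"{n.group(1)} {n.group(2)}")
            result[current] = ipsec_default
        elif not line.startswith(" "):
            current = None  # left the indented sub-mode block
        elif current:
            pat = (r"\s+lifetime (\d+)" if current[0] == "isakmp"
                   else r"\s+set security-association lifetime seconds (\d+)")
            hit = re.match(pat, line)
            if hit:
                result[current] = int(hit.group(1))
    return result

def mismatches(config, peer):
    """peer: {'isakmp': s, 'ipsec': s} as configured on the other router."""
    return {k: (v, peer[k[0]]) for k, v in effective_lifetimes(config).items()
            if v != peer[k[0]]}

if __name__ == "__main__":
    peer = {"isakmp": 3600, "ipsec": 3600}  # assumption: 3600 s on both phases
    for (kind, name), (ours, theirs) in mismatches(SAMPLE_IOS, peer).items():
        print(f"{kind} {name}: local {ours}s, peer {theirs}s")
```
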

 

Will try that out and will update you soon

local: 10.2.47.0/24, remote: 0.0.0.0/0,

Why is remote 0.0.0.0/0?

Check if HP uses policy-based or route-based VPN

MHM

I think it’s because of the ACLs that are attached to the crypto maps; they are “any” to “destination” and “destination” to “any” on the other side

Can I see 

Show crypto isakmp sa

Show crypto ipsec sa

MHM