cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1543
Views
0
Helpful
8
Replies

Crypto IPSEC tunnel issue

chinmay.talati
Level 1
Level 1

We have one of the spoke sites which is having a VPN connection to the Hub Site. It has Crypto IPSEC tunnel configured. The problem is when the internet connection goes down from ISP side, and when it come up the IPSEC tunnel is not able to re-initiate automatically. We need to reboot router and modem (Provided by ISP). Then only it starts initiating session with remote peer.We have DSL connection provided by ISP. It goes down frequently and after coming UP the VPN connection is not getting recover. Is this issue related to any H/W model or IOS?

8 Replies 8

Farrukh Haroon
VIP Alumni
VIP Alumni

You could try to enable 'crypto isakmp keepalives' and see if they help.

Regards

Farrukh

Thanks Farrukh for reply. We have already configured crypto isakmp keepalives 10. But it didnt solve our problem

You could try configuring the Invalid SPI recovery feature, maybe it can solve your issue.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

Regards

Farrukh

Thanks Farukh for your suggestion. I have enabled the Invalid spi recovery feature in on the crypto map but no luck. Any other suggestions please?

Do you properly get the IP address on your dailer interface after the ISP connection comes back? Have you enabled SPI recovery and keepalives on both tunnel end-points?

Regards

Farrukh

When internet gets diconnected the IPSec SA status gets change to MM_NO_STATES. It should change to QM_IDLE or active automatically when the internet recovered. But it is not getting changed. We need to reboot router and then only it gets connected I have configured keep alives on both the site. I will enable SPI recovery on the hub site also and check and let you know. Thanks for reply

Also if possible try to upgrade the IOS to the latest version in that major release. What IOS are you running by the way? (On both sides)

Regards

Farrukh

We are using 12.3 T8 version on the both side.

Regards,

Chinmay