crypto isakmp invalid-spi-recovery

Ruterford
Level 1

Hi All,

I have an ISR with live lan2lan VPN tunnels and traffic on it.

The first question is whether "crypto isakmp invalid-spi-recovery" can be enabled on the chassis with no harm to the live VPN tunnels.

The second question is, if "crypto isakmp invalid-spi-recovery" is enabled only at one end of the VPN tunnel, will it somehow prevent the VPN tunnel from forming SAs? (I do not have access to the remote VPN endpoints, and some of them actually run non-IOS appliances like ASA.)

Thanks!

2 Replies

Marcin Latosiewicz
Cisco Employee

The command you're listing is a recovery mechanism in case the two sides of the tunnel get unsynchronized.

It will send a delete to the remote (static) peer if we detect that said peer is sending us packets with SPIs we do not have.

This should cause another round of negotiations to form new SAs.
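As an added illustration (not the poster's or Cisco's code), the following Python model walks through the desynchronisation described above: peer A loses its SA state, peer B keeps sending ESP with the old SPI, and A's invalid-SPI recovery sends a delete that makes B renegotiate instead of black-holing traffic. The remote side's handling of the delete notify is modelled as standard IKE behaviour and is an assumption; the SPI values are constructed.

```python
# Constructed model (not Cisco code) of two IPsec peers losing SA sync:
# peer A drops its SA state (e.g. a reload) while peer B keeps sending ESP
# with the old SPI. With recovery on, A answers with an IKE delete so B
# tears down the stale SA and renegotiates instead of black-holing traffic.
import itertools
from dataclasses import dataclass, field
from typing import List, Optional, Set

_spi_counter = itertools.count(0x1000)   # constructed SPI values

@dataclass
class Peer:
    name: str
    invalid_spi_recovery: bool = False
    inbound_spis: Set[int] = field(default_factory=set)  # SPIs we can decrypt
    outbound_spi: Optional[int] = None                   # SPI we send with

    def receive_esp(self, sender: "Peer", spi: int) -> str:
        """Decapsulate one ESP packet and react to an unknown SPI."""
        if spi in self.inbound_spis:
            return "decrypted"
        if not self.invalid_spi_recovery:
            return "dropped"          # silent black hole until B's SA expires
        sender.receive_delete(spi)    # IKE delete notify for the stale SA
        return "delete-sent"

    def receive_delete(self, spi: int) -> None:
        """Assumed standard IKE handling: drop the SA and renegotiate."""
        if self.outbound_spi == spi:
            self.outbound_spi = None

def negotiate(a: Peer, b: Peer) -> None:
    """Model a successful phase 2 negotiation: fresh SPIs in both directions."""
    a_in, b_in = next(_spi_counter), next(_spi_counter)
    a.inbound_spis.add(a_in)
    b.outbound_spi = a_in
    b.inbound_spis.add(b_in)
    a.outbound_spi = b_in

def simulate(recovery_on_a: bool) -> List[str]:
    """Fate of B's next two packets after A loses its SA state."""
    a, b = Peer("A", invalid_spi_recovery=recovery_on_a), Peer("B")
    negotiate(a, b)
    a.inbound_spis.clear()                # A reloaded: inbound SAs gone
    first = a.receive_esp(b, b.outbound_spi)
    if b.outbound_spi is None:            # B honoured the delete
        negotiate(a, b)
    second = a.receive_esp(b, b.outbound_spi)
    return [first, second]
```

Only the side that receives the unknown SPIs needs the recovery option in this model; the other side merely processes a delete notify.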

Marcin,

Thanks for the explanation.

But actually my first question is:

1. Can I issue this command in the live environment, where I have multiple live L2L VPN tunnels? Will it kill the live VPN tunnels or make them renegotiate?

My second question is:

2. If I enable it on my end, and the other end either does not support it or does not have it in the configuration of their firewall or router, will it prevent establishing VPN tunnels? I.e. can this command be used on one end only?