03-15-2012 09:59 AM
Hi All,
I have an ISR with live lan2lan VPN tunnels and traffic on it.
The first question is if "crypto isakmp invalid-spi-recovery" can be enabled on the chassis with no harm to the live VPN tunnels.
The second question is if "crypto isakmp invalid-spi-recovery" is enabled only at one end of the VPN tunnel, will it somehow prevent the VPN tunnel from forming SAs? (I do not have access to the remote VPN endpoints and some of them actually run non-IOS appliances like ASA).
Thanks!
03-16-2012 05:14 AM
The command you're listing is a recovery mechanism in case the two sides of the tunnel get unsynchronized.
It will send a delete to remote (static) peer if we detect that said peer is sending us packets with SPIs we do not have.
This should cause another round of negotiations to form new SAs.
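As an added illustration of the mechanism described in the reply above (example code written for this page, not Cisco's IOS or ASA implementation; the peer names "ISR" and "ASA", the SPI values, and the `static_peers` set are constructed), here is a small Python model of two IPsec peers whose SA state drifts apart: one side loses its SAs, the other keeps sending ESP with the old SPI. With `invalid_spi_recovery` on the receiving side, the unknown SPI triggers a delete toward the static peer, which then has no SA and negotiates a fresh pair; without it, the packets are simply dropped until something else (DPD, SA lifetime) intervenes. The model also shows that in this picture only the side that receives the unknown SPI needs the feature; that is a consequence of how the reply describes the mechanism, not a statement about IOS/ASA interoperability.

```python
"""Toy model of IPsec SA desynchronization and invalid-SPI recovery.

Added example for this thread; not Cisco code. All names and SPI values
are constructed for illustration.
"""
from dataclasses import dataclass, field
import itertools

_spi_counter = itertools.count(0x1000)  # constructed SPI allocator


@dataclass
class Peer:
    name: str
    invalid_spi_recovery: bool            # models "crypto isakmp invalid-spi-recovery"
    static_peers: set = field(default_factory=set)  # peers we would send a DELETE to
    inbound: dict = field(default_factory=dict)     # spi -> sender name
    outbound: dict = field(default_factory=dict)    # receiver name -> spi
    negotiations: int = 0
    log: list = field(default_factory=list)


def negotiate(a: Peer, b: Peer) -> None:
    """Both peers form a fresh SA pair (one inbound SPI on each side)."""
    spi_ab = next(_spi_counter)  # traffic a -> b, looked up in b.inbound
    spi_ba = next(_spi_counter)  # traffic b -> a, looked up in a.inbound
    a.outbound[b.name], b.inbound[spi_ab] = spi_ab, a.name
    b.outbound[a.name], a.inbound[spi_ba] = spi_ba, b.name
    a.negotiations += 1
    b.negotiations += 1


def clear_sas(p: Peer) -> None:
    """Simulate a reload or 'clear crypto sa' on one side only."""
    p.inbound.clear()
    p.outbound.clear()


def handle_delete(p: Peer, from_peer: Peer, spi: int) -> None:
    """Peer p receives a DELETE for the SA it uses toward from_peer."""
    if p.outbound.get(from_peer.name) == spi:
        del p.outbound[from_peer.name]
        p.log.append(f"{p.name}: removed SA spi={spi:#x} toward {from_peer.name}")


def receive_esp(rx: Peer, tx: Peer, spi: int) -> str:
    """Inbound ESP handling; the unknown-SPI branch is the point of the model."""
    if spi in rx.inbound:
        return "delivered"
    # Unknown SPI: the packet is dropped either way. With recovery enabled and
    # a static peer, rx additionally tells tx to delete that SA.
    if rx.invalid_spi_recovery and tx.name in rx.static_peers:
        rx.log.append(f"{rx.name}: invalid SPI {spi:#x} from {tx.name}, sending DELETE")
        handle_delete(tx, rx, spi)
        return "dropped+delete"
    return "dropped"


def send_esp(src: Peer, dst: Peer) -> str:
    spi = src.outbound.get(dst.name)
    if spi is None:
        return "no-sa"
    return receive_esp(dst, src, spi)


def scenario(recovery_on_local: bool, recovery_on_remote: bool):
    """Local side loses state; remote keeps using the old SPI.

    Returns (first delivery result, result after remote reacts, local negotiation count).
    """
    local = Peer("ISR", recovery_on_local, static_peers={"ASA"})
    remote = Peer("ASA", recovery_on_remote, static_peers={"ISR"})
    negotiate(local, remote)
    clear_sas(local)                      # desync: only the local side forgot its SAs
    first = send_esp(remote, local)       # remote still sends with the stale SPI
    if remote.outbound.get(local.name) is None:
        negotiate(remote, local)          # remote has no SA now, so it re-initiates
    second = send_esp(remote, local)
    return first, second, local.negotiations


if __name__ == "__main__":
    for flags in [(True, False), (False, False), (False, True)]:
        print(f"local_recovery={flags[0]} remote_recovery={flags[1]}: {scenario(*flags)}")
```

Running it prints three cases: with recovery on the side that lost its state, the stale packet is dropped, a delete goes out, and the peer renegotiates (two negotiations total); with recovery off on that side, the peer keeps sending into a black hole no matter what the remote end has configured.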
03-16-2012 08:05 AM
Marcin,
Thanks for the explanation.
But actually my first question is:
1. If I can issue this command in a live environment, where I have multiple live L2L VPN tunnels. Will it kill the live VPN tunnels or make them renegotiate?
My second question is:
2. If I enable it on my end, and the other end either does not support it or does not have it on the configuration of their firewall or router, will it prevent establishing VPN tunnels? I.e. can this command be used on one end only?