Crypto session needs to be cleared every time the ISP's links and uplink routes flap

mhrznamn (Level 1)

I am facing an issue with crypto sessions on my 4331 ISR router.

Whenever the ISP internet routes flap, I need to clear the crypto session to make interesting traffic flow.

However, some of the remote private subnets are reachable at the same time and some are causing issues.

show crypto isakmp sa shows new as well as old sessions at the time of the issue, and show crypto session shows a fine result.

Old ISAKMP SA sessions are not deleted until the clear command is used.

show crypto session:

Interface: GigabitEthernet0/0/0 GigabitEthernet0/0/1
Session status: UP-NO-IKE
Peer: 206.XXX.XXX.XXX port 4500
  IPSEC FLOW: permit ip 172.27.168.0/255.255.252.0 10.165.165.0/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip 172.27.168.0/255.255.252.0 10.48.0.0/255.248.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.27.168.0/255.255.252.0 10.56.0.0/255.248.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.27.168.0/255.255.252.0 10.88.0.0/255.248.0.0
        Active SAs: 2, origin: crypto map
  IPSEC FLOW: permit ip 172.27.168.0/255.255.252.0 10.65.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

4 Replies

Hi,

Do you have DPD (dead peer detection) configured?

Do you control both ends of the tunnel?

Could you share your configuration please?

No, I haven't configured DPD.

And I have control of only my end.

What is DPD?

Can you share your topology for a better understanding?

When the ISP routes come back, what are you seeing in a traceroute?

We have BGP peering with two ISPs (ISP A and ISP B). Both ISPs are connected to the same border router on different interfaces. Both ISPs are directly connected.

We are receiving default routes from both ISPs. We have advertised our IP prefix to both ISPs (103.XX.XX.XX/24). We have configured a route-map and applied it to the BGP neighbor to make ISP A primary.

 

interface GigabitEthernet0/0/0
 description ISP A
 ip address xxx.xxx.xxx
!
interface GigabitEthernet0/0/1
 description ISP B
 ip address xxx.xxx.xxx
!
route-map ISPB-in permit 10
 set local-preference 80
!
route-map ISPB-out permit 10
 set as-path prepend 132407 132407 132407 132407

 

The above route-maps are applied to the BGP neighbor for ISP B, to make ISP B secondary.

 

Our HQ is at a remote location and we run an IPsec VPN to our HQ.

 

VPN Configuration:

 

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 206.xxx.xxx.xxx
crypto isakmp key xxxxxxx address 192.3xx.xxx.xxx
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN_MAP local-address Loopback1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 206.xxx.xxx.xxx
 set transform-set test
 match address INTERESTING_VPN
crypto map VPN_MAP 20 ipsec-isakmp
 set peer 192.3xx.xxx.xxx
 set transform-set test
 match address INTERESTING_VPN_2

..............................

 

! Loopback1 is the IP used for the VPN (source IP for the VPN)
interface Loopback1
 description IP for VPN
 ip address 103.xxx.xxx.xxx 255.255.255.128
 ip nat outside
!
interface GigabitEthernet0/0/0
 description ISP A
 ip address xxx.xxx.xxx
 ip nat outside
 crypto map VPN_MAP
!
interface GigabitEthernet0/0/1
 description ISP B
 ip address xxx.xxx.xxx
 ip nat outside
 crypto map VPN_MAP

 

interface Vlan10
 ip address 103.xxx.xxx.xxx 255.255.255.128
!
interface Vlan130
 ip address 10.10.10.1 255.255.255.252
 ip nat inside
!
ip nat inside source list NAT_EXCLUDE interface Vlan10 overload
!
ip access-list extended INTERESTING_VPN
 permit ip 172.27.168.0 0.0.3.255 10.48.0.0 0.7.255.255
!
ip access-list extended INTERESTING_VPN_2
 permit ip 172.27.168.0 0.0.3.255 172.23.0.0 0.0.255.255
!
ip access-list extended NAT_EXCLUDE
 deny   ip 172.27.168.0 0.0.3.255 10.48.0.0 0.7.255.255
 deny   ip 172.27.168.0 0.0.3.255 172.23.0.0 0.0.255.255
 permit ip 172.27.168.0 0.0.3.255 any
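The first reply asks about DPD (dead peer detection), which the posted configuration does not enable. As an added example, not the poster's configuration and not a confirmed fix for this thread, the fragment below shows how DPD and invalid-SPI recovery are enabled on an IOS crypto-map VPN so that an ISAKMP SA left behind after a route flap is detected and torn down by the router itself rather than by a manual clear crypto session. The peer address and pre-shared key are placeholders; the crypto map name and loopback match the thread's configuration only for readability.

```cisco
! Added example: stale-SA handling for a crypto-map IPsec VPN (IOS).
! Placeholder peer 203.0.113.1 and key PLACEHOLDER_PSK are assumptions.
!
! Periodic DPD: send an R-U-THERE every 10 seconds; if a reply is missing,
! retry at 3-second intervals and delete the ISAKMP SA (and its IPsec SAs)
! when the retries go unanswered. "periodic" probes even when no traffic
! is flowing, which is what detects an SA orphaned by an uplink flap.
crypto isakmp keepalive 10 3 periodic
!
! If the peer still has an SA we no longer know about, it will send ESP
! with an SPI we cannot match. With invalid-spi-recovery the router answers
! by initiating IKE to that peer instead of silently dropping the traffic.
crypto isakmp invalid-spi-recovery
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER_PSK address 203.0.113.1
!
crypto ipsec transform-set test esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Sourcing IKE/IPsec from the loopback keeps the local peer address stable
! regardless of which ISP interface currently carries the default route.
crypto map VPN_MAP local-address Loopback1
crypto map VPN_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set test
 match address INTERESTING_VPN
!
! Verification after a flap: each peer should show a single ISAKMP SA,
! and "show crypto session detail" should no longer report UP-NO-IKE
! flows with Active SAs: 0 alongside flows that carry traffic.
! show crypto isakmp sa detail
! show crypto session detail
```

DPD is negotiated during IKE, so the HQ side has to support it as well; the poster only controls the local end, so confirming that with the HQ administrator is the first check. The keepalive interval and retry value above are starting points, not tuned numbers, and should be set so that a failover is detected faster than users notice the outage but not so aggressively that a brief BGP reconvergence tears down a healthy tunnel.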