Re: DMVPN - "UP-NO-IKE"

CHRISTOPHER YUEN · ‎03-24-2004

I have a DMVPN set up. Hub 3725 with 2691 spokes. Both running IOS 12.3(7)T.

When isakmp sa's expire (1 day), they're deleted and don't reestablish?! When I do a "sh cryp sess" I get a message "Session status: UP-NO-IKE".

Tunnel is up, and traffic is going through. Over the course of a few days, however, there are performance problems. For example, users no longer able to send any email message more than a few lines (Exchange server is at hub). Only fix so far has been to reboot router.

I thought that isakmp sa's are supposed to reestablish after expiration, as long as VPN is still active. Both lifetimes for isakmp and ipsec are 86400.

Thx!

drolemc · ‎03-30-2004

I was looking for bugs related to your problem but could not find any. Usually, rebooting seems to be the best way out when faced with issues like this. However, that is no guarantee that the issue will not crop up again. You could try to reduce the MTU to a value that is being allowed through in your setup. Another option would be to move back to a GD image.

wong.jason · ‎04-05-2004

I have the same thing when I use 12.3(6), all the isakmp sa don't re-establish after they expire. I had to revert back to 12.2(15)T.

CHRISTOPHER YUEN · ‎04-05-2004

Did your VPN tunnel come down totally though? Even if I don't have the isakmp sa's, the tunnel is still up and working. Once IPSec sa's expire and renegotiate, so do the isakmp sa's.

TAC engineer told me that was ok/normal.