Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
813
Views
0
Helpful
1
Replies

DMVPN tunnel goes down and would have to clear isakmp sa for it to come back up.

Samuel
Level 1
Level 1

ā€Ž05-15-2019 08:12 AM - edited ā€Ž02-21-2020 09:39 PM

Hi guys Ive been noticing that my DMVPN setup has been having intermittent issues with sites  that are in transport mode.Every now and then I would have a site go down and would have to clear the isakmp sa session for it to come back up again. I have isakmp periodic keepalives configured and when I show my ISAKMP sa it shows multiple duplicate security associations. Can someone help?

 

My hub router is a ISR 4431 running version Version 15.5(3)S4b.

my spokes are ISR 2921 running version Version 15.5(3)M7

 

Below is the output of the show crypto isakmp sa with the duplicate sessions:

192.168.100.2 200.32.X.X QM_IDLE 1012 ACTIVE
192.168.100.2 200.32.X.X QM_IDLE 1010 ACTIVE
200.32.X.X 192.168.100.2 QM_IDLE 1013 ACTIVE
200.32.X.X 192.168.100.2 QM_IDLE 1011 ACTIVE

 

Ive noticed that my sites that are not using port forwarding aren't having this issue.

 

 

Labels:
0 Helpful
1 Reply 1

balaji.bandi
Hall of Fame
Hall of Fame

ā€Ž05-15-2019 08:31 AM

Since we do not what is the hardware and IOs code you running and your high level network diagram to suggest what is wrong.

 

here is basic steps i can suggest to mitigate the issue (it would be nice if you can provide basic information and config to suggest better)

 

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents