In my DMVPN phase 2 implementation, I have implemented crypto call admission control for IKE SAs on my spokes. This limit is set to 20, which is enough for my network.
I have three hubs per region, and site-to-site connectivity is only enabled on one of these routers (hub 3). Hubs 1 and 2 only provide connectivity to other resources outside the DMVPN.
Suppose the IKE SA limit is reached on a spoke and other IKE requests are being rejected, and then my hub1 goes down or the spoke just loses the tunnel.
Before the tunnel to hub1 is recovered, the spoke accepts the IKE requests it was previously rejecting, and the IKE SA limit is reached again. Now, when hub1 is back online, it will not be able to establish a tunnel, right?
If, over a period of time, the same thing happens with my hub2, then my spoke becomes somewhat isolated, right?
The hubs have static IKE policy (unique PSKs) while the site-to-site tunnels are dynamic.
In other words, does the crypto call admission limit apply only to dynamic crypto sessions or to all crypto sessions?
I think the former. In that case, can a priority be configured for the static IKE SAs over the dynamic ones?