Does Crypto call admission control only apply to dynamic SAs?

nasir · ‎03-13-2013

Hi,

In my DMVPN phase 2 implementation, I have implemented crypto call admission control for IKE SAs on my spokes. This limit is set to 20 which is enough for my network.

I have three hubs per region and site-to-site connectivity is only enabled on one of these routers.(hub 3). hub 1 & 2 only provide connectivity to other resources outside the DMVPN.

If the IKE SA limit is reached on a spoke and there are other IKE requests which are being rejected - and let's say my hub1 goes down or the spoke just loses the tunnel.

Before the tunnels to the hub1 is recovered, the spoke accepts the IKE requests which it was previously rejecting and again the IKE SA limit is reached. Now the hub1 are back on line – it will not be able to establish a tunnel ,right?

If over a period of time the same thing happens with my hub2 then my spoke gets a bit isolated, right?

The hubs have static IKE policy (unique PSKs) while the site-to-site tunnels are dynamic.

In other words, does the crypto call admission limit apply only to dynamic crypto sessions or to all crypto sessions?

I think the former. In that case, can a priority be configured for the static IKE SAs over the dynamic ones?

Kind regards

Nasir

Marcin Latosiewicz · ‎03-14-2013

Nasir,

There should not be a differentiator for CAC between static and dynamic. It counts overall IKE and IKE in-negotiations SAs. IKE doesn't necessarily need to know whether session is static or dynamic...

http://www.cisco.com/en/US/docs/ios-xml/ios/security/a1/sec-cr-c3.html#GUID-84CA3908-A3C5-43E5-B8B5-0DED44EAEEC4

You're right this is midleading, I'm going to get in touch with documentation team to make this a bit more explicit.

M.