02-18-2014 01:36 AM - edited 02-21-2020 07:30 PM
Hi,
We configured a FlexVPN solution.
The hub is an ISR4451 and the spokes are Cisco 819s with a cellular modem interface.
The solution is running fine, but the IPsec tunnels sometimes go up and down, even though the IP on the cellular interface did not change (the IP is dynamic).
We use VRFs and configure one IPsec tunnel for each VRF. We notice that the tunnels do not go down all together but only one at a time, so the problem should be related to the IPsec part.
We notice that sometimes we get a %CRYPTO-4-RECVD_PKT_INV_SPI error in the log, and we set the "crypto isakmp invalid-spi-recovery" command, but nothing changed.
Any idea what could be the cause?
Thank you.
andy
hub:
Cisco IOS XE Software, Version 03.11.00.S - Standard Support Release
Cisco IOS Software, ISR4400 Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.4(1)S, RELEASE SOFTWARE (fc2)
spoke:
Cisco IOS Software, C800 Software (C800-UNIVERSALK9-M), Version 15.2(4)M4, RELEASE SOFTWARE (fc2)
Cisco C819HG+7-K9 (revision 3.0) with 492620K/31667K bytes of memory.
logs on hub:
*Feb 18 06:45:09.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access8, changed state to down
*Feb 18 06:45:09.878: %LINK-3-UPDOWN: Interface Virtual-Access8, changed state to down
*Feb 18 06:45:09.880: %DUAL-5-NBRCHANGE: EIGRP-IPv4 30: Neighbor 192.168.48.230 (Virtual-Access8) is down: interface down
*Feb 18 06:45:21.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access12, changed state to down
*Feb 18 06:45:21.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access12, changed state to up
*Feb 18 06:45:21.535: %DUAL-5-NBRCHANGE: EIGRP-IPv4 30: Neighbor 192.168.48.232 (Virtual-Access12) is up: new adjacency
*Feb 18 07:24:45.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Feb 18 07:24:45.484: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Feb 18 07:24:45.486: %DUAL-5-NBRCHANGE: EIGRP-IPv4 30: Neighbor 192.168.48.231 (Virtual-Access3) is down: interface down
*Feb 18 07:25:03.623: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to down
*Feb 18 07:25:03.627: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access4, changed state to up
*Feb 18 07:25:07.959: %DUAL-5-NBRCHANGE: EIGRP-IPv4 30: Neighbor 192.168.48.122 (Virtual-Access4) is up: new adjacency
*Feb 18 08:32:49.485: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=1.1.1.1, prot=50, spi=0xA4B208EF(2763131119), srcaddr=2.2.2.2, input interface=Virtual-Access9
*Feb 18 08:32:49.493: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access9, changed state to down
*Feb 18 08:32:49.494: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down
*Feb 18 08:32:49.496: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.16.215 (Virtual-Access9) is down: interface down
*Feb 18 08:33:21.093: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to down
*Feb 18 08:33:21.097: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
*Feb 18 08:33:21.164: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 192.168.16.216 (Virtual-Access2) is up: new adjacency
ipsec hub configuration:
crypto ikev2 name-mangler extract-host
fqdn hostname
!
!
crypto ikev2 authorization policy XXX
pool FlexSpokes-XXX
route set interface
!
crypto ikev2 keyring Flex_key
peer Spokes
address 0.0.0.0 0.0.0.0
!
crypto ikev2 profile Flex_IKEv2_XXX
match identity remote fqdn domain XXX.tst
identity local fqdn HSRPHub.XXX.tst
authentication remote pre-share
authentication local pre-share
keyring aaa IPSEC-AUTHOR name-mangler extract-host
dpd 10 5 periodic
aaa authorization group psk list default XXX
virtual-template 1
!
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
!
crypto ipsec profile XXX
set transform-set IKEv2
set ikev2-profile Flex_IKEv2_XXX
!
interface Virtual-Template1 type tunnel
ip vrf forwarding XXX
ip unnumbered Loopback1
tunnel path-mtu-discovery
tunnel protection ipsec profile XXX
ipsec spoke configuration:
crypto ikev2 keyring Flex_key
peer Hub
address 1.1.1.0 255.255.255.240
pre-shared-key local 6 KTLaFEBaWUJ]BD[dNEMJi[Qe^STPTaYbdbAQ_BUTa^
pre-shared-key remote 6 bagLVQWEK^HA`R]XHUVa]gNdECUDIRdOAVCHLLgBECAAB
!
!
!
crypto ikev2 profile Flex_IKEv2_XXX
match identity remote fqdn domain XXX.tst
identity local fqdn YYY.XXX.tst
authentication remote pre-share
authentication local pre-share
keyring local Flex_key
dpd 10 5 periodic
aaa authorization group psk list default default
!
crypto isakmp invalid-spi-recovery
!
!
crypto ipsec transform-set IKEv2 esp-gcm
mode transport
!
crypto ipsec profile XXX
set transform-set IKEv2
set ikev2-profile Flex_IKEv2_XXX
no crypto ipsec profile default
interface Tunnel1
ip vrf forwarding XXX
ip address negotiated
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source Cellular0
tunnel destination 1.1.1.1
tunnel path-mtu-discovery
tunnel protection ipsec profile XXX
!
interface Cellular0
ip address negotiated
ip access-group WAN_ACCESS in
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer idle-timeout 0
dialer string hspa-R7
dialer-group 1
async mode interactive
02-19-2014 12:28 AM
Andy,
*At a glance* config looks fine.
Enable "crypto logging session" (both sides) so we can have a bit more information.
This might come down to enabling debugs. I'm not personally aware of anything in 15.4S that would match this behavior, but you might want to open a TAC case. That should be the easier way.
The information we need to know is when a peer is going down, what the reason is, and whether it is regular or not (i.e. does it happen at IPsec SA expiry or some such).
M.
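The reply above asks two concrete questions of the hub log: does the invalid-SPI message coincide with a tunnel tear-down, and are the tear-downs regular (for example every IPsec SA lifetime)? The script below is an added example, not code from the thread or from Cisco; it parses a handful of the hub syslog lines quoted earlier (year assumed to be 2014, since IOS syslog omits it), pairs each %CRYPTO-4-RECVD_PKT_INV_SPI with the next %LINK-3-UPDOWN down on the same Virtual-Access interface, and measures the spacing between tear-downs against an assumed 3600 s SA lifetime with a 120 s tolerance. The message formats are the ones visible in the log; the window and tolerance values are assumptions.

```python
import re
from datetime import datetime

# Sample hub log lines copied from the thread above (a subset, kept in order).
SAMPLE_LOG = """\
*Feb 18 06:45:09.878: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access8, changed state to down
*Feb 18 06:45:09.878: %LINK-3-UPDOWN: Interface Virtual-Access8, changed state to down
*Feb 18 06:45:09.880: %DUAL-5-NBRCHANGE: EIGRP-IPv4 30: Neighbor 192.168.48.230 (Virtual-Access8) is down: interface down
*Feb 18 06:45:21.454: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access12, changed state to down
*Feb 18 06:45:21.458: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access12, changed state to up
*Feb 18 07:24:45.484: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Feb 18 07:24:45.484: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Feb 18 08:32:49.485: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=1.1.1.1, prot=50, spi=0xA4B208EF(2763131119), srcaddr=2.2.2.2, input interface=Virtual-Access9
*Feb 18 08:32:49.493: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access9, changed state to down
*Feb 18 08:32:49.494: %LINK-3-UPDOWN: Interface Virtual-Access9, changed state to down
"""

# "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^\*(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")
SPI_RE = re.compile(r"spi=(?P<spi>0x[0-9A-Fa-f]+).*input interface=(?P<iface>\S+)")


def parse_log(text, year=2014):
    """Turn syslog lines into event dicts; the year is assumed because IOS omits it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {
            "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S.%f"),
            "mnemonic": m["mnemonic"],
            "iface": None, "state": None, "spi": None,
        }
        if (im := IFACE_RE.search(m["msg"])):
            ev["iface"], ev["state"] = im["iface"], im["state"]
        elif (sm := SPI_RE.search(m["msg"])):
            ev["iface"], ev["spi"] = sm["iface"], sm["spi"]
        events.append(ev)
    return events


def correlate_invalid_spi(events, window_s=5.0):
    """Pair each invalid-SPI event with the next LINK down on the same interface within window_s."""
    hits = []
    for i, ev in enumerate(events):
        if ev["mnemonic"] != "CRYPTO-4-RECVD_PKT_INV_SPI":
            continue
        for later in events[i + 1:]:
            delta = (later["ts"] - ev["ts"]).total_seconds()
            if delta > window_s:
                break
            if (later["mnemonic"] == "LINK-3-UPDOWN" and later["iface"] == ev["iface"]
                    and later["state"] == "down"):
                hits.append({"iface": ev["iface"], "spi": ev["spi"], "delta_s": delta})
                break
    return hits


def link_down_intervals(events):
    """Seconds between consecutive tunnel tear-downs (LINK down, not the brief LINEPROTO bounces).

    Across all spokes on the hub; with a longer capture you would group by interface instead.
    """
    downs = [e for e in events if e["mnemonic"] == "LINK-3-UPDOWN" and e["state"] == "down"]
    return [(cur["iface"], round((cur["ts"] - prev["ts"]).total_seconds(), 3))
            for prev, cur in zip(downs, downs[1:])]


def matches_sa_lifetime(intervals, lifetime_s=3600, tolerance_s=120):
    """True only if every tear-down interval sits within tolerance of the assumed SA lifetime."""
    return bool(intervals) and all(abs(d - lifetime_s) <= tolerance_s for _, d in intervals)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in correlate_invalid_spi(evs):
        print(f"invalid SPI {h['spi']} on {h['iface']} followed by LINK down after {h['delta_s']:.3f}s")
    iv = link_down_intervals(evs)
    print("tear-down intervals:", iv)
    print("looks like SA-lifetime expiry:", matches_sa_lifetime(iv))
```

On the quoted lines the invalid-SPI message precedes the Virtual-Access9 tear-down by 9 ms, and the three tear-downs are spaced about 2376 s and 4084 s apart, so they do not line up with a 3600 s lifetime; a longer capture with "crypto logging session" enabled would let the same per-interface check answer the reply's question properly.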
06-30-2014 02:06 AM
Hello,
I have similar problem, but with DMVPN + IPSEC (ikev1).
Did you solve your problem?
Thanks,
Oleg
06-30-2014 02:08 AM
NAT problem, upgrade the spokes to the latest IOS.