10-21-2020 05:02 AM
Hello Everyone:
I have an occasional problem where the link goes down, meaning, pings and any other traffic can no longer traverse the tunnel and the tunnel still shows up as active in the "sh crypto sessions" list.
If I manually clear it with a "clear crypto session remote a.c.b.d", a new tunnel is immediately brought up and traffic starts flowing again.
I have DPD setup as follows:
crypto ikev2 profile SOIprofile
match identity remote key-id CORS7
match identity remote key-id CORS8
match identity remote key-id CORS9
.
.
identity local key-id CCrouter
authentication remote pre-share
authentication local pre-share key thisismykey
keyring local SOIkeyring
lifetime 14400
dpd 30 2 periodic
!
The DPD should time out and the SA get dumped when the tunnel is not functioning, but at times it's not doing that.
I can see those DPD messages on the Digi so I know they are being sent.
It could be that I do not understand exactly how DPD is supposed to work with IKEv2.
I think I am missing something. Does anyone know why this is not working the way I think it should?
Cheers,
john
10-21-2020 05:18 AM
Check this thread, it may help you:
10-21-2020 05:25 AM
Why do you suspect DPD on this peer?
When the tunnel does not pass traffic, do you check the other peer?
Maybe the other peer needs DPD, not this peer.
10-21-2020 05:59 AM
Good point.
I will try and look into that, but those are remote instrumentation sites so it's not so easy... and of course, I can never get one in the lab or workshop to act like this... only when they're deployed in the bush does this happen.
Clearing the tunnel from the Cisco end solves it so I suspected the Cisco.
I will look into this more.
Cheers,
john
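To make the first post's question (how periodic DPD is supposed to tear down a dead SA) and the second reply's point (the other peer may need DPD too) concrete, here is a simplified simulation of `dpd 30 2 periodic`. It is an added example, not code from this thread or from Cisco; it assumes one liveness probe per interval, a retry count of 5 before the SA is dropped (an assumption, not taken from the page), and that DPD only checks whether the peer's IKE stack answers, never whether ESP traffic actually flows.

```python
from dataclasses import dataclass

MAX_RETRIES = 5  # assumed retry count before the SA is torn down; check your platform docs


@dataclass
class Peer:
    ike_alive: bool     # does this peer's IKEv2 stack still answer liveness checks?
    data_path_ok: bool  # can ESP traffic actually traverse the tunnel on this side?
    sends_dpd: bool     # is DPD configured on this side?


def run_dpd(local, remote, interval=30, retry=2, horizon=600):
    """Simulate 'dpd <interval> <retry> periodic' sent by `local` toward `remote`.
    Returns (sa_deleted, seconds_until_deletion)."""
    if not local.sends_dpd:            # a side without DPD never detects anything
        return (False, None)
    t = 0
    while t < horizon:
        t += interval                  # scheduled liveness check
        if remote.ike_alive:           # peer answered: SA considered healthy
            continue
        # unanswered: retransmit every `retry` s, then give up and delete the SA
        return (True, t + retry * MAX_RETRIES)
    return (False, None)


def assess(local, remote):
    """Pair what the operator sees (is traffic flowing?) with what DPD decides."""
    deleted, at = run_dpd(local, remote)
    return {"traffic_ok": local.data_path_ok and remote.data_path_ok,
            "sa_deleted_by_dpd": deleted, "deleted_at_s": at}


def scenarios():
    cisco = Peer(ike_alive=True, data_path_ok=True, sends_dpd=True)
    digi_no_dpd = Peer(ike_alive=True, data_path_ok=True, sends_dpd=False)
    # 1. remote site lost its IKE stack entirely: periodic DPD catches it
    dead = Peer(ike_alive=False, data_path_ok=False, sends_dpd=False)
    # 2. remote IKE still answers but ESP is black-holed (the "stuck tunnel"
    #    symptom): DPD probes IKE, not the data path, so it never fires
    zombie = Peer(ike_alive=True, data_path_ok=False, sends_dpd=False)
    # 3. the other peer has no DPD: if the Cisco side dies, it never notices either
    cisco_dead = Peer(ike_alive=False, data_path_ok=False, sends_dpd=True)
    return {
        "ike_dead": assess(cisco, dead),
        "data_path_only": assess(cisco, zombie),
        "peer_without_dpd": assess(digi_no_dpd, cisco_dead),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:18s} {result}")
```

The second scenario reproduces the symptom in the first post: the SA stays listed as active and traffic is dead, yet DPD has nothing to report because the IKE peer keeps answering.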