IKEV2 DPD, ISR4431 to Digi WR21

john-serink
Level 1

Hello Everyone:

I have an occasional problem where the link goes down, meaning pings and any other traffic can no longer traverse the tunnel, and the tunnel still shows up as active in the "sh crypto sessions" list.

If I manually clear it with a "clear crypto session remote a.c.b.d", a new tunnel is immediately brought up and traffic starts flowing again.

I have DPD set up as follows:

crypto ikev2 profile SOIprofile
 match identity remote key-id CORS7
 match identity remote key-id CORS8
 match identity remote key-id CORS9
 .
 .
 identity local key-id CCrouter
 authentication remote pre-share
 authentication local pre-share key thisismykey
 keyring local SOIkeyring
 lifetime 14400
 dpd 30 2 periodic
!

The dpd should time out and the SA get dumped when the tunnel is not functioning, but at times it's not doing that.

I can see those dpd messages on the Digi so I know they are being sent.

It could be that I do not understand exactly how dpd is supposed to work with ikev2.

I think I am missing something. Does anyone know why this is not working the way I think it should?

Cheers,

john

3 Replies

balaji.bandi
Hall of Fame

Why do you suspect it is DPD on this peer?

When the tunnel does not pass traffic, do you check the other peer?

Maybe the other peer needs DPD, not this peer.

Good point.

I will try and look into that but those are remote instrumentation sites so it's not so easy... and of course, I can never get one in the lab or workshop to act like this... only when they're deployed in the bush does this happen.

Clearing the tunnel from the Cisco end solves it so I suspected the Cisco.

I will look into this more.

Cheers,

john
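
An added example, not part of the thread: a DPD exchange only shows that the IKE peer still answers, so a session can stay UP-ACTIVE while nothing comes back through the IPsec SAs. This Python script compares two polls of `show crypto session detail` and flags peers whose encrypt counter rises while the decrypt counter stays flat; the sample output, the addresses and the `min_sent` threshold are constructed assumptions.

```python
import re

# Constructed sample in the layout of `show crypto session detail`; the
# addresses (documentation ranges) and counters are made up for illustration.
SNAP_T0 = """\
Interface: Tunnel7
Session status: UP-ACTIVE
Peer: 192.0.2.7 port 4500 fvrf: (none) ivrf: (none)
  IKEv2 SA: local 198.51.100.1/4500 remote 192.0.2.7/4500 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5120 drop 0 life (KB/Sec) 4607998/3000
        Outbound: #pkts enc'ed 6000 drop 0 life (KB/Sec) 4607998/3000
"""
# Second poll, a few minutes later: still encrypting, nothing decrypted.
SNAP_T1 = SNAP_T0.replace("enc'ed 6000", "enc'ed 6240")


def parse_sessions(text):
    """Map peer -> session status plus dec/enc packet totals over its flows."""
    sessions, peer, status = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*Session status:\s*(\S+)", line):
            status = m.group(1)
        elif m := re.match(r"\s*Peer:\s*(\S+)", line):
            peer = m.group(1)
            sessions[peer] = {"status": status, "dec": 0, "enc": 0}
        elif peer and (m := re.search(r"#pkts (dec|enc)'ed (\d+)", line)):
            sessions[peer][m.group(1)] += int(m.group(2))
    return sessions


def stale_peers(before, after, min_sent=10):
    """Peers that stay UP-ACTIVE and keep encrypting but decrypt nothing."""
    old, new = parse_sessions(before), parse_sessions(after)
    stale = []
    for peer, cur in new.items():
        prev = old.get(peer)
        if prev is None or cur["status"] != "UP-ACTIVE":
            continue  # new session or not reported as up: nothing to compare
        sent = cur["enc"] - prev["enc"]
        rcvd = cur["dec"] - prev["dec"]
        # Counters restart when the SAs are re-established; a negative delta
        # (sent < 0) therefore never reaches min_sent and is not flagged.
        if sent >= min_sent and rcvd == 0:
            stale.append(peer)
    return stale


if __name__ == "__main__":
    print(stale_peers(SNAP_T0, SNAP_T1))
```

A flagged peer is a candidate for the `clear crypto session remote` step from the original post. Links that legitimately carry one-way traffic need a probe across the tunnel during the polling interval, otherwise they are flagged as well.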