IPSEC SA not re-establishing

gdavies
Level 1

Hi All,

Got a curly one. I have a VPN-based WAN with 827's and 801's at the remote sites (13 of 'em), with the 827's doing GRE tunneling over IPSEC via ADSL to a 2620XM. The 801's dial a 2620 with a PRI using dialer-watch if the ADSL goes down. Routing is all EIGRP and the 827 / 801 are running HSRP in case one of them pops. My problem is that I periodically have to "clear cry sa" on the remote routers in order to get the IPSEC sessions active again. It's like the SA is timing out but not then invoking IKE to re-establish the session. Any ideas? Similar configs out there? Thanks.

2 Replies

a-vazquez
Level 6

You could set up 'crypto isakmp keepalive' commands on both sides so that if either side went down keepalives would be missed and tunnels would automatically delete after missing 3 keepalives (approx 45 seconds with default 15 keepalive interval).

Thanks for your input, but I already have keepalives set. To explain a little further....

The remote sites are all using a "home" ADSL product with no static IP address, and so must initiate the IPSEC negotiation to the 2620 at the central site. The central site router is configured with dynamic maps. Perhaps if I include some configs, someone out there might see the problem. It may be related to some issues I had in getting the IPSEC to work in the first place. As is evidenced by these configs, I have to bounce the traffic off a loopback for some reason. Anyway, below is the edited config for one of the remotes and the central site. Any ideas would be appreciated. Thanks, Glenn.

Remote Site:

Using 2753 out of 131072 bytes
!
version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname mrc_rout_rt1
!
logging rate-limit console 10 except errors
enable secret
enable password
!
ip subnet-zero
ip name-server 192.168.41.1
!
ip ssh time-out 120
ip ssh authentication-retries 3
no ip dhcp-client network-discovery
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set s8 esp-des
!
crypto map mrc local-address Dialer0
crypto map mrc 5 ipsec-isakmp
 set peer
 set transform-set s8
 match address 120
!
!
!
!
interface Loopback0
 ip address 192.168.249.1 255.255.255.0
 crypto map mrc
!
interface Tunnel0
 bandwidth 256
 ip address 192.168.11.42 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.253.1
 crypto map mrc
!
interface Ethernet0
 ip address 192.168.42.9 255.255.255.0
 ip nat inside
 standby ip 192.168.42.10
 standby priority 100
 standby preempt
 standby track AT0
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
 crypto map mrc
!
interface Dialer0
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp chap hostname
 ppp chap password
 ppp timeout ncp 20
 crypto map mrc
!
router eigrp 7739
 network 192.168.11.0
 network 192.168.42.0
 default-metric 512 8 255 1 1500
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat inside source route-map nonat interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.253.1 255.255.255.255 Loopback0
no ip http server
!
access-list 105 deny ip 192.168.42.0 0.0.0.255 192.168.41.0 0.0.0.255
access-list 105 permit ip 192.168.42.0 0.0.0.255 any
access-list 120 permit ip host 192.168.249.1 host 192.168.253.1
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 105
!
snmp-server engineID local 800000090300000196A490C7
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server host
!
line con 0
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 password
 login
!
scheduler max-task-time 5000
end

mrc_rout_rt1#

Central Site 2620:

Using 10320 out of 29688 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname s8_vpn_rout
!
logging buffered 4096 debugging
enable secret
enable password
!
memory-size iomem 10
ip subnet-zero
!
!
ip name-server 192.168.41.1
!
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 28800
crypto isakmp key address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
!
crypto ipsec transform-set test esp-des
!
crypto dynamic-map pho 5
 description dynamic map to phoenician
 set transform-set test
 match address 130
!
crypto dynamic-map equ 6
 description dynamic map to equinox
 set transform-set test
 match address 135
!
crypto dynamic-map imp 7
 description dynamic map to imperial surf
 set transform-set test
 match address 140
!
crypto dynamic-map mrc 8
 description dynamic map to moroccan
 set transform-set test
 match address 145
!
crypto dynamic-map stp 9
 description dynamic map to st. tropez
 set transform-set test
 match address 150
!
crypto dynamic-map ray 10
 description dynamic map to rays
 set transform-set test
 match address 155
!
crypto dynamic-map alo 11
 description dynamic map to aloha
 set transform-set test
 match address 160
!
crypto dynamic-map end 12
 description dynamic map to enderley gardens
 set transform-set test
 match address 165
!
crypto dynamic-map arb 13
 description dynamic map to aruba beach
 set transform-set test
 match address 170
!
crypto dynamic-map sir 14
 description dynamic map to sirocco
 set transform-set test
 match address 175
!
crypto dynamic-map zan 15
 description dynamic map to zanzibar
 set transform-set test
 match address 180
!
crypto dynamic-map spn 16
 description dynamic map to south pacific noosa
 set transform-set test
 match address 185
!
!
crypto map fitbiz local-address Virtual-Template1
crypto map fitbiz 1 ipsec-isakmp
 set peer
 set transform-set test
 match address 120
crypto map fitbiz 2 ipsec-isakmp dynamic pho
crypto map fitbiz 3 ipsec-isakmp dynamic equ
crypto map fitbiz 4 ipsec-isakmp dynamic imp
crypto map fitbiz 5 ipsec-isakmp dynamic mrc
crypto map fitbiz 6 ipsec-isakmp dynamic stp
crypto map fitbiz 7 ipsec-isakmp dynamic ray
crypto map fitbiz 8 ipsec-isakmp dynamic alo
crypto map fitbiz 9 ipsec-isakmp dynamic end
crypto map fitbiz 10 ipsec-isakmp dynamic arb
crypto map fitbiz 11 ipsec-isakmp dynamic sir
crypto map fitbiz 12 ipsec-isakmp dynamic zan
crypto map fitbiz 13 ipsec-isakmp dynamic spn
!
!
!
!
!
!
!
!
fax interface-type fax-mail
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 192.168.253.1 255.255.255.0
 crypto map fitbiz
!
interface Tunnel0
 description tunnel interface to fitbiz nmc
 bandwidth 256
 ip address 192.168.11.2 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.254.1
 crypto map fitbiz
!
interface Tunnel1
 description tunnel interface to phoenician
 bandwidth 128
 ip address 192.168.11.33 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.250.1
 crypto map fitbiz
!
interface Tunnel2
 description tunnel interface to equinox
 bandwidth 128
 ip address 192.168.11.37 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.248.1
 crypto map fitbiz
!
interface Tunnel3
 description tunnel interface to moroccan
 bandwidth 128
 ip address 192.168.11.41 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.249.1
 crypto map fitbiz
!
interface Tunnel4
 description tunnel interface to st. tropez
 bandwidth 128
 ip address 192.168.11.45 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.247.1
 crypto map fitbiz
!
interface Tunnel5
 description tunnel interface to aruba beach
 bandwidth 128
 ip address 192.168.11.49 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.246.1
 crypto map fitbiz
!
interface Tunnel6
 description tunnel interface to Imperial Surf
 bandwidth 128
 ip address 192.168.11.53 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.245.1
 crypto map fitbiz
!
interface Tunnel7
 description tunnel interface to enderley gardens
 bandwidth 128
 ip address 192.168.11.57 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.244.1
 crypto map fitbiz
!
interface Tunnel8
 description tunnel interface to rays
 bandwidth 128
 ip address 192.168.11.61 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.243.1
 crypto map fitbiz
!
interface Tunnel9
 description tunnel interface to aloha
 bandwidth 128
 ip address 192.168.11.65 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.242.1
 crypto map fitbiz
!
interface Tunnel10
 description tunnel interface to south pacific
 bandwidth 128
 ip address 192.168.11.69 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.241.1
 crypto map fitbiz
!
interface Tunnel11
 description tunnel interface to sirocco
 bandwidth 128
 ip address 192.168.11.73 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.239.1
 crypto map fitbiz
!
interface Tunnel12
 description tunnel interface to zanzibar
 bandwidth 128
 ip address 192.168.11.77 255.255.255.252
 tunnel source Loopback0
 tunnel destination 192.168.240.1
 crypto map fitbiz
!
interface ATM0/0
 no ip address
 ip nat outside
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp Virtual-Template1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map fitbiz
!
interface FastEthernet0/0
 ip address 192.168.41.10 255.255.255.0
 ip nat inside
 no ip split-horizon
 duplex auto
 speed auto
!
interface ATM0/1
 no ip address
 ip nat outside
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp Virtual-Template1
 !
 dsl operating-mode auto
 no fair-queue
 crypto map fitbiz
!
interface Virtual-Template1
 ip address
 ip nat outside
 ip tcp header-compression passive
 ppp authentication chap callin optional
 ppp chap hostname
 ppp chap password
 ppp direction callout
 crypto map fitbiz
!
router eigrp 7739
 network 192.168.11.0
 network 192.168.41.0
 no auto-summary
 no eigrp log-neighbor-changes
!
ip nat pool extip netmask 255.255.255.248 type rotary
ip nat inside source route-map nonat pool extip overload
ip classless
ip route 0.0.0.0 0.0.0.0
no ip http server
ip pim bidir-enable
!
!
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.10.0 0.0.0.25
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.43.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.45.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.46.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.47.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.48.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.49.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.51.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.52.0 0.0.0.255
access-list 105 deny ip 192.168.41.0 0.0.0.255 192.168.53.0 0.0.0.255
access-list 105 permit ip 192.168.41.0 0.0.0.255 any
access-list 120 permit ip host 192.168.253.1 host 192.168.254.1
access-list 130 permit ip host 192.168.253.1 host 192.168.250.1
access-list 135 permit ip host 192.168.253.1 host 192.168.248.1
access-list 140 permit ip host 192.168.253.1 host 192.168.245.1
access-list 145 permit ip host 192.168.253.1 host 192.168.249.1
access-list 150 permit ip host 192.168.253.1 host 192.168.247.1
access-list 155 permit ip host 192.168.253.1 host 192.168.243.1
access-list 160 permit ip host 192.168.253.1 host 192.168.242.1
access-list 165 permit ip host 192.168.253.1 host 192.168.244.1
access-list 170 permit ip host 192.168.253.1 host 192.168.246.1
access-list 175 permit ip host 192.168.253.1 host 192.168.239.1
access-list 180 permit ip host 192.168.253.1 host 192.168.240.1
access-list 185 permit ip host 192.168.253.1 host 192.168.241.1
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 105
!
snmp-server community
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps dlsw
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps vtp
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server enable traps xgcp
snmp-server host
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 password
 login
!
!
end

s8_vpn_rout#
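As an added consistency check (this script is written for this page, not part of the thread or of Cisco's tooling): with dynamic crypto maps only the spoke can bring the SA up, so IKE is only triggered when traffic matches the spoke's crypto ACL and the hub holds the exact mirror of that ACL bound to a dynamic map. The script below parses constructed excerpts of the two configs above and reports any break in that mirror, including the GRE tunnel endpoints on each side.

```python
# Constructed excerpts of the two configs posted above (spoke "mrc" and the 2620 hub).
SPOKE = """interface Loopback0
 ip address 192.168.249.1 255.255.255.0
interface Tunnel0
 tunnel destination 192.168.253.1
access-list 120 permit ip host 192.168.249.1 host 192.168.253.1
crypto map mrc 5 ipsec-isakmp
 match address 120
"""
HUB = """interface Loopback0
 ip address 192.168.253.1 255.255.255.0
interface Tunnel3
 tunnel destination 192.168.249.1
access-list 145 permit ip host 192.168.253.1 host 192.168.249.1
crypto dynamic-map mrc 8
 match address 145
"""

def parse(cfg):
    """Loopback address, GRE tunnel destinations, host-to-host crypto ACLs and the ACL bound to each crypto map."""
    st, section = {"loop": None, "tunnels": set(), "acl": {}, "maps": {}}, None
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] == "interface":
            section = w[1]
        elif w[:2] in (["crypto", "map"], ["crypto", "dynamic-map"]) and len(w) > 3 and w[3].isdigit():
            section = w[2]                      # crypto map NAME SEQ ... / crypto dynamic-map NAME SEQ
        elif w[:2] == ["ip", "address"] and section == "Loopback0":
            st["loop"] = w[2]
        elif w[:2] == ["tunnel", "destination"]:
            st["tunnels"].add(w[2])
        elif w[:2] == ["match", "address"]:
            st["maps"][section] = w[2]          # crypto ACL bound to this map entry
        elif w[0] == "access-list" and w[2:5] == ["permit", "ip", "host"]:
            st["acl"][w[1]] = (w[5], w[7])      # (source host, destination host)
    return st

def mirror_problems(spoke_cfg, hub_cfg):
    """Return mismatches between the spoke's crypto/tunnel config and the hub's."""
    s, h, out = parse(spoke_cfg), parse(hub_cfg), []
    for num in s["maps"].values():
        if s["acl"][num] != (s["loop"], h["loop"]):
            out.append(f"spoke ACL {num} should permit {s['loop']} -> {h['loop']}")
        bound = [k for k, v in h["acl"].items() if v == (h["loop"], s["loop"]) and k in h["maps"].values()]
        if not bound:
            out.append(f"hub has no crypto/dynamic map whose ACL mirrors spoke ACL {num}")
    for side, peer, name in ((s, h, "spoke"), (h, s, "hub")):
        if peer["loop"] not in side["tunnels"]:
            out.append(f"{name} has no GRE tunnel with destination {peer['loop']}")
    return out
```

Run `mirror_problems(SPOKE, HUB)` against the excerpts above and it returns an empty list; feeding it the full pasted configs (or a spoke excerpt with a mistyped hub loopback) lists each broken half of the mirror.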