Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
0
Helpful
5
Replies

IPSec tunnel stucks in the random period of time untill reboot or reenabling crypto map on the Interface

antonkim88
Level 1
Level 1

‎06-17-2016 10:24 AM - edited ‎02-21-2020 08:51 PM

Dear Experts,

We have 2821 Cisco Router with the following Software (C2800NM-ADVIPSERVICESK9-M), Version 15.1(4)M8, RELEASE SOFTWARE (fc2).

We have IPSec tunnel configured between our site and remote peer in Germany. IPsec tunnel is used for Intranet and we are also using NAT for accessing Public Internet.  It was working perfect for years. But recently we faced with the following issue:

After random period of time (once a day or once in 2 days) IPsec tunnel stucks and no traffic is comming in\out inside this tunnel ( no access to Intranet, local resources), at the same time NAT is still working and we can use Public Internet without problems.

I did sh crypto isakmp sa

dst src state conn-id status
111.111.111.1 222.222.222.1 QM_IDLE 1009 ACTIVE

sh crypto isakmp sa details

C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.

1009 222.222.222.1 111.111.111.1 ACTIVE 3des sha psk 2 19:47:28
Engine-id:Conn-id = SW:9

IPv6 Crypto ISAKMP SA

I see that tunnel is UP and Active but traffic for this tunnel doesn't go anymore....

The only workaround for me is to remove crypto map statement from g0/0 interface (which is source Peer interface) and to add crypto map statement back, after that SA is established and everything is backing to normal. Or router reboot helps either. But in ~24-48+- hours this happens again....Even in night time or early morning....

I thought that it's hardware related issue, but replacing my 2821 with the same spare router 2821 - didn't help...So I am excluding hardware related root cause. I tried older IOS (c2800nm-advipservicesk9-mz.124-15.T12.bin) - nothing changed...

I tried to reset the tunnel with clear crypto sa and clear crypto session, but it doesn't help at all...Only no crypto map my_map on the interface fixes this issue. I am totally frustrated...

What can be the root cause and where should I look or search the permanent solution? Please advise. Maybe you faced the same problem...

Labels:
0 Helpful
5 Replies 5

Philip D'Ath
VIP Alumni
VIP Alumni

‎06-17-2016 11:22 PM

My personal guess is an SPI mis-match between the two peers.  Try enabling isakmp keepalive (on both ends) to resolve the issue.

I also note that 15.1.4M10 is available for the 2821, are you are still on maintenance release 8, so I would do a software upgrade.

And the last desperation option I would do is change from using IKEv1 (like above) to IKEv2, as IKEv2 resolved a lot of issues.

0 Helpful

antonkim88
Level 1
Level 1
In response to Philip D'Ath

‎06-17-2016 11:58 PM

Hi,

Thanks for your response. I will try to apply your recommendations.

But anyway I don't understand, why this was working fine for years and only now this problem occured....

And last questions how to change from using IKEv1  to IKEv2? I am sorry, but I am not expert in WAN\IPSec tecnologies :(

0 Helpful

Philip D'Ath
VIP Alumni
VIP Alumni
In response to antonkim88

‎06-17-2016 11:59 PM

Try the software upgrade first.  Re-configuring both ends for IKEv2 is a much bigger job.

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎06-17-2016 11:30 PM

Hi,

Can you try configuring this command and check if it helps:

crypto isakmp invalid-spi-recovery

Regards,

Aditya

Please rate helpful posts and mark correct answers.

0 Helpful

antonkim88
Level 1
Level 1
In response to Aditya Ganjoo

‎06-17-2016 11:54 PM

Hi, Thanks for response..

This commang is already configured on my Router from the beginning...

crypto isakmp invalid-spi-recovery

0 Helpful
Customers Also Viewed These Support Documents