
Issue with Cisco IOS XE on ISR4331 with IPSEC vrf aware setup


Hi all,

This is my all time first post here. Sorry for my bad English, it is not my native language. But I hope everything is understandable.

I am at the moment banging my head on the table, so to speak, due to the fact that I am not getting a specific IPSEC configuration working properly.

It concerns an IPSEC vrf aware failover setup in combination with HSRP on Cisco IOS XE routers (ISR4331 - Cisco IOS XE Software, Version 16.06.04) to and I was getting some really unpredictable behavior during implementation like:

- Flapping tunnels between IPSEC router 1 and 2
- Sometimes tunnels would initiate from customer end and terminate OK, but others not (ended in P2 with error 32)
- Could not initiate tunnels myself even though I generated interesting traffic

Anyway, very much disappointment. Especially since I tested everything in advance with GNS3 and classic IOS. Configurations I had in mind all worked fine in the virtual lab.

So I made a test setup with the new routers interfaced to each other. Outside interfaces in same IP test segment ( and I wanted to test only one IPSEC tunnel and advance my configuration from there on.

Unfortunately, again it works very unpredictably. Sometimes I can initiate the tunnel from router 2 towards router 1, but P2 ends again in error 32. From router 1 I can initiate nothing for some reason. Route for VPN traffic was leaked into customer vrf on both routers.

Reloaded everything to start fresh and now nothing works anymore even though the configuration has not changed. Also router 2 does not initiate anything anymore. Do I miss something very obvious and did I make a mistake? Or am I running into an IOS bug or maybe even a hardware issue?

Unfortunately I cannot upgrade the IOS XE yet due to an issue with the customer smart account and smartnet contracts are not linked yet :-( else it would have been my first step. I can hopefully do this next week, but until now I am stuck.

I hope anyone is willing to look into my test setup configurations and check if I made a mistake or am I dealing with soft/hardware issues? I have attached the test configurations were valid to the post.

If you have questions or want some more information just let me know. Happy to provide.

Many thanks in advance!