Random L2L IPSEC VPN disconnect

connect2world
Level 1

Hi Folks,

I have a strange problem here; hope someone can shed some light to resolve it.

Network Setup

===========

2 Site to Site VPN tunnels have been established in a hub and spoke topology. The hub is an ASA5520 and the 2 spokes are an 1841 and an 1801 router. The tunnel is able to pass traffic; it's a full tunnel VPN. The tunnel randomly disconnects for no reason. When I check the logs I can see some errors:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=x.x.x.x, prot=50, spi=0x5F822579(1602364793), srcaddr=y.y.y.y

%CRYPTO-4-IKMP_NO_SA: IKE message from y.y.y.y has no SA and is not an initialization offer

The actual addresses have been replaced by x.x.x.x and y.y.y.y. I frequently have to perform clear crypto isakmp on the spoke routers to revive the VPN tunnels. Is there a way the tunnel can be re-established again without manual intervention? This keeps happening on a random basis and I have been living with it for years. I have looked at the Cisco website troubleshooting tips but had no luck in finding out how to resolve it. Hope someone can point me in the right direction.

Below is my config on one of the spoke routers:

==================================

Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(24)T3, RELEASE SOFTWARE (fc2)

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key @@@@@@ address y.y.y.y
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set tset1 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map ipsecvpn 10 ipsec-isakmp
set peer y.y.y.y
set transform-set tset1
match address vpn@spoke
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ipsecvpn
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Vlan1
ip address 10.227.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
no ip mroute-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 z.z.z.z
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat inside source route-map VPN interface FastEthernet0 overload
!
ip access-list extended nonat
deny   udp host x.x.x.x eq isakmp host y.y.y.y eq isakmp
deny   udp host x.x.x.x eq non500-isakmp host y.y.y.y eq non500-isakmp
deny   ahp host x.x.x.x host y.y.y.y
deny   esp host x.x.x.x host y.y.y.y
deny   pcp host x.x.x.x host y.y.y.y
deny   ip 10.227.5.0 0.0.0.255 10.0.0.0 0.255.255.255
deny   ip 10.227.5.0 0.0.0.255 any
!
ip access-list extended vpn@spoke
permit ip 10.227.5.0 0.0.0.255 10.32.0.0 0.31.255.255
permit ip 10.227.5.0 0.0.0.255 10.224.0.0 0.31.255.255
permit ip 10.227.5.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.227.5.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
!
route-map VPN permit 10
match ip address nonat


Hi! Thanks for posting on CSC.

If possible, enable the following command on one router:

crypto isakmp invalid-spi-recovery

Also, we need to gather the logs from the ASA in order to understand what happens when the tunnel fails.

I look forward to hearing back from you.

Hi Javier,

If you notice my config, that statement has already been added.

Hi,

Please follow Mohammad's piece of advice; we really need to check those debugs.

BTW, I am sorry, I did not see the command when I first checked it.

Thanks.

Mohammad Alhyari
Cisco Employee

Hi,

The message that you are seeing indicates that the other side is still using an IPSEC SA that has been deleted by this side. Can you enable the following debugs at the time of the issue:

debug cry isa

debug crypto ipsec

If you have more than one VPN peer, you can limit the debugs to only one peer by using:

debug crypto condition peer ipv4 [ip address of the peer having the issue]

Also, it would be good to share the ASA-side configuration.

Thanks.
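The stale-SA condition described in this reply (a peer still sending ESP for an SPI this side has deleted, followed by IKE messages that match no SA) can be spotted in syslog before anyone has to run clear crypto isakmp. The following is an added example, not code from the thread or from Cisco: it parses the two %CRYPTO-4 messages quoted in the original post and flags a peer that keeps hitting the same unknown SPI within a short window. The log lines, hostname, timestamps and addresses (RFC 5737 test ranges) are constructed for the example; the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the two messages quoted in the
# thread; hostname, timestamps and addresses (RFC 5737 test ranges) are made up.
SAMPLE_LOG = """\
Mar 10 08:01:02 spoke1: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.10, prot=50, spi=0x5F822579(1602364793), srcaddr=203.0.113.5
Mar 10 08:01:05 spoke1: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.10, prot=50, spi=0x5F822579(1602364793), srcaddr=203.0.113.5
Mar 10 08:01:09 spoke1: %CRYPTO-4-IKMP_NO_SA: IKE message from 203.0.113.5 has no SA and is not an initialization offer
Mar 10 08:01:12 spoke1: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.10, prot=50, spi=0x5F822579(1602364793), srcaddr=203.0.113.5
Mar 10 09:30:00 spoke1: %CRYPTO-4-IKMP_NO_SA: IKE message from 198.51.100.7 has no SA and is not an initialization offer
"""

TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
INV_SPI = re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<peer>[\d.]+)")
NO_SA = re.compile(r"%CRYPTO-4-IKMP_NO_SA: IKE message from (?P<peer>[\d.]+) has no SA")

def parse_events(text, year=2011):
    """Turn the two CRYPTO-4 messages into (timestamp, peer, kind, spi) tuples."""
    events = []
    for line in text.splitlines():
        m_ts = TS.match(line)
        if not m_ts:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m_ts['ts']}", "%Y %b %d %H:%M:%S")
        if m := INV_SPI.search(line):
            events.append((ts, m["peer"], "inv_spi", m["spi"].lower()))
        elif m := NO_SA.search(line):
            events.append((ts, m["peer"], "no_sa", None))
    return events

def stale_sa_peers(events, threshold=3, window=timedelta(minutes=5)):
    """Return {peer: (spi, total_count)} for peers that sent at least
    `threshold` packets with the same unknown SPI inside `window`: the
    pattern of a peer still using an SA this side has already deleted."""
    stamps_by_key = defaultdict(list)
    for ts, peer, kind, spi in events:
        if kind == "inv_spi":
            stamps_by_key[(peer, spi)].append(ts)
    flagged = {}
    for (peer, spi), stamps in stamps_by_key.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged[peer] = (spi, len(stamps))
                break
    return flagged
```

A single IKMP_NO_SA from a peer (198.51.100.7 in the sample) is not flagged on its own; the repeated invalid-SPI hits for one SPI are the signal worth alerting on and correlating with the debugs requested above.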
