S2S VPN disconnects every hour

HHeydarov
Level 1

Hi Experts.

I need your advice.

Before writing here, I spent hours investigating this issue, but with no success.

The site-to-site VPN is configured as hub and spokes (not DMVPN). Except for 1 spoke, all of the others work properly through the VPN tunnel.

The exception is that every hour, only 1 connection disconnects and then reconnects again. The outage lasts approximately 10 sec, and I think this is the DPD time which I configured.

I have checked the ACLs on both sides, the routes, and the phase 1 and phase 2 lifetimes, but I still experience this problem.

The debugging output is attached.

I would be grateful if you give a hand.

Thank you in advance.


Do you have DPD and keepalives enabled on both sides? Also, when you say that the ACLs are fine, are they mirrored?

Yes, DPD is enabled and the ACLs are mirrored. The weird thing is that it occurs only between the hub and one branch router. There are other routers which have the same IOS version and the same model, and nearly the same traffic is passing through them.


HHeydarov
Level 1

Any Idea?

What are the configured lifetimes? Please provide the configuration of the hub and the troublesome spoke.
Please provide the output of "show crypto ipsec sa" and "show crypto isakmp sa"
What IOS firmware version are you running?

Show crypto isakmp sa
HUB
Y.Y.Y.Y      X.X.X.X     QM_IDLE          65942 ACTIVE
Spoke
Y.Y.Y.Y      X.X.X.X     QM_IDLE           1041 ACTIVE

Show run
HUB
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp key ********* address X.X.X.X    
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set VPNtransform-set esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto map Spokes 10 ipsec-isakmp
 set peer X.X.X.X
 set security-association lifetime seconds 3500
 set transform-set VPNtransform-set
 set pfs group2
 match address ACL_Branches
 reverse-route
 qos pre-classify
!
crypto ipsec transform-set VPNtransform-set esp-aes 256 esp-md5-hmac
 mode tunnel

Spoke

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key ********** address Y.Y.Y.Y     
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic        
!
crypto ipsec transform-set VPNtransform-set esp-aes 256 esp-md5-hmac
 mode tunnel
!
crypto map Spokes 10 ipsec-isakmp
 set peer Y.Y.Y.Y
 set security-association lifetime seconds 3500
 set transform-set VPNtransform-set
 set pfs group2
 match address ACL_Branches
 qos pre-classify

Interesting thing is that Spoke has another VPN connectivity with another router and it does not behave like this.
IOS version: 15.4(3)M5
The lifetime for phase 1 is 3600 and 3500 for phase 2.
ACLs are definitely mirrored.


This is the error logged during the break:

Hub

Feb  5 11:02:38: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x91ECFD3B(2448227643), srcaddr=X.X.X.X, input interface=Port-channel1.450


Spoke

 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0xC4A13E86(3298901638), srcaddr=Y.Y.Y.Y, input interface=GigabitEthernet0/0


It stops working for nearly 10 sec and revives again.
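As an added example (not code from the thread or from Cisco), the following Python script parses %CRYPTO-4-RECVD_PKT_INV_SPI lines in the form quoted above and flags the peer pairs on which the error recurs at an interval close to the configured ISAKMP lifetime (3600 s), which is the check that confirms whether the hourly drop lines up with a rekey rather than a one-off. Only the first sample line is the hub message from the thread; the remaining lines, the peer Z.Z.Z.Z, and the year (Cisco timestamps omit it) are constructed or assumed for this example.

```python
import re
from datetime import datetime

# Regex for the %CRYPTO-4-RECVD_PKT_INV_SPI message in the form quoted in the thread.
INV_SPI_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d): %CRYPTO-4-RECVD_PKT_INV_SPI: "
    r"decaps: rec'd IPSEC packet has invalid spi for destaddr=(?P<dst>\S+), prot=(?P<prot>\d+), "
    r"spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), srcaddr=(?P<src>\S+), input interface=(?P<intf>\S+)"
)

# First line is the hub message quoted in the thread; the others are constructed for this
# example (Z.Z.Z.Z is an assumed placeholder for some other spoke with a single hit).
SAMPLE_LOG = [
    "Feb  5 11:02:38: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x91ECFD3B(2448227643), srcaddr=X.X.X.X, input interface=Port-channel1.450",
    "Feb  5 12:02:41: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0xA1B2C3D4(2712847316), srcaddr=X.X.X.X, input interface=Port-channel1.450",
    "Feb  5 13:02:39: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x5E6F7A8B(1584364171), srcaddr=X.X.X.X, input interface=Port-channel1.450",
    "Feb  5 13:30:00: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x0BADF00D(195948557), srcaddr=Z.Z.Z.Z, input interface=Port-channel1.450",
]

def parse_inv_spi(line, year=2020):
    """Return the fields of one invalid-SPI line, or None if it does not match.
    Cisco timestamps carry no year, so one is assumed; a line without a timestamp
    (like the spoke message quoted in the thread) cannot be placed in time and is skipped."""
    m = INV_SPI_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "spi": m["spi"].lower(), "intf": m["intf"]}

def periodic_peers(lines, period_s=3600, tolerance_s=60, min_hits=3):
    """Group invalid-SPI events by (src, dst) and return the pairs whose consecutive
    occurrences are all spaced within tolerance_s of period_s (3600 s is the ISAKMP
    lifetime in the posted config). Result: {(src, dst): [gap_seconds, ...]}."""
    stamps_by_peer = {}
    for line in lines:
        ev = parse_inv_spi(line)
        if ev:
            stamps_by_peer.setdefault((ev["src"], ev["dst"]), []).append(ev["ts"])
    flagged = {}
    for peer, stamps in stamps_by_peer.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few hits to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            flagged[peer] = gaps
    return flagged

if __name__ == "__main__":
    for (src, dst), gaps in periodic_peers(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: invalid SPI recurs at gaps {gaps} s, close to the 3600 s lifetime")
```

Feed it the hub's syslog instead of SAMPLE_LOG to see whether only the troublesome spoke's peer pair is flagged.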