02-04-2019 12:35 AM - edited 02-04-2019 12:36 AM
Hi Experts.
I need your advice.
Before writing here, I spent hours investigating this issue, but with no success.
Site-to-Site VPN is configured as Hub and Spokes (not DMVPN). Except for 1 spoke, all of the others work properly through the VPN tunnel.
The exception is that every hour, only 1 connection disconnects and reconnects again. The timeout continues for approximately 10 sec, and I think this is the DPD time which I configured.
I have checked the ACLs of both sides, routes, and phase 1/phase 2 lifetimes, but I still experience this problem.
There is attachment of debugging.
I would be grateful if you give a hand.
Thank you in advance.
02-04-2019 02:04 AM
Yes, DPD is enabled and ACLs are mirrored. The weird thing is that it occurs only between the hub and one branch router. There are other routers which have the same IOS version and the same model, and nearly the same traffic is passing through them.
02-04-2019 03:37 AM
Any idea?
02-04-2019 09:21 PM - edited 02-04-2019 10:53 PM
show crypto isakmp sa
HUB
Y.Y.Y.Y X.X.X.X QM_IDLE 65942 ACTIVE
Spoke
Y.Y.Y.Y X.X.X.X QM_IDLE 1041 ACTIVE
show run
HUB
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp key ********* address X.X.X.X
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set VPNtransform-set esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto map Spokes 10 ipsec-isakmp
set peer X.X.X.X
set security-association lifetime seconds 3500
set transform-set VPNtransform-set
set pfs group2
match address ACL_Branches
reverse-route
qos pre-classify
!
Spoke
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
lifetime 3600
crypto isakmp key ********** address Y.Y.Y.Y
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set VPNtransform-set esp-aes 256 esp-md5-hmac
mode tunnel
!
crypto map Spokes 10 ipsec-isakmp
set peer Y.Y.Y.Y
set security-association lifetime seconds 3500
set transform-set VPNtransform-set
set pfs group2
match address ACL_Branches
qos pre-classify
The interesting thing is that the Spoke has another VPN connection with another router, and it does not behave like this.
IOS version: 15.4(3)M5
Lifetime for phase1 is 3600 and 3500 for phase2.
ACLs are definitely mirrored.
02-05-2019 12:26 AM - edited 02-06-2019 05:42 AM
This is the error during the break:
Hub
Feb 5 11:02:38: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=Y.Y.Y.Y, prot=50, spi=0x91ECFD3B(2448227643), srcaddr=X.X.X.X, input interface=Port-channel1.450
Spoke
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=X.X.X.X, prot=50, spi=0xC4A13E86(3298901638), srcaddr=Y.Y.Y.Y, input interface=GigabitEthernet0/0
It stops working for nearly 10 sec and then revives again.
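As an added example (not from the original thread or Cisco), here is a small Python parser for the %CRYPTO-4-RECVD_PKT_INV_SPI message shown above. It collapses repeated messages into bursts per peer pair and measures the interval between bursts, flagging intervals that sit close to the configured phase 1 (3600 s) or phase 2 (3500 s) lifetimes, which is the first thing to check when a tunnel drops on a regular schedule. The log lines, addresses and timestamps are constructed sample data; IOS timestamps carry no year, so one is assumed.

```python
import re
from datetime import datetime

# Constructed sample syslog, modelled on the hub's message in the thread (addresses are made up).
SAMPLE_LOG = """\
Feb 5 10:04:11: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.1, prot=50, spi=0x11111111(286331153), srcaddr=10.0.0.2, input interface=Port-channel1.450
Feb 5 11:02:38: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.1, prot=50, spi=0x91ECFD3B(2448227643), srcaddr=10.0.0.2, input interface=Port-channel1.450
Feb 5 11:02:39: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.1, prot=50, spi=0x91ECFD3B(2448227643), srcaddr=10.0.0.2, input interface=Port-channel1.450
Feb 5 12:01:05: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.0.0.1, prot=50, spi=0x22222222(572662306), srcaddr=10.0.0.2, input interface=Port-channel1.450
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d): %CRYPTO-4-RECVD_PKT_INV_SPI: .*?"
    r"destaddr=(?P<dst>\S+), prot=(?P<prot>\d+), spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\), "
    r"srcaddr=(?P<src>\S+), input interface=(?P<intf>\S+)$"
)

def parse_inv_spi(log_text, year=2019):
    """Return one dict per invalid-SPI line; `year` is assumed because IOS omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other syslog message
        ev = m.groupdict()
        ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
        events.append(ev)
    return events

def burst_starts(events, gap=60):
    """Collapse repeats from the same peer pair within `gap` seconds into one burst."""
    starts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        bursts = starts.setdefault((ev["src"], ev["dst"]), [])
        if not bursts or (ev["time"] - bursts[-1]).total_seconds() > gap:
            bursts.append(ev["time"])
    return starts

def recurring_intervals(events, lifetimes=(3600, 3500), tolerance=120):
    """Seconds between bursts per peer pair, each flagged True if near a configured SA lifetime."""
    report = {}
    for key, times in burst_starts(events).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[key] = [(g, any(abs(g - lt) <= tolerance for lt in lifetimes)) for g in gaps]
    return report
```

Run it over the real log from both routers and compare the flagged intervals with the phase 1 and phase 2 lifetimes on each side; a burst that lands every ~3500 s points at the SA rekey rather than at DPD.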