site to site tunnel down

teymur azimov
Level 1

Hi dears,

I configured two site-to-site VPNs (IPsec VPN) and a remote VPN on the router. All of them are working normally.

But when there is no traffic in the tunnel, the tunnel goes down and afterwards does not come up. I clear the crypto map from the interface, then clean one crypto map, then apply the crypto map to the interface, then configure the second tunnel again (the one I cleaned before).

What is the problem? Why does the tunnel not come up automatically?


teymur azimov
Level 1

Is it an IOS problem?

Hello Teymur,

Are you saying that the tunnel goes down as expected after no traffic has been sent for a while, but then you generate some traffic again to start the tunnel and it never goes back up?

If the answer is yes, this is indeed odd.

What is the version you are running?

Are you sure the traffic you are sending is reaching the router?

What happens if you do a show crypto isakmp sa while sending the traffic again?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Cisco IOS Software, C3900e Software (C3900e-UNIVERSALK9-M), Version 15.3(1)T, RELEASE SOFTWARE (fc1)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2012 by Cisco Systems, Inc.

Compiled Mon 26-Nov-12 18:34 by prod_rel_team

ROM: System Bootstrap, Version 15.1(1r)T5, RELEASE SOFTWARE (fc1)

The tunnels are normally working OK. For example, after 10 hours I do show crypto isakmp sa and it shows one tunnel in state MM_NO_STATE; the tunnel is down. The other tunnel is working normally.

I ping the peer site's local subnet. The ping does not go through and the tunnel does not come up. Then I delete the crypto map from the outside interface, delete the working crypto map (the down tunnel's crypto map is still there), then I apply the crypto map to the outside interface again, and after that the down tunnel comes up. Then I add the tunnel whose crypto map I deleted before. After that all of them are working normally.

I also think this is an IOS issue. Is this a configuration problem or IOS?

Hello Teymur,

Does the ping work the first time the VPN is being built?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes. When I first created the tunnels, they were up and ping worked. The problem is that when a tunnel goes down (it does not matter which tunnel goes down) it does not come up automatically.

Hello Teymur,

Do you see the crypto ACL incrementing while doing the ping?

It looks like a bug based on the behavior; let's make sure we are receiving the traffic as expected.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi. I have now checked the tunnels. One of the tunnels is down (MM_NO_STATE). I do the same thing.

Delete the crypto map from the outside interface, then delete the working tunnel's crypto map, and then apply the crypto map to the outside interface; after that the down tunnel comes up automatically, and then I write the second tunnel's crypto map. At last the tunnels are working.

I did not check that because this is a production network. I monitor the tunnels a lot of the time; when I see a tunnel down I do the above things.

What do you think? Why does the tunnel not come up automatically? In a normal situation the tunnel must come up. Is this an IOS problem?

Which IOS do you recommend?

Hello Teymur,

Based on what you said and on how this looks, it does sound like an IOS problem.

It does not seem to be a configuration issue, as once you remove it and add it back it works with no problem at all.

Have you rebooted the unit so far? I would try that (sounds like something silly, but maybe one of the processes is stuck and a reboot will alleviate that).

Regarding the version, not sure, as I do not have a bug ID for this.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did reboot but it did not help me. But the peer site has not rebooted their device.

Is it possibly that the other site is a Juniper device?

Now the tunnel is down. I ping it and check the access list (the interesting traffic ACL); the count increases but the tunnel is down.

(MM_NO_STATE)

I do not understand.

It shows me MM_NO_STATE and CONF_XAUTH.

After a few minutes the CONF_XAUTH changes to MM_NO_STATE.

82.x.x.178   109.x.x.126 QM_IDLE          13423 ACTIVE   tunnel 1

109.x.x.126 37.x.x.127  QM_IDLE          13452 ACTIVE    remote vpn

193.x.x10  109.x.x.126 MM_NO_STATE      13455 ACTIVE (deleted)    tunnel 2

193.x.x.10  109.x.x.126 MM_NO_STATE      13454 ACTIVE (deleted)
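
Added example, not part of the original thread: a small parser for `show crypto isakmp sa` rows like the ones posted above, which reports peers that have only `MM_NO_STATE` entries and no established `QM_IDLE` SA, so a stale deleted entry next to a working SA is not reported as an outage. The sample rows, the documentation-range addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the output quoted above
# (dst, src, state, conn-id, status); addresses are documentation ranges.
SAMPLE = """\
dst             src             state          conn-id status
198.51.100.178  192.0.2.126     QM_IDLE          13423 ACTIVE
192.0.2.126     203.0.113.127   QM_IDLE          13452 ACTIVE
198.51.100.10   192.0.2.126     MM_NO_STATE      13455 ACTIVE (deleted)
198.51.100.10   192.0.2.126     MM_NO_STATE      13454 ACTIVE (deleted)
203.0.113.50    192.0.2.126     MM_NO_STATE      13460 ACTIVE (deleted)
203.0.113.50    192.0.2.126     QM_IDLE          13461 ACTIVE
"""

ROW = re.compile(
    r"^\s*(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_sas(text):
    """Return one dict per SA row; the header and unrelated lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]


def stuck_peers(text, local_ip):
    """Peers whose only phase 1 entries are MM_NO_STATE (no QM_IDLE SA)."""
    states = defaultdict(set)
    for sa in parse_sas(text):
        # The local router can appear in either column, depending on
        # which side initiated the negotiation.
        peer = sa["src"] if sa["dst"] == local_ip else sa["dst"]
        states[peer].add(sa["state"])
    return sorted(
        p for p, s in states.items()
        if "MM_NO_STATE" in s and "QM_IDLE" not in s
    )


if __name__ == "__main__":
    for peer in stuck_peers(SAMPLE, "192.0.2.126"):
        print(f"no established IKE SA for peer {peer}")
```
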

I would take a debug crypto isakmp sa

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC