
Site-to-Site VPN Goes down frequently

Hello Team,

   A Site-to-Site VPN is configured between 2 Cisco IOS routers, and it goes down frequently. We have to clear the crypto session to re-establish the session.

   I have pasted the config from my end; we don't have access to the remote end. Please suggest.

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key XXXXXX address XXXX.XXXX.XXXX.XXXX
!
!
crypto ipsec transform-set AIR esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map Primary  ipsec-isakmp
 set peer XXXX.XXXX.XXXX.XXXX
 set security-association lifetime kilobytes 100000
 set security-association lifetime seconds 18000
 set transform-set AIR
 set pfs group2
 match address Primary_Crypto
!

Accepted Solutions

Mark Malone
VIP Alumni

I had an issue like this between 2 800 series before; I don't see an issue with your config.

There is a command too which may help if it's an ISAKMP issue:

crypto isakmp invalid-spi-recovery

I fixed it by running an IP SLA across the VPN between the 2 routers to keep interesting traffic on it and stop it falling off. We thought it may have been a bug, but we were unable to upgrade the routers as they were critical. Once the IP SLA kicked in, it never dropped again by itself.

Hi Mark,

  Thanks for your reply. Please suggest whether the below command should be enabled on both sides, or whether implementing it only on my side would be fine.

crypto isakmp invalid-spi-recovery

Hi Srinivasan,

I would put it on both sides; it will only come into effect if the SPI gets corrupted, and it will recover itself.

If neither of those works for you, the next step would be to debug the crypto and capture the issue as it's happening and see what's breaking it on either side.
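
The keepalive approach from the accepted answer, sketched as an added example (not configuration posted by anyone in the thread): an IP SLA ICMP probe whose source and destination match the crypto ACL, so the tunnel always carries interesting traffic. The SLA number, the addresses and the ACL entry are constructed placeholders; the real values must come from the entries in Primary_Crypto.

```ios
! Constructed addresses (RFC 5737 documentation ranges), not from the thread:
!   local LAN  192.0.2.0/24     router LAN address 192.0.2.1
!   remote LAN 198.51.100.0/24  probe target       198.51.100.1
!
! The probe only keeps the tunnel up if it is "interesting" traffic, i.e. its
! source and destination fall inside a permit line of the crypto ACL.
! Assumed ACL entry, for illustration only:
!   ip access-list extended Primary_Crypto
!    permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
! Recovery from a stale or unknown SPI, as suggested in the thread
crypto isakmp invalid-spi-recovery
!
! ICMP echo every 30 seconds, sourced from the LAN address so the packet
! matches the ACL above and is encrypted rather than sent in the clear
ip sla 10
 icmp-echo 198.51.100.1 source-ip 192.0.2.1
 frequency 30
ip sla schedule 10 life forever start-time now
!
! Checks from exec mode once the probe is running:
!   show ip sla statistics 10     (probe successes and failures)
!   show crypto session           (tunnel state for the peer)
!   show crypto ipsec sa          (encaps/decaps counters should both rise)
!
! To capture the failure as it happens, per the last reply:
!   debug crypto isakmp
!   debug crypto ipsec
```

If the encaps counter rises while decaps stays flat, the probe is leaving encrypted but nothing is coming back, which points at the remote end or the path rather than the local configuration.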