VPN session hanging

Polestar (Level 1)

Hi all

We have a VPN hub running on an ASR1001-X that terminates several remote IPsec tunnels.

A few of these tunnels hang while the session is still in the UP-ACTIVE state, and the only way to get bidirectional flow again is to remove and re-add the crypto map attached to the main interface.

  

Before the "restart" on the hanging tunnel:

Interface: TenGigabitEthernet0/0/1
Profile: LTB-IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 87.129.28.67 port 500 fvrf: (none) ivrf: semi-trust-corp
      Phase1_id: 87.129.28.67
      Desc: (none)
  Session ID: 8794832
  IKEv2 SA: local 185.233.71.132/500 remote 87.129.28.67/500 Active
          Capabilities:D connid:3 lifetime:21:52:23
  IPSEC FLOW: permit ip 10.228.0.0/255.255.0.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5451 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
  IPSEC FLOW: permit ip 10.112.129.0/255.255.255.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 104 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins

After restart:

Interface: TenGigabitEthernet0/0/1
Profile: LTB-IKEV2-PROFILE
Uptime: 00:23:45
Session status: UP-ACTIVE
Peer: 87.129.28.67 port 500 fvrf: (none) ivrf: semi-trust-corp
      Phase1_id: 87.129.28.67
      Desc: (none)
  Session ID: 8804011
  IKEv2 SA: local 185.233.71.132/500 remote 87.129.28.67/500 Active
          Capabilities:D connid:6 lifetime:23:36:15
  IPSEC FLOW: permit ip 10.228.0.0/255.255.0.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 584 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 37 mins
        Outbound: #pkts enc'ed 563 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 37 mins
  IPSEC FLOW: permit ip 10.112.129.0/255.255.255.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 18 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 37 mins
        Outbound: #pkts enc'ed 18 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 37 mins
  IPSEC FLOW: permit ip 10.195.0.0/255.255.0.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 3485 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 36 mins
        Outbound: #pkts enc'ed 3604 drop 0 life (KB/Sec) KB Vol Rekey Disabled/7 hours, 36 mins


#sh install active
[ R0 ] Active Package(s) Information:
State (St): I - Inactive, U - Activated & Uncommitted,
C - Activated & Committed, D - Deactivated & Uncommitted
--------------------------------------------------------------------------------
Type St Filename/Version
--------------------------------------------------------------------------------
IMG C 17.06.05.0.5797

Uptime: 02:07:37

sh plat
Chassis type: ASR1001-X

Slot Type State Insert time (ago)
--------- ------------------- --------------------- -----------------
0 ASR1001-X ok 12w0d
0/0 BUILT-IN-2T+6X1GE ok 12w0d
R0 ASR1001-X ok, active 12w0d
F0 ASR1001-X ok, active 12w0d
P0 ASR1001-X-PWR-AC ok 12w0d
P1 ASR1001-X-PWR-AC ok 12w0d
P2 ASR1001-X-FANTRAY ok 12w0d

Slot CPLD Version Firmware Version
--------- ------------------- ---------------------------------------
0 14041015 16.3(2r)
R0 14041015 16.3(2r)
F0 14041015 16.3(2r)
crypto ikev2 profile LTB-IKEV2-PROFILE
 match identity remote address 87.129.28.67 255.255.255.255
 authentication remote pre-share key
 authentication local pre-share key
 dpd 10 2 on-demand
 ivrf semi-trust-corp

Any ideas what could be causing the tunnels to hang like this?

Best Regards, 
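The "before" output above shows the signature of a hung tunnel: the session is UP-ACTIVE, the inbound counter (#pkts dec'ed) keeps growing, but the outbound counter (#pkts enc'ed) stays at 0. The following parser is an added example for this thread, not code from the original post or from Cisco; it reads `show crypto session detail`-style text (the regular expressions assume the field layout exactly as shown in the post) and flags flows that decrypt without encrypting. Because a flow with a zero outbound counter may simply be idle, it also compares two snapshots taken some minutes apart and reports only flows whose inbound counter advanced while the outbound counter did not. The sample text is constructed from the post's own "before" snapshot.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: the "before restart" snapshot from the post above,
# reduced to the lines this parser reads.
SAMPLE = """\
Interface: TenGigabitEthernet0/0/1
Profile: LTB-IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 87.129.28.67 port 500 fvrf: (none) ivrf: semi-trust-corp
  IKEv2 SA: local 185.233.71.132/500 remote 87.129.28.67/500 Active
  IPSEC FLOW: permit ip 10.228.0.0/255.255.0.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5451 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
  IPSEC FLOW: permit ip 10.112.129.0/255.255.255.0 10.238.68.0/255.255.252.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 104 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) KB Vol Rekey Disabled/5 hours, 52 mins
"""


@dataclass
class Flow:
    src: str
    dst: str
    decrypted: int = 0   # Inbound  #pkts dec'ed
    encrypted: int = 0   # Outbound #pkts enc'ed
    in_drops: int = 0
    out_drops: int = 0


@dataclass
class Session:
    peer: str
    status: str
    flows: List[Flow] = field(default_factory=list)


# Field layout assumed to match the show output quoted in the post.
STATUS_RE = re.compile(r"^Session status:\s+(\S+)")
PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port")
FLOW_RE = re.compile(r"IPSEC FLOW:\s+permit ip (\S+) (\S+)")
IN_RE = re.compile(r"Inbound:\s+#pkts dec'ed (\d+) drop (\d+)")
OUT_RE = re.compile(r"Outbound:\s+#pkts enc'ed (\d+) drop (\d+)")


def parse_sessions(text: str) -> List[Session]:
    """Turn 'show crypto session detail'-style text into Session objects."""
    sessions: List[Session] = []
    status = "UNKNOWN"
    for raw in text.splitlines():
        line = raw.strip()
        if m := STATUS_RE.match(line):
            status = m.group(1)            # the status line precedes its Peer: line
        elif m := PEER_RE.match(line):
            sessions.append(Session(peer=m.group(1), status=status))
        elif not sessions:
            continue                       # counters before any Peer: line are ignored
        elif m := FLOW_RE.search(line):
            sessions[-1].flows.append(Flow(src=m.group(1), dst=m.group(2)))
        elif (m := IN_RE.search(line)) and sessions[-1].flows:
            sessions[-1].flows[-1].decrypted = int(m.group(1))
            sessions[-1].flows[-1].in_drops = int(m.group(2))
        elif (m := OUT_RE.search(line)) and sessions[-1].flows:
            sessions[-1].flows[-1].encrypted = int(m.group(1))
            sessions[-1].flows[-1].out_drops = int(m.group(2))
    return sessions


def one_way_flows(sessions: List[Session]) -> List[Tuple[str, str, str]]:
    """Flows that have decrypted traffic but never encrypted any (the 'before' picture)."""
    return [(s.peer, f.src, f.dst)
            for s in sessions for f in s.flows
            if f.decrypted > 0 and f.encrypted == 0]


def _index(sessions: List[Session]) -> Dict[Tuple[str, str, str], Flow]:
    return {(s.peer, f.src, f.dst): f for s in sessions for f in s.flows}


def stalled_flows(before: List[Session], after: List[Session]) -> List[Tuple[str, str, str, int]]:
    """Flows whose inbound counter advanced between two snapshots while the outbound
    counter did not. Returns (peer, src, dst, inbound_delta). An idle flow shows no
    movement on either side, so it is not reported; a hung flow keeps decrypting."""
    old, new = _index(before), _index(after)
    stalled = []
    for key, f_new in new.items():
        f_old = old.get(key)
        if f_old is None:
            continue                       # flow only exists in one snapshot (rekey/new SA)
        in_delta = f_new.decrypted - f_old.decrypted
        if in_delta > 0 and f_new.encrypted == f_old.encrypted:
            stalled.append((*key, in_delta))
    return stalled


if __name__ == "__main__":
    now = parse_sessions(SAMPLE)
    for peer, src, dst in one_way_flows(now):
        print(f"one-way: peer {peer} flow {src} -> {dst} (decrypting, never encrypting)")
```

Run it against two saved copies of the show output (for example, collected a few minutes apart by a monitoring job) and feed both to `stalled_flows`; a non-empty result is the condition the post describes and is the point at which to investigate the crypto map and its ACLs rather than waiting for DPD, which only checks the IKE peer, not the per-flow data path.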

 

 

 

 

 

5 Replies

Do you use hub-and-spoke FlexVPN, or do you use DMVPN?

MHM

Hi 

FlexVPN (IKEv2) in a hub-and-spoke setup.

Rgds

 

If that's so, why don't you specify the remote identity under the IKEv2 profile?

Can I see the config of the hub?

MHM

Can you use a different key for each spoke? For the hub keep the key the same; only on the spokes try using a different key.

MHM

Hi MHM

Thanks for your reply. Yes, the keys are different and we have 20+ different peers terminating on this hub.
I did find one problem where the encryption domains were overlapping in the ACLs, most likely due to a copy-and-paste error, hard to say. So far it's running clean, as it should be, but I would give it a few more days before I am totally satisfied that it's working as it should.
regards.
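The accepted answer attributes the hang to overlapping encryption domains in the crypto ACLs of different peers: when two crypto map entries match the same source/destination pair, return traffic can be encrypted towards the wrong peer (or not at all), which is consistent with the one-way counters in the original post. The checker below is an added example written for this thread, not the poster's or Cisco's code. It parses IOS-style `permit ip` ACEs with wildcard masks (plus `host` and `any`), converts them to networks, and reports every pair of entries belonging to different peers whose source and destination ranges both overlap. The ACLs and peer names are constructed for the example; `PEER-C` deliberately carries a copy-and-paste overlap with `PEER-A`.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample: one crypto ACL per peer, in IOS extended-ACL syntax
# (wildcard masks). PEER-C's entry was "copy-pasted" from PEER-A's first
# network and overlaps it on both source and destination.
ACLS: Dict[str, List[str]] = {
    "PEER-A": [
        "permit ip 10.228.0.0 0.0.255.255 10.238.68.0 0.0.3.255",
        "permit ip 10.112.129.0 0.0.0.255 10.238.68.0 0.0.3.255",
    ],
    "PEER-B": [
        "permit ip 10.195.0.0 0.0.255.255 10.240.0.0 0.0.255.255",
    ],
    "PEER-C": [
        "permit ip 10.228.10.0 0.0.0.255 10.238.68.0 0.0.3.255",
    ],
}

Net = ipaddress.IPv4Network


def _endpoint(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse one ACE endpoint starting at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D W.W.W.W' (address + wildcard). Returns (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (IOS wildcard) in place of a prefix length;
    # a non-contiguous wildcard raises ValueError, which is the right outcome
    # for a crypto ACL.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(ace: str) -> Tuple[Net, Net]:
    """Parse 'permit ip <src> <dst>' into (source network, destination network)."""
    tokens = ace.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"only 'permit ip' ACEs are handled: {ace!r}")
    src, i = _endpoint(tokens, 2)
    dst, _ = _endpoint(tokens, i)
    return src, dst


def find_overlaps(acls: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Return (peer_a, ace_a, peer_b, ace_b) for every pair of entries on
    different peers whose source AND destination ranges overlap. Overlap
    within one peer's ACL is not reported: it is redundant, not ambiguous."""
    entries = [(peer, ace, *parse_ace(ace))
               for peer, aces in acls.items() for ace in aces]
    hits = []
    for (pa, aa, sa, da), (pb, ab, sb, db) in combinations(entries, 2):
        if pa != pb and sa.overlaps(sb) and da.overlaps(db):
            hits.append((pa, aa, pb, ab))
    return hits


if __name__ == "__main__":
    for pa, aa, pb, ab in find_overlaps(ACLS):
        print(f"AMBIGUOUS: {pa}: '{aa}'  overlaps  {pb}: '{ab}'")
```

On a hub with 20+ peers this is worth running on every configuration change; the report lists the exact ACE pairs to reconcile, and an empty report is the precondition for the "running clean" state the answer describes.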