VPN tunnel not coming back up after power cycle

h.cox
Level 1

Cisco 2800, 12.4(23b) router has two VPN tunnels to other Cisco devices.

Authentication uses certificates from a PKI CA server.

Under normal circumstances all works fine, both crypto sessions up.

After a power cycle (having first saved configs) however, the crypto sessions are stuck in DOWN-NEGOTIATING.

The certificate on the router still looks valid.

The only way to get the sessions back up is to renew the certificate, which seems strange as the existing one appeared to be still valid.

Any ideas what could cause these symptoms?

Thanks

5 Replies

olpeleri
Cisco Employee

Check the RSA key prior and after reload. Is it still the same with the same name?

   sh crypto key mypubkey rsa

Check name and Key data. They should remain identical.
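One way to do that comparison without eyeballing the hex is to capture `show crypto key mypubkey rsa` before and after the reload and diff the parsed key names and key data. The script below is an added example, not code from the thread or from Cisco; the two captures are constructed samples that approximate the layout of that command's output, and the key data in them is invented filler.

```python
import re

# Constructed sample captures approximating the layout of
# "show crypto key mypubkey rsa" (not taken from the original thread).
BEFORE_RELOAD = """\
% Key pair was generated at: 10:26:41 UTC Jan 5 2009
Key name: router.example.com
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00B1C2D3
  E4F50617 28394A5B 6C7D8E9F A0B1C2D3 E4F50617 28394A5B 6C7D8E9F 02030100
  01
% Key pair was generated at: 10:26:42 UTC Jan 5 2009
Key name: router.example.com.server
Temporary key
 Usage: Encryption Key
 Key is not exportable.
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00C0FFEE 11223344
  55667788 99AABBCC DDEEFF00 02030100 01
"""

# Same router after a clean reload: every name and every key blob unchanged.
AFTER_RELOAD_OK = BEFORE_RELOAD

# Constructed failure case: same key name, but the key data no longer matches
# (for example because a new pair was generated and overwrote the old one).
AFTER_RELOAD_BAD = """\
% Key pair was generated at: 00:00:07 UTC Mar 1 1934
Key name: router.example.com
 Storage Device: private-config
 Usage: General Purpose Key
 Key is not exportable.
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00FFEEDD
  CCBBAA99 88776655 44332211 00FFEEDD CCBBAA99 88776655 44332211 02030100
  01
"""

HEX_LINE = re.compile(r"[0-9A-Fa-f ]+")


def parse_mypubkey_rsa(output):
    """Return {key name: contiguous uppercase hex of the key data}."""
    keys = {}
    name = None
    in_data = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Key name:"):
            name = line.split(":", 1)[1].strip()
            keys[name] = ""
            in_data = False
        elif line.startswith("Key Data:"):
            in_data = True
        elif in_data:
            # Key data continues while lines are pure hex groups; anything
            # else (next header, blank line) ends the block.
            if name is not None and HEX_LINE.fullmatch(line):
                keys[name] += line.replace(" ", "").upper()
            else:
                in_data = False
    return keys


def compare_keys(before, after):
    """Per key name, say whether it survived the reload unchanged."""
    b = parse_mypubkey_rsa(before)
    a = parse_mypubkey_rsa(after)
    report = {}
    for n in sorted(set(b) | set(a)):
        if n not in a:
            report[n] = "missing after reload"
        elif n not in b:
            report[n] = "new after reload"
        elif a[n] != b[n]:
            report[n] = "key data changed"
        else:
            report[n] = "identical"
    return report


if __name__ == "__main__":
    print("clean reload:", compare_keys(BEFORE_RELOAD, AFTER_RELOAD_OK))
    print("bad reload:  ", compare_keys(BEFORE_RELOAD, AFTER_RELOAD_BAD))
```

A key that comes back "identical" rules out the key pair as the cause; "key data changed" or "missing after reload" means the certificate in the trustpoint no longer matches the private key the router holds, and the peer's IKE authentication will fail even though the certificate itself still looks valid.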

Hi, thanks for responding.

Yes, I've checked and the key is the same before and after reload.

You would need to debug that further, in order to find out why:

   debug crypto isakmp
   debug crypto pki tran
   debug crypto pki mess
   debug crypto pki api
   debug crypto pki call

Is the clock of the router correct? Is it configured to use NTP?

Matt

We have noticed that for a very short time after reload, before NTP corrects the time, the router reports the year as 1934. The router cert would be invalid during this short period of course, but it doesn't seem to recover even after the time is set correctly.

Presumably a battery-backed clock problem - the router has been scheduled for replacement. I'll update later to say if the issue is resolved.
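The symptom above is worth checking in a script when triaging a tunnel that stays down after a reload: compare what `show clock` reports against the certificate's validity window, and only trust the "valid" or "not yet valid" verdict once the clock is authoritative. The example below is added here and is not from the thread or from Cisco. It assumes the `show clock` convention where a leading `*` means the time is not authoritative, a leading `.` means it is authoritative but NTP has not synchronised, and no prefix means synchronised; the clock strings and the certificate dates are constructed samples.

```python
import re
from datetime import datetime

# Constructed "show clock" outputs (not from the thread). The assumed IOS
# convention: "*" = not authoritative, "." = authoritative but NTP not yet
# synchronised, no prefix = synchronised.
CLOCK_JUST_AFTER_RELOAD = "*00:00:41.327 UTC Thu Mar 1 1934"
CLOCK_AFTER_NTP_SYNC = "14:12:05.118 UTC Thu Nov 5 2009"

# Constructed validity window in the "start date / end date" style that the
# router prints for its own certificate.
CERT_START = "10:27:05 UTC Jan 5 2009"
CERT_END = "10:27:05 UTC Jan 5 2010"

CLOCK_RE = re.compile(
    r"^(?P<flag>[*.]?)(?P<hms>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<tz>\S+) (?P<dow>[A-Za-z]{3}) (?P<mon>[A-Za-z]{3}) "
    r"(?P<day>\d{1,2}) (?P<year>\d{4})$"
)
SYNC_STATUS = {
    "*": "not authoritative",
    ".": "authoritative, NTP not synchronised",
    "": "synchronised",
}


def parse_ios_time(text):
    """Parse 'HH:MM:SS UTC Mon D YYYY' as printed in certificate output."""
    return datetime.strptime(text.strip(), "%H:%M:%S UTC %b %d %Y")


def parse_show_clock(text):
    """Return (datetime, sync status) from a 'show clock' line."""
    m = CLOCK_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised show clock output: {text!r}")
    when = datetime.strptime(
        f"{m.group('hms')} {m.group('mon')} {m.group('day')} {m.group('year')}",
        "%H:%M:%S %b %d %Y",
    )
    return when, SYNC_STATUS[m.group("flag")]


def cert_status_at(clock_text, start_text, end_text):
    """Classify the certificate as the router would see it at this clock."""
    now, sync = parse_show_clock(clock_text)
    start = parse_ios_time(start_text)
    end = parse_ios_time(end_text)
    if now < start:
        verdict = "not yet valid"
    elif now > end:
        verdict = "expired"
    else:
        verdict = "valid"
    # A verdict reached on a non-authoritative clock is itself suspect:
    # the certificate may be fine and only the clock wrong.
    trustworthy = sync == "synchronised"
    return verdict, sync, trustworthy


if __name__ == "__main__":
    for label, clock in (("boot", CLOCK_JUST_AFTER_RELOAD),
                         ("after NTP", CLOCK_AFTER_NTP_SYNC)):
        print(label, cert_status_at(clock, CERT_START, CERT_END))
```

Run against the two constructed clocks, the boot-time reading yields "not yet valid" on a non-authoritative clock, which is exactly the window in which the peer would reject the router's certificate; after NTP sync the same certificate is reported valid. If the tunnel still does not negotiate at that point, the clock has been ruled out and the `debug crypto pki` and `debug crypto isakmp` output from the earlier reply is the next place to look.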
