lost connection from DMVPN Peers

hi,

I would like to describe my issue, in case you are able to advise me. I have a company router IR1101 with an internet connection provided with a private IPv4 address on the WAN interface. My company uses DMVPN in order to connect to the company infrastructure. The issue is that the DMVPN connection is lost every 4 hours for 20-30 minutes. I checked the logs and I saw that there is an authentication failure in the IKEv2 exchange messages. It is something that I cannot explain, since the site and router worked perfectly before this issue appeared.

Do you have any suggestions?


Run IP SLA between spoke and hub to keep the tunnel always UP.

It can be an IKEv2 SA issue.

MHM

balaji.bandi

What kind of logs do you have? Can you post the logs here so we can look?

Are these logs from the head end or the branch router? Can you post both logs?

Is it only 1 router losing connection every 4 hours, or all the other branch routers too?

What is the head end router, and what IOS code is running on both sides?

Guidelines on how to troubleshoot:

https://www.cisco.com/c/en/us/support/docs/security/dynamic-multipoint-vpn-dmvpn/111976-dmvpn-troubleshoot-00.html

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/116858-problem-replay-00.html


BB


The logs are from debugging crypto IKEv2. Yes, only that one router has the issue. It is the spoke router, and I only have logs on this spoke; I don't have access to the others.

Attached is the log file. The IOS is the following: ir1101-universalk9.17.06.01a.SPA.bin
Thanks!

Hello @georgesofroniadis ,

At some point in the debug we see many requests, none of which gets an answer.

So at some point we see:

>> Oct 1 2024 13:33:40.872 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Sending Packet [To 193.x.y.207:4500/From 10.0.0.10:4500/VRF i0:f0]
Initiator SPI : C61FA05DBCD4E8BD - Responder SPI : 574998F98E3084B6 Message id: 1
IKEv2 IKE_AUTH Exchange REQUEST
Payload contents:

There are many attempts; later we see a line that is important:

Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: split-dns, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: banner, length: 0
--More--  Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: config-url, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: backup-gateway, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Attrib type: def-domain, length: 0
Oct 1 2024 13:33:12.065 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Have config mode data to send
Oct 1 2024 13:33:12.066 UTC: IKEv2:(SESSION ID = 1,SA ID = 8):Check for EAP exchange

SKF

Finally:

Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Oct 1 2024 13:33:44.047 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Auth exchange failed
Oct 1 2024 13:33:44.048 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Abort exchange
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA
Oct 1 2024 13:33:44.051 UTC: IKEv2:(SA ID = 1):[IKEv2 -> PKI] Close PKI Session
Oct 1 2024 13:33:44.052 UTC: IKEv2:(SA ID = 1):[PKI -> IKEv2] Closing of PKI Session PASSED
Oct 1 2024 13:33:46.616 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Retransmitting packet

Note: if one side thinks the other party is a backup gateway and the primary is up, it will stop negotiating with your device.

At least I see this on Cisco Firepower 1140 with release 7.2.5.1: no IKEv2 exchange with the backup peer occurs when the primary is up. To test it, configure a wrong primary address on the FW side so that the primary IKEv2 fails; the remote does not accept negotiation on its secondary outside because its own primary is still alive.

Hope this helps

Giuseppe
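As an added example, not from this thread or from Cisco: a small Python parser over lines in the same `debug crypto ikev2` format, which separates an auth failure that follows the retransmit limit (the peer never answered IKE_AUTH, which is how Giuseppe reads the log above) from any other logged auth failure, and measures the cadence between failures. The sample lines are constructed; session 1 mirrors the thread's failure, while sessions 5 and 9 and their 4-hour spacing are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Timestamp + session tag of an IOS-XE "debug crypto ikev2" line; untagged
# continuation lines are skipped and a leading "--More--" pager prompt is tolerated.
LINE_RE = re.compile(
    r"^(?:--More--\s*)?(?P<ts>\w{3} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3}) UTC: "
    r"IKEv2(?:-ERROR)?:\(SESSION ID = (?P<sid>\d+),SA ID = \d+\):+ ?(?P<msg>.*)$"
)

# Constructed sample: session 1 mirrors the thread's failure; 5 and 9 are invented.
SAMPLE_DEBUG = """\
IKEv2 IKE_AUTH Exchange REQUEST
Oct 1 2024 13:33:12.000 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Retransmitting packet
--More--  Oct 1 2024 13:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):: Maximum number of retransmissions reached
Oct 1 2024 13:33:44.047 UTC: IKEv2:(SESSION ID = 1,SA ID = 1):Auth exchange failed
Oct 1 2024 13:33:46.616 UTC: IKEv2:(SESSION ID = 2,SA ID = 9):Retransmitting packet
Oct 1 2024 17:33:44.047 UTC: IKEv2-ERROR:(SESSION ID = 5,SA ID = 5):: Maximum number of retransmissions reached
Oct 1 2024 17:33:44.047 UTC: IKEv2:(SESSION ID = 5,SA ID = 5):Auth exchange failed
Oct 1 2024 21:33:44.047 UTC: IKEv2:(SESSION ID = 9,SA ID = 9):Auth exchange failed
"""

def parse_ikev2_debug(lines):
    """Per SESSION ID: retransmit count, whether the retransmit limit was hit,
    and when 'Auth exchange failed' was first logged (None if never)."""
    sessions = defaultdict(lambda: {"retransmits": 0, "max_hit": False, "failed_at": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s, msg = sessions[m["sid"]], m["msg"]
        if msg == "Retransmitting packet":
            s["retransmits"] += 1
        elif msg.startswith("Maximum number of retransmissions reached"):
            s["max_hit"] = True
        elif msg == "Auth exchange failed" and s["failed_at"] is None:
            s["failed_at"] = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S.%f")
    return dict(sessions)

def classify_failures(sessions):
    """'peer-silent' when auth failed only after the retransmit limit (no IKE_AUTH
    reply ever arrived), 'other' for any other logged auth failure."""
    return {sid: ("peer-silent" if s["max_hit"] else "other")
            for sid, s in sessions.items() if s["failed_at"] is not None}

def failure_intervals(sessions):
    """Gaps in hours between successive auth failures; a flat series such as
    [4.0, 4.0] points at a scheduled event rather than random packet loss."""
    times = sorted(s["failed_at"] for s in sessions.values() if s["failed_at"])
    return [round((b - a) / timedelta(hours=1), 2) for a, b in zip(times, times[1:])]
```

Feed it the real spoke debug (one line per list element) to see whether every failure is "peer-silent"; if so, the hub side or the path in between is what needs the next look, not the spoke's credentials.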


Thanks for your answer and support! Much appreciated!
