vpn tunnels stops passing traffic

Unanswered Question

I currently have approx. 20 remote branches on Cisco 2811 routers connected as spokes to a Cisco ASA 5510 at the head-end. These are simply straight IPsec connections with a shared secret. All the routers are running 12.4(15)T IOS. I have a problem with one of my sites: the router will not pass any traffic. This happens on a random basis. It may go days, but then traffic will stop flowing from the branch to the head-end. Once I do a clear crypto isakmp, traffic starts to flow again. None of my other routers are doing this. I've set the isakmp keepalives. What is interesting is that the tunnel is still active, but the traffic does not pass until I clear the tunnel.

andrewswanson Thu, 02/21/2008 - 08:44

Does the router that fail have a dynamic crypto map rather than a static?

sayeedjk Sun, 02/24/2008 - 22:06

I have had the same problem and I did exactly what you are doing, i.e. clearing the tunnel.


The problem is the SAs are not getting formed correctly. If you look at sh cry ip sa, you will find it's one-way communication: packets are either getting encrypted or decrypted, but not both.


Check your crypto ACL; make sure you have the same number of lines in the ACL.


I had seen this issue after upgrading the ASA to 8.03 code.


I guess what is happening is that one end is idling out the SA and trying to rekey, and the other end still has the old SA, and that causes this issue.


If you find a solution to this, let me know. I will post my solution if I find one. Next time I am going to call TAC and ask them, before clearing the crypto SA, what is wrong with the config.



Thanks for the information. What is interesting is that all the routers have the same IOS and the same config. It only appears to be a problem on one or two of the routers. Most of the routers can be idle during non-business hours and have no problem passing traffic when needed. I'll have to wait until tomorrow morning to verify that the SA is being formed correctly.
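The check suggested in the reply above (look at sh cry ip sa for an SA whose encaps or decaps counter stays at zero while the other side climbs) can be scripted so the one-way condition is caught before users notice. This is an added example, not code from the thread or from Cisco; the show output it parses is a constructed sample in the IOS 12.4 layout, and peer addresses, prefixes and the stuck_peers helper are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of IOS "show crypto ipsec sa" output (not captured
# from a real device). Peer 198.51.100.1 encrypts but never decrypts,
# which is the one-way symptom described in the thread.
SAMPLE = """\
interface: FastEthernet0/0
    Crypto map tag: vpnmap, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.0/255.255.0.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 1523, #pkts encrypt: 1523, #pkts digest: 1523
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.2 port 500
    #pkts encaps: 800, #pkts encrypt: 800, #pkts digest: 800
    #pkts decaps: 790, #pkts decrypt: 790, #pkts verify: 790
"""

@dataclass
class SaCounters:
    peer: str
    local: str
    remote: str
    encaps: int
    decaps: int

    def one_way(self) -> bool:
        # A healthy SA carries traffic both ways; exactly one zero counter
        # means one direction is dead even though the SA still exists.
        return (self.encaps == 0) != (self.decaps == 0)

def parse_ipsec_sa(text: str) -> list[SaCounters]:
    """Walk the show output and collect the counters for each SA block."""
    sas, peer, local, remote, encaps = [], None, None, None, None
    for line in text.splitlines():
        if m := re.search(r"local\s+ident.*?:\s+\((\S+?)/", line):
            local, encaps = m.group(1), None      # new SA block starts here
        elif m := re.search(r"remote ident.*?:\s+\((\S+?)/", line):
            remote = m.group(1)
        elif m := re.search(r"current_peer (\S+)", line):
            peer = m.group(1)
        elif m := re.search(r"#pkts encaps: (\d+)", line):
            encaps = int(m.group(1))
        elif m := re.search(r"#pkts decaps: (\d+)", line):
            sas.append(SaCounters(peer, local, remote, encaps, int(m.group(1))))
    return sas

def stuck_peers(text: str) -> list[str]:
    """Peers whose SA passes traffic in only one direction (hypothetical helper)."""
    return [sa.peer for sa in parse_ipsec_sa(text) if sa.one_way()]
```

Run it against the output of the real command (for example via a scheduled SSH collector) and alert on a non-empty result; a peer that shows up here while the ISAKMP SA is still QM_IDLE is the case the thread is describing.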
