Crypto IPSEC tunnel issue

Unanswered Question
Jun 9th, 2008

One of our spoke sites has a VPN connection to the Hub Site. It has a Crypto IPSEC tunnel configured. The problem is that when the internet connection goes down from the ISP side and then comes back up, the IPSEC tunnel is not able to re-initiate automatically. We need to reboot the router and modem (provided by the ISP). Only then does it start initiating a session with the remote peer. We have a DSL connection provided by the ISP. It goes down frequently, and after coming up the VPN connection does not recover. Is this issue related to any H/W model or IOS?

Farrukh Haroon Mon, 06/09/2008 - 06:07

You could try to enable 'crypto isakmp keepalives' and see if they help.



chinmay.talati Mon, 06/09/2008 - 08:09

Thanks, Farrukh, for the reply. We have already configured crypto isakmp keepalives 10, but it didn't solve our problem.

chinmay.talati Mon, 06/09/2008 - 21:39

Thanks, Farrukh, for your suggestion. I have enabled the Invalid SPI recovery feature on the crypto map but no luck. Any other suggestions please?

Farrukh Haroon Mon, 06/09/2008 - 21:43

Do you properly get the IP address on your dialer interface after the ISP connection comes back? Have you enabled SPI recovery and keepalives on both tunnel end-points?



chinmay.talati Mon, 06/09/2008 - 21:59

When the internet gets disconnected, the IPSec SA status changes to MM_NO_STATES. It should change to QM_IDLE or active automatically when the internet recovers, but it does not change. We need to reboot the router, and only then does it get connected. I have configured keepalives on both sites. I will enable SPI recovery on the hub site also, check, and let you know. Thanks for the reply.

Farrukh Haroon Mon, 06/09/2008 - 22:01

Also if possible try to upgrade the IOS to the latest version in that major release. What IOS are you running by the way? (On both sides)



