DMVPN problem with first phase

Unanswered Question
Nov 22nd, 2008

Hello

I was configured DMVPN

but isakmp periodicaly no state

i have problem with first phase

2.1.7.4 9.1.7.18 QM_IDLE 1026 0 ACTIVE

2.1.7.4 9.1.7.18 MM_NO_STATE 1024 0 ACTIVE (deleted)

13.11.4.4 9.41.7.12 QM_IDLE 1027 0 ACTIVE

13.11.4.4 9.41.7.12 MM_NO_STATE 1025 0 ACTIVE (deleted)

13.11.4.4 9.41.7.12 MM_NO_STATE 1023 0 ACTIVE (deleted)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
hadbou Fri, 11/28/2008 - 05:39

I think that you might be hitting the bug CSCsh50275.In a DMVPN setup with spoke having overlapping ISAKMP profiles and DPD enabled, IKE quick mode fails due to ISAKMP profile mismatch. After IKE SA expiry, the IKE SA rekey triggered by ISAKMP keepalives does not use any ISAKMP profile while initiating the SA. With overlapping ISAKMP profiles present, the IKE SA might end up attaching to the incorrect ISAKMP profile instead of the one configured on the corresponding tunnel interface and the one used by original IKE SA, subsequently causing the quick mode to fail due to profile mismatch. The only way to bring them out from that stage is by clearing Phase 1 SA.

Actions

This Discussion