
Crypto Tunnel not re-establishing

pepsico_anz1
Level 1

Hey Guys,

I have a number of 877s connecting to a VPN 3000 concentrator via ADSL internet circuits.

When the connection drops out, they do not re-establish the crypto session automatically; it can take a few hours or not at all, until I "Clear crypto sa".

Is there some setting I can change to make the tunnel re-establish quickly?

3 Replies

Patrick Laidlaw
Level 4

Hello,

What version of software are you running on the 877s?

I had a problem with a bunch of 871s that ended up being a bug in the VPN session. I don't remember the bug number, but the IOS version I upgraded to seems to have fixed the problem.

c870-advsecurityk9-mz.124-15.T8.bin

I think this bug is in version T6 or T5 and below. I've included the bug info that I had but don't have the bug ID number.

EasyVPN tunnel stuck in IPSECActive after Dialer interface flap

Symptoms: An EasyVPN tunnel may get stuck in an IPSEC_Active state after a dialer interface flap. The ISAKMP SA can get stuck in Config_XAuth state after the dialer interface flaps:

show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

10.10.10.10 10.10.10.11 CONF_XAUTH 2090 0 ACTIVE

I know the SW revision is a bit old, but this place is in the middle of nowhere, kinda hoping I wouldn't have to upgrade, guess I'm going to have to.

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(14)YT, RELEASE SOFTWARE (fc1)

BBR-INET#show crypto isa sa

dst src state conn-id slot status

x.x.x.x y.y.y.y QM_IDLE 1020 0 ACTIVE

x.x.x.x y.y.y.y QM_IDLE 1018 0 ACTIVE

This looks much like an issue we know very well except that in our case, no flap is necessary to get it stuck.

We ended up running 12.4(9)T as nothing else had worked.