05-19-2009 08:26 PM
Hey Guys,
I have a number of 877s connecting to a VPN 3000 concentrator via ADSL internet circuits.
When the connection drops out, they do not reestablish the crypto session automatically; it can take a few hours or not at all, until I "Clear crypto sa".
Is there some setting I can change to make the tunnel reestablish quickly?
05-20-2009 12:05 PM
Hello,
What version of software are you running on the 877s?
I had a problem with a bunch of 871s that ended up being a bug in the VPN session. I don't remember the bug number, but the IOS version I upgraded to seems to have fixed the problem.
c870-advsecurityk9-mz.124-15.T8.bin
I think this bug is in version T6 or T5 and below. I've included the bug info that I had but don't have the bug ID number.
EasyVPN tunnel stuck in IPSECActive after Dialer interface flap
Symptoms: An EasyVPN tunnel may get stuck in an IPSEC_Active state after a dialer interface flap. The ISAKMP SA can get stuck in Config_XAuth state after the dialer interface flaps:
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.10.10.10 10.10.10.11 CONF_XAUTH 2090 0 ACTIVE
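An added example, not part of the original post and not Cisco tooling: a small parser for captured `show crypto isakmp sa` output that flags ACTIVE SAs sitting in any state other than QM_IDLE, such as the CONF_XAUTH row above. The function names are hypothetical, the sample is the output quoted in the post, and the parser also accepts masked addresses like `x.x.x.x`.

```python
import re

# Constructed sample: the output quoted in the post above.
SAMPLE = """\
show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
10.10.10.10 10.10.10.11 CONF_XAUTH 2090 0 ACTIVE
"""

# QM_IDLE is the state IOS reports for an established, idle IKE phase 1 SA.
ESTABLISHED = "QM_IDLE"

# Six whitespace-separated columns; the upper-case state and numeric
# conn-id/slot keep the header, banner and prompt lines from matching.
ROW = re.compile(
    r"^\s*(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>[A-Z_]+)\s+"
    r"(?P<conn_id>\d+)\s+(?P<slot>\d+)\s+(?P<status>\S+)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row found in the captured output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["conn_id"] = int(row["conn_id"])
            row["slot"] = int(row["slot"])
            rows.append(row)
    return rows


def stuck_candidates(text):
    """ACTIVE SAs whose state is not QM_IDLE.

    An SA passes through other states briefly while negotiating, so treat
    a hit as stuck only if the same conn-id shows up again on a later poll.
    """
    return [r for r in parse_isakmp_sa(text)
            if r["status"] == "ACTIVE" and r["state"] != ESTABLISHED]


if __name__ == "__main__":
    for sa in stuck_candidates(SAMPLE):
        print(f"{sa['src']} -> {sa['dst']} conn-id {sa['conn_id']}: {sa['state']}")
```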
05-20-2009 03:23 PM
I know the SW revision is a bit old, but this place is in the middle of nowhere, kinda hoping I wouldn't have to upgrade, guess I'm going to have to.
Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(14)YT, RELEASE SOFTWARE (fc1)
BBR-INET#show crypto isa sa
dst src state conn-id slot status
x.x.x.x y.y.y.y QM_IDLE 1020 0 ACTIVE
x.x.x.x y.y.y.y QM_IDLE 1018 0 ACTIVE
05-20-2009 07:24 PM
This looks much like an issue we know very well except that in our case, no flap is necessary to get it stuck.
We ended up running 12.4(9)T as nothing else had worked.