IPSEC not always up

Unanswered Question
Sep 29th, 2010
User Badges:


I am testing the ipsec protocol for school on a CISCO 871. And the IPSEC isnt always up.. if i want to get it up i ping the router or from the router to the other subnet..

And if i want to test the tunnel when its up, i get always Checking peer connectivity Failed..

Why is that..

Ive tried with DPD( keep alive: 10 sec, retry: 2 sec, dpd type: on-demand )


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Shqiptari Wed, 09/29/2010 - 07:57
User Badges:

One problem has been resolved, that if i do test tunnel, it is running..

But after 3/4 minutes, the ipsec tunnel gets down and then i need again to ping to get it up..

Jitendriya Athavale Wed, 09/29/2010 - 08:16
User Badges:
  • Cisco Employee,

there are some issues with keep alives (dpd's)

why dont you try to capture packets once they leave the router, probably if you have a switch in between you can span that port

lets see once the tunnel is established we see some traffic on port 500 which are dpd's

also do you have any firewalls in between or on the router

praprama Wed, 09/29/2010 - 08:46
User Badges:
  • Cisco Employee,


Please enable "debug crypto isakmp" and "debug crypto ipsec" and paste the debugs when the tunnel goes down. Also, please try changing the DPDs to "periodic" instead of "on-demand". Let me know how it goes!1

Thanks and Regards,


Shqiptari Thu, 09/30/2010 - 02:32
User Badges:

Hi Guys,

Thanks for the reply.

1. No I disabled the firewall on the cisco 871, and the ipsec tunnel is to an isa server and not a gateway.

2. Yeah I tried to switch the dpd type, but with no result.

3. And I have enable those 2 debugs, but what are they for. I dont have experience with cisco


Shqiptari Thu, 09/30/2010 - 06:08
User Badges:

Oke ive run the debug.

show crypto isakmp       sa

dst             src             state          conn-id slot status
78.1**.**1.61   78.1**.**1.58   QM_IDLE           2002    0 ACTIVE


show crypto ipsec       sa

interface: FastEthernet4
    Crypto map tag: SDM_CMAP_1, local addr 78.1**.**1.58

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer 78.1**.**1.58 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 984, #pkts encrypt: 984, #pkts digest: 984
    #pkts decaps: 883, #pkts decrypt: 883, #pkts verify: 883
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 2, #recv errors 0

     local crypto endpt.: 78.1**.**1.58, remote crypto endpt.: 78.1**.**1.58
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x0(0)

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

Jitendriya Athavale Mon, 10/04/2010 - 03:12
User Badges:
  • Cisco Employee,

as previously requested please provide the debugs

debug crypto isa sa

debug crypto ipsec sa

if you do not see them coming up

give the command

term mon

but just make sure that you do not have any logging monitor else your screen will be flooded

Shqiptari Mon, 10/04/2010 - 03:56
User Badges:

001215: Oct  4 12:45:25.353 PCTime: ISAKMP (0:2001): received packet from 78.108                                                                                        .141.61 dport 500 sport 500 Global (I) QM_IDLE

001216: Oct  4 12:45:25.353 PCTime: ISAKMP: set new node -2068453838 to QM_IDLE

001217: Oct  4 12:45:25.353 PCTime: ISAKMP:(2001): processing HASH payload. mess                                                                                        age ID = -2068453838

001218: Oct  4 12:45:25.353 PCTime: ISAKMP:(2001): processing DELETE payload. me                                                                                        ssage ID = -2068453838

001219: Oct  4 12:45:25.353 PCTime: ISAKMP:(2001):peer does not do paranoid keep                                                                                        alives.

001220: Oct  4 12:45:25.353 PCTime: ISAKMP:(2001):deleting node -2068453838 erro                                                                                        r FALSE reason "Informational (in) state 1"

001221: Oct  4 12:45:25.353 PCTime: IPSEC(key_engine): got a queue event with 1                                                                                         KMI message(s)

001222: Oct  4 12:45:25.353 PCTime: IPSEC(key_engine_delete_sas): rec'd delete n                                                                                        otify from ISAKMP

001223: Oct  4 12:45:25.353 PCTime: IPSEC(key_engine_delete_sas): delete SA with                                                                                         spi 0x76CAA56C proto 50 for 78.1**.**1.61

001224: Oct  4 12:45:25.353 PCTime: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 78.1**.**1.58, sa_proto= 50,

    sa_spi= 0x7D1A00F4(2098856180),

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 27,

  (identity) local= 78.1**.**1.58, remote= 78.1**.**1.61,

    local_proxy= (type=4),

    remote_proxy= (type=4)

001225: Oct  4 12:45:25.353 PCTime: IPSEC(update_current_outbound_sa): updated p                                                                                        eer 78.1**.**1.61 current outbound sa to SPI 0

001226: Oct  4 12:45:25.357 PCTime: IPSEC(delete_sa): deleting SA,

  (sa) sa_dest= 78.1**.**1.61, sa_proto= 50,

    sa_spi= 0x76CAA56C(1992992108),

    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 28,

  (identity) local= 78.1**.**1.58, remote= 78.1**.**1.61,

    local_proxy= (type=4),

    remote_proxy= (type=4)

001227: Oct  4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Event rekey so dec                                                                                        rement refcount

001228: Oct  4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Refcount 0 FastEth                                                                                        ernet4

001229: Oct  4 12:45:25.357 PCTime: IPSEC(rte_mgr): VPN Route Removed 192.168.5.                                                                                        0 via 78.1**.**1.61 in IP DEFAULT TABLE FastEthernet4

001230: Oct  4 12:46:15.355 PCTime: ISAKMP:(2001):purging node -2068453838


This Discussion