IPsec Tunnel hanging from time to time on Cisco router

Unanswered Question
Dec 2nd, 2011

Hi all,

We have a customer with a DMVPN network. On some locations we have some issue where the IPsec/GRE tunnel to the headend is hanging from time to time (every two/trhree days) and no traffic can be pass through anymore. The solution is to restart the router and everything works again find.

We have configured crypto call admission limit ike in-negotiation-sa 10 as I have heard that too many IKE request can make the router to crash,

But have your guys any idea on what could cause the IPsec/GRE tunnel to hang?

Platform: Cisco 1812

Version: 12.4(15)T11

Feature: advipservices

Best regards,

Laurent

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Marcin Latosiewicz Fri, 12/02/2011 - 02:45

Laurent,

Call Admission Control is indeed good practice for big deployments. You can check:

show crypto call admission statistics

for hints about drops. Crash it should not, but it can get overwhelmed (DoS or DDoS attack).

Are the dropping spokes by any chance behind NAT and/or have dyamic public IP address?

Typically the problem is either related to crypto socket or NHRP mapping. Instead of reloading the router, try removing and re-adding the tunnel interface configuration on the affected spoke (this should cause crypto socket to be re-freshed).

Marcin

lap@axcess.dk Fri, 12/02/2011 - 03:12

Marcin,

Thanks for your reply!

sh crypto call admission statistics

---------------------------------------------------------------------

               Crypto Call Admission Control Statistics

---------------------------------------------------------------------

System Resource Limit:        0 Max IKE SAs:     0 Max in nego:    10

Total IKE SA Count:           4 active:          4 negotiating:     0

Incoming IKE Requests:     1093 accepted:      816 rejected:      277

Outgoing IKE Requests:      516 accepted:      466 rejected:       50

Rejected IKE Requests:      327 rsrc low:        0 SA limit:      327

IKE packets dropped at dispatch:        0

The spokes having this issue are not behind nat and have a static public IP.

If I do a show crypto isakmp sa there are 40 active tunnels on the router. Can it be a bug on this software version?

Regards,

Laurent

Marcin Latosiewicz Fri, 12/02/2011 - 04:58

Laurent,

You will keep isakmp/ipsec SAs for each spoke-to-spoke and spoke-to-hub tunnel... so 40 tunnels are not neccessarily bad. But let's see them.

M.

Marcin Latosiewicz Wed, 12/07/2011 - 05:06

Laurent,

let's start with

"show crypto isakmp sa"

and

"show ip nhrp det'

during the problem :-)

But I would say for problems of this nature, better open a TAC case.

Marcin

Actions

Login or Register to take actions

This Discussion

Posted December 2, 2011 at 1:48 AM
Stats:
Replies:5 Avg. Rating:
Views:622 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard