12-02-2011 01:48 AM - edited 02-21-2020 05:44 PM
Hi all,
We have a customer with a DMVPN network. On some locations we have an issue where the IPsec/GRE tunnel to the headend is hanging from time to time (every two/three days) and no traffic can pass through anymore. The solution is to restart the router and everything works fine again.
We have configured crypto call admission limit ike in-negotiation-sa 10 as I have heard that too many IKE requests can make the router crash.
But do you guys have any idea on what could cause the IPsec/GRE tunnel to hang?
Platform: Cisco 1812
Version: 12.4(15)T11
Feature: advipservices
Best regards,
Laurent
12-02-2011 02:45 AM
Laurent,
Call Admission Control is indeed good practice for big deployments. You can check:
show crypto call admission statistics
for hints about drops. Crash it should not, but it can get overwhelmed (DoS or DDoS attack).
Are the dropping spokes by any chance behind NAT and/or have a dynamic public IP address?
Typically the problem is either related to the crypto socket or NHRP mapping. Instead of reloading the router, try removing and re-adding the tunnel interface configuration on the affected spoke (this should cause the crypto socket to be refreshed).
Marcin
12-02-2011 03:12 AM
Marcin,
Thanks for your reply!
sh crypto call admission statistics
---------------------------------------------------------------------
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 10
Total IKE SA Count: 4 active: 4 negotiating: 0
Incoming IKE Requests: 1093 accepted: 816 rejected: 277
Outgoing IKE Requests: 516 accepted: 466 rejected: 50
Rejected IKE Requests: 327 rsrc low: 0 SA limit: 327
IKE packets dropped at dispatch: 0
The spokes having this issue are not behind nat and have a static public IP.
If I do a show crypto isakmp sa there are 40 active tunnels on the router. Can it be a bug on this software version?
Regards,
Laurent
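As an added example (not part of the thread, not Cisco code), here is a small Python script that parses the `show crypto call admission statistics` output Laurent posted and turns it into the numbers a defender would actually look at: the rejected/accepted ratio per direction, which counter the rejections are charged to (resource low vs. SA limit), and whether the in-negotiation limit is saturated. The 10% rejection threshold is an assumption for illustration; the sample text is copied from the post above, and the field names (`in_rejected`, `rejected_sa_limit`, ...) are mine, not IOS's.

```python
import re

# Output copied from the forum post above (Cisco 1812, 12.4(15)T11).
SAMPLE_OUTPUT = """\
Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 0 Max IKE SAs: 0 Max in nego: 10
Total IKE SA Count: 4 active: 4 negotiating: 0
Incoming IKE Requests: 1093 accepted: 816 rejected: 277
Outgoing IKE Requests: 516 accepted: 466 rejected: 50
Rejected IKE Requests: 327 rsrc low: 0 SA limit: 327
IKE packets dropped at dispatch: 0
"""

# One regex per field we care about; the keys are our own names (assumption).
# ".*?" never crosses a newline here, so the directional "rejected:" fields
# stay bound to their own line.
PATTERNS = {
    "max_in_nego": r"Max in nego:\s*(\d+)",
    "sa_count": r"Total IKE SA Count:\s*(\d+)",
    "negotiating": r"negotiating:\s*(\d+)",
    "in_requests": r"Incoming IKE Requests:\s*(\d+)",
    "in_rejected": r"Incoming IKE Requests:.*?rejected:\s*(\d+)",
    "out_requests": r"Outgoing IKE Requests:\s*(\d+)",
    "out_rejected": r"Outgoing IKE Requests:.*?rejected:\s*(\d+)",
    "rejected_rsrc_low": r"rsrc low:\s*(\d+)",
    "rejected_sa_limit": r"SA limit:\s*(\d+)",
    "dropped_at_dispatch": r"IKE packets dropped at dispatch:\s*(\d+)",
}


def parse_cac_stats(text: str) -> dict:
    """Extract the CAC counters into a flat dict of ints; fail loudly on a
    format we do not recognise rather than silently reporting zeros."""
    stats = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"field {key!r} not found in CAC output")
        stats[key] = int(match.group(1))
    return stats


def counters_consistent(stats: dict) -> bool:
    """The per-direction rejections should add up to the per-reason ones."""
    return (stats["in_rejected"] + stats["out_rejected"]
            == stats["rejected_rsrc_low"] + stats["rejected_sa_limit"])


def assess(stats: dict, reject_ratio_threshold: float = 0.10) -> dict:
    """Compute rejection ratios and raise flags worth correlating with a
    tunnel hang. The threshold is an assumed value, not a Cisco recommendation."""
    def ratio(rejected: int, total: int) -> float:
        return rejected / total if total else 0.0

    report = {
        "in_reject_ratio": ratio(stats["in_rejected"], stats["in_requests"]),
        "out_reject_ratio": ratio(stats["out_rejected"], stats["out_requests"]),
        "flags": [],
    }
    if report["in_reject_ratio"] > reject_ratio_threshold:
        report["flags"].append("high_incoming_reject_ratio")
    if report["out_reject_ratio"] > reject_ratio_threshold:
        report["flags"].append("high_outgoing_reject_ratio")
    # Max IKE SAs is 0 (unlimited) in the sample, so "SA limit" rejections are
    # consistent with the configured in-negotiation-sa limit of 10 being hit.
    if stats["rejected_sa_limit"] > 0:
        report["flags"].append("rejections_from_sa_limit")
    if stats["rejected_rsrc_low"] > 0:
        report["flags"].append("rejections_from_low_resources")
    if stats["dropped_at_dispatch"] > 0:
        report["flags"].append("packets_dropped_at_dispatch")
    if stats["max_in_nego"] > 0 and stats["negotiating"] >= stats["max_in_nego"]:
        report["flags"].append("in_negotiation_limit_saturated")
    return report


if __name__ == "__main__":
    parsed = parse_cac_stats(SAMPLE_OUTPUT)
    print("counters consistent:", counters_consistent(parsed))
    for key, value in assess(parsed).items():
        print(f"{key}: {value}")
```

On the posted numbers this flags the incoming direction (277 of 1093 requests rejected, about 25%) but not the outgoing one (50 of 516, just under 10%), and attributes all 327 rejections to the SA limit rather than to resource exhaustion. Running the same parse on a second capture taken while the tunnel is hung, and comparing the deltas, is a cheap way to tell an IKE flood or limit saturation apart from a stale crypto socket or NHRP mapping, which these counters would not move.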
12-02-2011 04:58 AM
Laurent,
You will keep isakmp/ipsec SAs for each spoke-to-spoke and spoke-to-hub tunnel... so 40 tunnels are not necessarily bad. But let's see them.
M.
12-07-2011 02:52 AM
Hi Marcin,
What output do you want to see?
Regards,
Laurent
12-07-2011 05:06 AM
Laurent,
let's start with
"show crypto isakmp sa"
and
"show ip nhrp det"
during the problem :-)
But I would say for problems of this nature, better open a TAC case.
Marcin