IPsec Tunnel hanging from time to time on Cisco router

lap
Level 2

Hi all,

We have a customer with a DMVPN network. On some locations we have an issue where the IPsec/GRE tunnel to the headend is hanging from time to time (every two/three days) and no traffic can pass through anymore. The solution is to restart the router and everything works fine again.

We have configured crypto call admission limit ike in-negotiation-sa 10, as I have heard that too many IKE requests can make the router crash.

But have your guys any idea on what could cause the IPsec/GRE tunnel to hang?

Platform: Cisco 1812

Version: 12.4(15)T11

Feature: advipservices

Best regards,

Laurent

5 Replies

Marcin Latosiewicz
Cisco Employee

Laurent,

Call Admission Control is indeed good practice for big deployments. You can check:

show crypto call admission statistics

for hints about drops. Crash it should not, but it can get overwhelmed (DoS or DDoS attack).

Are the dropping spokes by any chance behind NAT and/or have a dynamic public IP address?

Typically the problem is either related to crypto socket or NHRP mapping. Instead of reloading the router, try removing and re-adding the tunnel interface configuration on the affected spoke (this should cause the crypto socket to be refreshed).

Marcin

Marcin,

Thanks for your reply!

sh crypto call admission statistics
---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0 Max in nego:    10
Total IKE SA Count:           4 active:          4 negotiating:     0
Incoming IKE Requests:     1093 accepted:      816 rejected:      277
Outgoing IKE Requests:      516 accepted:      466 rejected:       50
Rejected IKE Requests:      327 rsrc low:        0 SA limit:      327
IKE packets dropped at dispatch:        0

The spokes having this issue are not behind nat and have a static public IP.

If I do a show crypto isakmp sa there are 40 active tunnels on the router. Can it be a bug on this software version?

Regards,

Laurent

Laurent,

You will keep isakmp/ipsec SAs for each spoke-to-spoke and spoke-to-hub tunnel... so 40 tunnels are not necessarily bad. But let's see them.

M.

Hi Marcin,

What output do you want to see?

Regards,

Laurent

Laurent,

let's start with

"show crypto isakmp sa"

and

"show ip nhrp det"

during the problem :-)

But I would say for problems of this nature, better open a TAC case.

Marcin
