
806 to 3005 VPN tunnel negotiates after 806 reboot

d-garnett
Level 3

I have a site with an 806 as the remote access router via VPN to a 3005, using Easy VPN Remote.

On the Concentrator, I set the Session to Idle Out after 2 hours of inactivity. It will idle out and immediately dial back in at night as it's supposed to.

But sometimes it does not dial back in.

It is sporadic. It may be fine for 2 weeks and then go bad 2 or 3 nights straight.

The 806 is fine once you reboot it.

BUT if you reboot the 3005, the 806 will not dial back in and negotiate a new tunnel. I have to reboot the 806 for the tunnel to be established.

The 806 is running 12.2(8) EarlyDeployment


gfullage
Cisco Employee

If you reboot the 3005 then the 806 is still going to think the tunnel is up and will keep sending data over that tunnel. The 3005 will complain and say "I'm receiving encrypted packets with an SPI that I don't have". You should be able to resolve this by clearing the tunnel on the 806 with "clear cry sa" and "clear cry isa"; you shouldn't have to reboot the 806 (all this is really doing is clearing the tunnel anyway).

As for why the 806 sometimes doesn't call in, not sure. Is there any way you can get any crypto debugs when it's not working to see what it's doing? That might be the only way to tell. I presume you're using 12.2(8)YJ (EzVPN Phase II) code and you have the "connect auto" command in the 806 config, is that correct? If not, then it'll take traffic from behind the 806 to re-initiate the tunnel after it times out.
