Community Member

aggressive mode tunnel dying

I have a 2611 that connects to a Nortel Contivity 1600 via an aggressive mode tunnel. The 2611 is configured as the initiator and the Contivity is the responder. I have noticed that if there is ever a connectivity loss between the two boxes (not an interface going down but somewhere in the Internet), the session dies and will not come back. It's like the router does not even try to encrypt traffic any more. I do a "show crypto isakmp sa" and it does not show a SA for the session. When I do a "debug crypto isakmp", the router does not even try to establish the connection.

The only way to solve the problem is to remove the crypto map from the interface and re-apply it. Once that is done, the session comes back immediately after sending traffic to the tunnel.

I'm currently running 12.2(8)T4 on the router but I have seen this problem with a couple of other releases of code. Any thoughts, suggestions, etc?

2 REPLIES
Community Member

Re: aggressive mode tunnel dying

If the peer is Cisco equipment, there is no similar problem, is there?

It might be because the ISAKMP keepalive works fine between Cisco boxes, but a non-Cisco box does not understand the SA keepalive from the Cisco box. One peer has cleared the SA because it thinks the remote peer is dead, but the remote peer still uses the old SA because it thinks the other end is still alive.

To make sure it is the reason, I think you need to turn on logging buffer 15000 and logging buffer debugging, then collect the log when there is a link issue and see what error message you got.

Best Regards,
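As an added illustration (not configuration from either poster), here is the IOS configuration that turns on the ISAKMP keepalive the reply refers to and the buffered debug logging it asks for, so the initiator tears down a stale SA after a peer stops answering and the log shows why. The keepalive interval (10 s) and retry interval (3 s) and the peer address are assumed values; whether the keepalive mismatch is the cause of this tunnel dying is the reply's hypothesis, not something the thread confirms.

```cisco
! Buffer debug output so it survives a lost session and can be read later
logging buffered 15000 debugging
!
! Send ISAKMP keepalives every 10 s; retry every 3 s once a reply is missed.
! When the peer is declared dead the router deletes the IKE and IPsec SAs,
! and the next packet matching the crypto ACL triggers a fresh negotiation.
crypto isakmp keepalive 10 3
!
! Aggressive mode initiator toward the Contivity (peer address is a placeholder)
crypto isakmp peer address 192.0.2.1
 set aggressive-mode client-endpoint ipv4-address 192.0.2.1
!
! Collect the evidence the reply asks for while the link fault is reproduced:
!   debug crypto isakmp
!   show crypto isakmp sa
!   show logging
```

Enable the debug only for the test window and clear it afterwards with "undebug all", since ISAKMP debugging on a 2611 is verbose and fills the 15000-byte buffer quickly.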

Community Member

Re: aggressive mode tunnel dying

But if the Cisco router thinks the remote peer is still alive, wouldn't the SA show up in the "show crypto isakmp sa" command? I would think that once the SA is gone out of the router's table and new traffic was trying to be sent through the tunnel, the router would try to establish a new connection. I am not seeing that from the "debug crypto isakmp" debug.

If the remote peer is still trying to use the old SA then why would removing and reapplying the crypto map on the router immediately bring up a new session? I would think that once the original SA is gone out of the router, the router would try to establish the connection using a new SA regardless of whether the crypto map has been removed and reapplied or just left alone.
