Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

clear ipsec sa peer, I keep losing VPNs

I have two 515's that all of a sudden, today, started to have their lan to lan vpn's go up and down.

If I issue from either 515 the "clear ipsec sa peer (ipaddress)" command, it brings the tunnel back up...but this keeps happening every 5 minutes. My syslogs don't show anything strange either.

I am using preshared keys between peers to establish VPNs.

This has been working fine for almost 18 months...no problems until today.

Both firewalls are version 6.2(1) software.

Any thoughts?

2 REPLIES
New Member

Re: clear ipsec sa peer, I keep losing VPNs

If nothing has been changed (Config/ upgrade or anything) in the recent past and the setup was stable for 18 months, i would only suspect some hardware failure. Isolate the problem by replacing the hardware.

New Member

Re: clear ipsec sa peer, I keep losing VPNs

After calling TAC, they determined that I was just fortunate that it didn't happen more often or earlier. It wasn't hardware at all, but rather I had the same access-list # for 3 different VPN'd networks. And, I had the same crypto map # for those same 3 different VPN end points.

For example: this is what I had (an example only)

access-list 100 permit ip 10.0.0.0 255.0.0.0 20.0.0.0 255.0.0.0

access-list 100 permit ip 10.0.0.0 255.0.0.0 30.0.0.0 255.0.0.0

access-list 100 permit ip 10.0.0.0 255.0.0.0 40.0.0.0 255.0.0.0

-and-

crypto map mapname 10 ipsec-isakmp

crypto map mapname 10 match address 100

crypto map mapname 10 set peer

TAC said to have a different access-list for each crypto map match address line and a different crypto map match address line for each remote endpoint. So I kept the existing access-list 100's for the nat "zero" statement, but added 110, 120 & 130 for each different crypto map 20, 30, 40 endpoint statements.

-Chris

127
Views
0
Helpful
2
Replies