New Member

EzVPN Client Problem. IPSec blackhole

Hi,

We have a 2811 router acting as an Easy VPN Server (12.4(4)T) and 831 routers acting as Easy VPN Clients (In auto, network-extension mode) running version 12.3(11)T7. All the routers have "isakmp invalid-spi-recovery" enabled.

However, quite frequently the Easy VPN Client router gets stuck in sort of a black hole, when the IPSec SAs are deleted/gone while the ISAKMP SA is still active.

On the Hub router side, both ISAKMP and IPSec SA are active.

In this scenario, the Client router doesn't try to re-negotiate the IPSec SA and therefore no traffic flows. Doing a "clear isakmp sa" fixes the issue, as then Phase 1/2 are re-negotiated.

I thought that the "invalid-spi-recovery" command was specifically for this purpose?

How can I fix this issue so that the client router detects the clearing of the IPSec SA and then automatically re-negotiates?

Regards,

Naman

4 REPLIES
Gold

Re: EzVPN Client Problem. IPSec blackhole

Try applying the command "crypto isakmp keepalive".

New Member

Re: EzVPN Client Problem. IPSec blackhole

That command is already there. As I said, the ISAKMP SA stays alive; the problem is with the IPSec SA.

Since the ISAKMP SA stays alive and a connection is present between the peers, the keepalive messages don't detect any problem.

\\ Naman

Silver

Re: EzVPN Client Problem. IPSec blackhole

Try "crypto ipsec security-association idle-time 60". Check if this solves the issue. It will tear down the ISAKMP and IPSec SAs if the session is idle for 60 seconds.
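To show how the three commands discussed in this thread fit together on an Easy VPN hardware client, here is an added illustrative configuration; it is not a configuration posted by anyone in the thread, and the group name, key, peer address and interface names are placeholders.

```cisco
! Easy VPN client, network-extension mode (illustration only; names and
! addresses below are placeholders, not values from this thread)
!
! Lets the router recover from the peer's Invalid SPI notifications by
! starting a new IKE negotiation (the command the original poster has).
crypto isakmp invalid-spi-recovery
!
! Dead Peer Detection: sends IKE keepalives every 10 s, retrying every 3 s
! when unanswered. This detects a dead IKE peer; it does not detect an
! IPSec SA the peer has dropped while the ISAKMP SA itself stays up,
! which is the black-hole symptom described in the question.
crypto isakmp keepalive 10 3 periodic
!
! Idle timer suggested above: after 60 s with no traffic the SAs are torn
! down, so the next interesting packet starts a fresh negotiation instead
! of being sent into an IPSec SA the hub no longer knows about.
crypto ipsec security-association idle-time 60
!
crypto ipsec client ezvpn HUB
 connect auto
 group EZVPN-GROUP key PLACEHOLDER-KEY
 mode network-extension
 peer 192.0.2.1
!
! Outside (WAN) interface carries the tunnel
interface Ethernet1
 crypto ipsec client ezvpn HUB
!
! Inside (LAN) interface whose network is extended over the tunnel
interface Ethernet0
 crypto ipsec client ezvpn HUB inside
!
! To confirm the black-hole state from the CLI: "show crypto isakmp sa"
! reports the peer in QM_IDLE while "show crypto ipsec sa" shows no
! active inbound/outbound SAs for the same peer.
```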

New Member

Re: EzVPN Client Problem. IPSec blackhole

Will give this a try.

Thanks.
