We have a 2811 router acting as an Easy VPN Server (12.4(4)T) and 831 routers acting as Easy VPN Clients (In auto, network-extension mode) running version 12.3(11)T7. All the routers have "isakmp invalid-spi-recovery" enabled.
However, quite frequently the Easy VPN Client router gets stuck in a sort of black hole, when the IPSec SAs are deleted\gone while the ISAKMP SA is still active.
On the Hub router side, both ISAKMP and IPSec SA are active.
In this scenario, the Client router doesn't try to re-negotiate the IPSec SA and therefore no traffic flows. Doing a "clear isakmp sa" fixes the issue, as Phase1\2 are then re-negotiated.
I thought that the "invalid-spi-recovery" command was specifically for this purpose?
How can I fix this issue so that the client router detects the clearing of the IPSec SA and then automatically re-negotiates?