Hi, we have a problem with an IPsec tunnel between our Cisco 1812 and a partner's Cisco router. Three times in the last two months the tunnel has stopped responding, in that we can no longer access the server at the partner's site or ping it. When we check our router it states the VPN connection is up and tests OK. We have found that cycling the power on our router fixes this issue. Unfortunately the link is business critical and we have little time to diagnose the problem. I can't see anything in the Cisco logs relating to the VPN. I was wondering if this could be a problem at our partner's end; any advice on how to diagnose this problem next time it happens would be greatly appreciated.
What we are experiencing could be related to the lifetime not matching. If the tunnel on our router shows up but it does not work, then there is a possibility that it is not up on their end. So this is how we should proceed:
1. When the problem occurs, you need to first check the tunnel status by issuing the command:
sh cry isak sa
What we are looking for is the source IP, destination IP, and status.
2. If it shows up on both routers then we need to look into the IPsec SAs:
sh cry ipsec sa peer
We are looking for the status of the tunnel. The specific information to look for is the pkts encaps and decaps, the inbound ESP SA and the outbound ESP SA. Please be informed that it has to be done on both routers.
3. Another thing to check when this problem occurs: do we see the pkts encaps increasing on our router?
4. If we see the tunnel up on our end but down on their end, does the problem go away if we just clear the SAs instead of rebooting the router?
5. Another thing to look for is the IPsec SA lifetime in the show run. It should match.
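As an added example (not part of the original thread, and not Cisco's code), the following Python script automates steps 3 to 5 above so that the checks can be run quickly during an outage window: it compares two `show crypto ipsec sa peer` snapshots taken a few seconds apart and flags one-way traffic (encaps climbing while decaps stands still), confirms that an ACTIVE inbound and outbound ESP SA exist, and compares the `crypto ipsec security-association lifetime` lines from both routers' running configs. The show output and config excerpts are constructed samples, the regexes assume the classic IOS output layout (check them against your own router's output), and the defaults substituted when a lifetime line is absent (3600 seconds, 4608000 kilobytes) are the IOS defaults, which you can confirm with `show crypto ipsec security-association lifetime`.

```python
import re

# Constructed sample in the shape of "show crypto ipsec sa peer <ip>" on the
# local router. Not a real capture; the layout follows classic IOS output.
SNAP_1 = """\
interface: FastEthernet0
    Crypto map tag: VPNMAP, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.20.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
    #pkts encaps: 105230, #pkts encrypt: 105230, #pkts digest: 105230
    #pkts decaps: 98770, #pkts decrypt: 98770, #pkts verify: 98770

     inbound esp sas:
      spi: 0x3A7F1C22(980622370)
        sa timing: remaining key lifetime (k/sec): (4415876/2210)
        Status: ACTIVE

     outbound esp sas:
      spi: 0x9B04E6D1(2601178833)
        sa timing: remaining key lifetime (k/sec): (4415901/2210)
        Status: ACTIVE
"""
# Second snapshot a few seconds later: encaps moved on, decaps did not.
# That is the "we send, nothing comes back" pattern from step 3.
SNAP_2 = SNAP_1.replace("105230", "105290")

# Constructed "show run | include crypto ipsec" excerpts from both sides.
OUR_RUN = """\
crypto ipsec security-association lifetime kilobytes 4194304
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""
THEIR_RUN = """\
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-aes esp-sha-hmac
"""

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
# One "<direction> esp sas:" section up to the next "<direction> <proto> sas:" header.
SA_SECTION_RE = re.compile(
    r"(inbound|outbound) esp sas:\n(.*?)(?=\n\s*(?:inbound|outbound) \w+ sas:|\Z)", re.S)
LIFETIME_RE = re.compile(r"crypto ipsec security-association lifetime (seconds|kilobytes) (\d+)")

# IOS defaults used when the line is absent from show run (assumed; confirm on your platform).
IOS_DEFAULT_LIFETIME = {"seconds": 3600, "kilobytes": 4608000}


def parse_sa(text):
    """Pull the encaps/decaps counters and the ESP SA sections out of one snapshot."""
    sas = {}
    for m in SA_SECTION_RE.finditer(text):
        direction, body = m.group(1), m.group(2)
        sas[direction] = {
            "spis": re.findall(r"spi: (0x[0-9A-Fa-f]+)", body),
            "active": len(re.findall(r"Status: ACTIVE", body)),
        }
    return {
        "encaps": int(ENCAPS_RE.search(text).group(1)),
        "decaps": int(DECAPS_RE.search(text).group(1)),
        "sas": sas,
    }


def diagnose(before, after):
    """Steps 3 and 2: is traffic flowing both ways, and do both ESP SAs exist?"""
    d_enc = after["encaps"] - before["encaps"]
    d_dec = after["decaps"] - before["decaps"]
    findings = []
    if d_enc > 0 and d_dec == 0:
        findings.append("one-way: encaps rising, decaps flat; peer side likely has no SA (step 4: clear SAs)")
    elif d_enc == 0 and d_dec == 0:
        findings.append("idle: no encaps or decaps; is interesting traffic reaching the crypto map?")
    elif d_enc == 0:
        findings.append("one-way: decaps rising, encaps flat; our side is not encrypting")
    else:
        findings.append("two-way: both counters rising")
    for direction in ("inbound", "outbound"):
        if after["sas"].get(direction, {}).get("active", 0) == 0:
            findings.append(f"no ACTIVE {direction} ESP SA")
    return findings


def lifetimes(show_run):
    """Step 5: configured IPsec SA lifetimes, falling back to the IOS defaults."""
    found = dict(IOS_DEFAULT_LIFETIME)
    for unit, value in LIFETIME_RE.findall(show_run):
        found[unit] = int(value)
    return found


def lifetime_mismatch(ours, theirs):
    """Return {unit: (ours, theirs)} for every lifetime that differs between the peers."""
    return {u: (ours[u], theirs[u]) for u in ours if ours[u] != theirs[u]}


if __name__ == "__main__":
    for line in diagnose(parse_sa(SNAP_1), parse_sa(SNAP_2)):
        print(line)
    print("lifetime mismatch:", lifetime_mismatch(lifetimes(OUR_RUN), lifetimes(THEIR_RUN)))
```

Paste your own two snapshots and both `show run` excerpts in place of the constructed ones. With the samples above the script reports one-way traffic and a kilobyte-lifetime mismatch (4194304 on our side against the 4608000 default on theirs). For step 4, `clear crypto sa peer <ip>` and `clear crypto isakmp` tear down the SAs without a reload; if the tunnel recovers after that, the problem is a stale SA rather than the router itself.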
I think I have found the problem. The security lifetime at our end is set to 1 hour and 4 GB, but the other end was just 1 hour. My assumption is that after about 30 days the 4 GB limit would be reached, resetting our connection. I plan to remove the 4 GB lifetime.