Stuck Virtual-access interface with EZVPN DVTI config
I have a "persistent" virtual-access interface that is associated wrongfully with a /28 network that already has a virtual-access interface associated with it. What's more, it seems that the buggy virtual-access is a member of the vtemplate recycle queue, so it gets used and has configuration added which messes up routing, since the /28 at that point has 2 virtual-access interfaces with 2 tunnel destinations:
Re: Stuck Virtual-access interface with EZVPN DVTI config
An L2TP network server (LNS) that is configured for Path MTU Discovery (PMTUD) and that has discovered a lower IP MTU for a virtual-access interface does not return to the original IP MTU after the 10-minute PMTUD timer expires. You can see the IP MTU in the output of the show ip interface virtual-access command. This symptom is observed on a Cisco router that functions as an LNS and that is configured for PMTUD. The IP MTU can be changed on the affected virtual-access interface by entering the ip mtu command. The IP MTU affects only IP traffic. When the IP MTU is not increased to the original IP MTU on the virtual-access interface, IP traffic is fragmented, irrespective of whether or not this is necessary, and IP traffic that has the DF-bit is dropped at the LNS.