VPN site-to-site router upgrade problem


I have several site-to-site IPsec VPN tunnels (using pre-shared keys) built from several 3640s (using FastEthernet) running IOS 12.2-17 to a VPN 7140 aggregate (also via FastEthernet) running IOS 12.2-15.T8. All has worked well for years. I am now upgrading all remote VPN endpoints (3640s) to 1841s (FastEthernet) running IOS Advanced Security 12.4-10a (with F/W and IPS turned off). One site is switched to an 851 (FastEthernet) running IOS Advanced Security 12.3-8.YI2 (also with F/W and IPS turned off). All VPN endpoints are still using the exact same pre-shared keys to the VPN 7140 aggregate. The tunnels work well initially, allowing all IP traffic to a specific subnet and a small range of UDP packets to another subnet. After 10 - 30 minutes of inactivity of the application using the UDP packets, I start to see the following messages on all endpoint 1841 and 851 routers:

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

When this message appears, the small UDP packet range stops traveling through the tunnel. However, all IP packets to the other subnet still work fine. The problem is cleared if I run a "clear cry sa" on all endpoint routers as well as on the 7140 VPN aggregate, until the UDP packet inactivity at the remote endpoints begins again. I've tried upgrading the IOS on the 7140 VPN aggregate to IOS 12.3-12e to no avail. I tried switching the IOS on the remote 1841 routers to IOS Advanced IP Services 12.4-10a (no F/W or IPS features built in), thinking that there may be a default F/W or IPS setting turned on with the Advanced Security 12.4-10a even though both features are turned on by default, and the problem still persists.

Is there some sort of incompatibility issue between the newer Cisco routers (1800 series and 800 series) and the older Cisco model set that I am missing here? Any help would be greatly appreciated.
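
For reference, here is a constructed IOS configuration for one remote 1841 endpoint in the topology the post describes, with the two traffic selectors the post mentions (all IP to one subnet, a UDP port range to another), plus the commands used to inspect and clear the SAs. This is an added example, not the poster's configuration: the peer address, interface, subnets, ACL and map names, transform set, and the UDP port range are all assumptions.

```cisco
! Added example, not the poster's config. Addresses, names and
! the UDP port range are assumptions.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
! Pre-shared key for the 7140 aggregate (assumed WAN address 192.0.2.1)
crypto isakmp key EXAMPLE-PSK address 192.0.2.1
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! Each permit line below is a separate proxy identity, so each one
! negotiates its own pair of IPsec SAs with the peer.
ip access-list extended VPN-TRAFFIC
 permit ip  10.1.0.0 0.0.255.255 10.100.0.0 0.0.255.255
 permit udp 10.1.0.0 0.0.255.255 10.200.0.0 0.0.255.255 range 5000 5010
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 crypto map VPNMAP
!
! Verification (run in privileged EXEC, not config mode):
!   show crypto isakmp sa
!   show crypto ipsec sa peer 192.0.2.1
! Recovery step the post describes, scoped to this one peer:
!   clear crypto sa peer 192.0.2.1
```

Because the two ACL entries produce separate IPsec SA pairs, "show crypto ipsec sa peer 192.0.2.1" lists them under separate local/remote identities; comparing the inbound and outbound SPIs and lifetimes for the UDP identity on the endpoint and on the 7140 at the moment the drop message appears is the check that tells the two sides' SA tables apart.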


Re: VPN site-to-site router upgrade problem