I have several site-to-site IPSEC VPN tunnels (using pre-shared keys) built from several 3640s (using FastEthernet) running IOS 12.2-17 to a VPN 7140 aggregate (also via FastEthernet) running IOS 12.2-15.T8. All has worked well for years. I am now upgrading all remote VPN endpoints (3640s) to 1841s (FastEthernet) running IOS Advanced Security 12.4-10a (with F/W and IPS turned off). One site is switched to an 851 (FastEthernet) running IOS Advanced Security 12.3-8.YI2 (also with F/W and IPS turned off). All VPN endpoints are still using the exact same pre-shared keys to the VPN 7140 aggregate. The tunnels work well initially, allowing all IP traffic to a specific subnet and a small range of UDP packets to another subnet. After 15 - 30 minutes of inactivity of the application using the UDP packets I start to see the following messages on all endpoint 1841 and 851 routers:
IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
When this message appears the small UDP packet range stops traveling through the tunnel. However, all IP packets to the other subnet still work fine. The problem is cleared if I run a "clear cry sa" on all endpoint routers as well as on the 7140 VPN aggregate, until the UDP packet inactivity at the remote endpoints begins again. I've tried upgrading the IOS on the 7140 VPN aggregate to IOS 12.3-12e to no avail. I tried switching the IOS on the remote 1841 routers to IOS Advanced IP Services 12.4-10a (no F/W or IPS features built in), thinking that there may be a default F/W or IPS setting turned on with the Advanced Security 12.4-10a even though both features are turned on by default, and the problem still persists.
Is there some sort of incompatibility issue between the newer Cisco routers (1800 series and 800 series) and the older Cisco model set that I am missing here? Any help would be greatly appreciated.
The recommended command did not work. I also tried adding a crypto keepalive statement to re-negotiate the SA every 5 minutes of tunnel idle time, and that still did not work. Please see the attached VPN endpoint and aggregate router configs for additional information. Furthermore, the debug crypto ipsec and debug crypto isakmp commands show that there are outbound SAs after applying the command. The debug commands also show activity for ports 500, 51, 0 and ports in the range identified by the tunnel endpoint ACLs. Are the ISAKMP ports 500 and 51 supposed to traverse through the tunnel as well?
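The poster currently notices the outbound-SA drop by watching the console and then clears the SAs by hand. The following is an added example, not code from the thread, that parses router syslog output for exactly the IPSEC message quoted above and reports which endpoints are dropping packets, so the condition can be caught by a log collector instead of by eye. The sample log lines, hostnames and timestamps are constructed for the example; the message text is the one from the post.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample syslog output; the hostnames and timestamps are made up,
# the IPSEC message text is the one reported in the thread.
SAMPLE_LOG = """\
Mar  3 10:01:12 rtr-site1 : %SYS-5-CONFIG_I: Configured from console by admin
Mar  3 10:02:40 rtr-site1 : IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Mar  3 10:02:41 rtr-site1 : IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Mar  3 10:05:03 rtr-site2 : IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820
Mar  3 10:06:00 rtr-site3 : %SYS-5-CONFIG_I: Configured from console by admin
"""

# Generic "<timestamp> <hostname> : <message>" syslog layout used in the sample.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : (?P<msg>.*)$"
)

# The symptom from the thread: an SA is listed but no current outbound SA exists,
# so the router drops the packet. The cryptoflags value is captured for reporting.
SA_DROP_RE = re.compile(
    r"IPSEC\(crypto_map_check_encrypt_core\): mtree says we have SA but couldn't find "
    r"current outbound SA\. dropping pak\. pak->cryptoflags=(?P<flags>0x[0-9a-fA-F]+)"
)


def find_outbound_sa_drops(log_text: str) -> Dict[str, int]:
    """Count outbound-SA drop messages per router hostname."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a line in the expected syslog layout
        if SA_DROP_RE.search(m.group("msg")):
            counts[m.group("host")] += 1
    return dict(counts)


def hosts_needing_sa_clear(counts: Dict[str, int], threshold: int = 1) -> List[str]:
    """Return the routers whose drop count reached the threshold, sorted by name.

    These are the endpoints on which the poster would run "clear cry sa"
    (together with the aggregate) to restore the UDP traffic.
    """
    return sorted(host for host, n in counts.items() if n >= threshold)


def extract_cryptoflags(log_text: str) -> List[str]:
    """Collect the distinct pak->cryptoflags values seen, for correlating incidents."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = SA_DROP_RE.search(line)
        if m and m.group("flags") not in seen:
            seen.append(m.group("flags"))
    return seen


if __name__ == "__main__":
    per_host = find_outbound_sa_drops(SAMPLE_LOG)
    for host, n in sorted(per_host.items()):
        print(f"{host}: {n} outbound-SA drop(s)")
    print("clear SAs on:", hosts_needing_sa_clear(per_host))
    print("cryptoflags seen:", extract_cryptoflags(SAMPLE_LOG))
```

Feed the script the syslog feed from the endpoints (for instance the output collected by a syslog server rather than the console), and raise the threshold if a single stray message should not trigger an alert; the per-host counts also make it easy to check whether the drops line up with the 15 - 30 minute idle period the poster describes.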