Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
532
Views
0
Helpful
2
Replies

VPN site-to-site router upgrade problem

OscarCastillo
Level 1
Level 1

‎11-10-2006 02:20 PM - edited ‎02-21-2020 01:18 AM

Hello,

I have several site-to-site IPSEC VPN tunnels(using pre-shared keys) built from several 3640's(using FastEthernet) running IOS 12.2-17 to a VPN 7140 agragate(Also via FastEthernet) running IOS 12.2-15.T8. All has worked well for years. I am now upgrading all remote VPN endpoints (3640's) to 1841(FastEthernet) running IOS Advance Security 12.4-10a(with F/W and IPS turned off). One site is switched to an 851(FastEthernet) running IOS Advanced Security 12.3-8.YI2(Also with F/W and IPS turned off). All VPN endpoints are still using the exact same pre-shared keys to the VPN 7140 agragate. The tunnels work well initially allowing all IP traffic to a specific subnet and a small range of UDP packets to another subnet. After 15 - 30 minutes of inactivity of the application using the UDP packets I start to see the following messages on all endpoint 1841 and 851 routers:

IPSEC(crypto_map_check_encrypt_core): mtree says we have SA but couldn't find current outbound SA. dropping pak. pak->cryptoflags=0x820

When this message appears the small UDP packet range stops traveling through the tunnel. However all IP packets to the other subnet still works fine. The problem is cleared if I run a "clear cry sa" on all endpoint routers as well as on the 7140 VPN agragate until the UDP packet inactivity at the remote endpoints begins again. I've tried upgrading the IOS on the 7140 VPN agragate to IOS 12.3-12e to no avail. I tried switching the IOS on the remote 1841 routers to the IOS Advanced IP Services 12.4-10a(No F/W or IPS features built in) thinking that there may be a default F/W or IPS setting turned on with the Advanced Security 12.4-10a even though both features are turned on by default and the problem still persists.

Is there some sort of incompaibility issue between the newer Cisco routers(1800 series and 800 series) and the older Cisco model set that I am missing here? Any help would be greatly appreciated.

0 Helpful
2 Replies 2

m.sir
Level 7
Level 7

‎11-14-2006 12:28 AM

Can you try add following command on both endpoints:

crypto map local-address

where interface is you outside interface

It binds crypto map to physical outbound interface

M.

0 Helpful

OscarCastillo
Level 1
Level 1
In response to m.sir

‎11-15-2006 09:09 AM

Hello,

The recommended command did not work. I also tried adding a crypto keep alive statement to re-negotiate the SA every 5 minutes of tunnel idl-time and that still did not work. Please see attached VPN endpoint and agragate router configs for additional information. Furthermore, the debug crypto ipsec and debug crypto isakmp commands show that there are outbound SAs after applying the command. The debug commands also show activity for ports 500, 51, 0 and ports in the range identified by the tunnel endpoint acls. Are the ISAKMP ports 500 and 51 supposed to traverse through the tunnel as well?

26309-agragate.config
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card