Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Crypto IPSEC tunnel issue

We have one of the spoke sites which is having a VPN connection to the Hub Site. It has Crypto IPSEC tunnel configured. The problem is when the internet connection goes down from ISP side, and when it come up the IPSEC tunnel is not able to re-initiate automatically. We need to reboot router and modem (Provided by ISP). Then only it starts initiating session with remote peer.We have DSL connection provided by ISP. It goes down frequently and after coming UP the VPN connection is not getting recover. Is this issue related to any H/W model or IOS?

8 REPLIES

Re: Crypto IPSEC tunnel issue

You could try to enable 'crypto isakmp keepalives' and see if they help.

Regards

Farrukh

New Member

Re: Crypto IPSEC tunnel issue

Thanks Farrukh for reply. We have already configured crypto isakmp keepalives 10. But it didnt solve our problem

Re: Crypto IPSEC tunnel issue

You could try configuring the Invalid SPI recovery feature, maybe it can solve your issue.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

Regards

Farrukh

New Member

Re: Crypto IPSEC tunnel issue

Thanks Farukh for your suggestion. I have enabled the Invalid spi recovery feature in on the crypto map but no luck. Any other suggestions please?

Re: Crypto IPSEC tunnel issue

Do you properly get the IP address on your dailer interface after the ISP connection comes back? Have you enabled SPI recovery and keepalives on both tunnel end-points?

Regards

Farrukh

New Member

Re: Crypto IPSEC tunnel issue

When internet gets diconnected the IPSec SA status gets change to MM_NO_STATES. It should change to QM_IDLE or active automatically when the internet recovered. But it is not getting changed. We need to reboot router and then only it gets connected I have configured keep alives on both the site. I will enable SPI recovery on the hub site also and check and let you know. Thanks for reply

Re: Crypto IPSEC tunnel issue

Also if possible try to upgrade the IOS to the latest version in that major release. What IOS are you running by the way? (On both sides)

Regards

Farrukh

New Member

Re: Crypto IPSEC tunnel issue

We are using 12.3 T8 version on the both side.

Regards,

Chinmay

336
Views
0
Helpful
8
Replies
CreatePlease login to create content