We are implementing IPsec in all branches. We are using Dynamic Multipoint VPN, in which all remote branches initiate IPsec and ISAKMP negotiation whenever Finacle interesting traffic hits the router, and it successfully creates the Phase 1 and Phase 2 sessions.
For DPD we are using on-demand polling, i.e. whenever traffic comes, the other side's availability is checked.
This creates a problem when the link goes down at the remote end: the core end checks availability and clears the session, but at the remote end the crypto interface goes down and doesn't clear the session. When the link comes up the session remains on the remote end but has been cleared at the core end, due to which the branch is not able to work. We have to execute clear crypto session and clear crypto isakmp at the remote end to renegotiate the crypto session. To rectify the issue we are putting the invalid SPI recovery command on both the remote and core end.
But still the issue persists: the session remains on one end and is cleared at the other. The second issue is that the branch is not able to work whenever it is working on the backup interface, which doesn't have the crypto map command.
To resolve these issues we are thinking of implementing periodic polling at both the core and remote end:
crypto isakmp keepalive 60 periodic
We have a 7206VXR with SA-VAM2+ at the core and Cisco 1841 at the remote end, around 2700 branches.
Kindly advise us:
1) Is periodic polling feasible for 2700 branches, i.e. not CPU intensive?
2) What would be a suitable approximate frequency of polling?
3) Can we start periodic polling on the core and then move to the remote branches one by one, i.e. is it unidirectional?
ad 1. Periodic DPD will be more CPU intensive than on-demand ones. But I have not seen high CPU due to them unless debugging was turned on and the timer was very aggressive (10-15 seconds).
ad 2. 30 seconds is a very good interval. I would honestly go further down only if there is some sort of SLA and IPsec is the deciding factor.
ad 3. Yes, you can do it. However, based on your scenario I would leave on-demand DPDs on the core and enable them on the branches.
On a higher level: invalid SPIs are the way to go.
The problem itself is a bit funky; if line protocol goes down on the interface we have in "tunnel source" I would also expect some reaction from the crypto subsystem. Can you share your configuration for the tunnel interface for one of the branches and the SW version?
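How the two DPD modes behave during the branch-side outage described in this thread, as an added example that is not part of the original posts: a small Python model of RFC 3706 probing where the core keeps on-demand DPD and the branch is either on-demand or periodic. The 30-second interval, the 2-second retry gap, the retry count and the traffic pattern are constructed assumptions for the model, not IOS defaults.

```python
"""Toy model of IKE Dead Peer Detection (RFC 3706) during a branch-side outage.
Added example, not from the thread: timings, retry policy and traffic pattern
are constructed to illustrate the on-demand vs. periodic difference."""
from dataclasses import dataclass


@dataclass
class Peer:
    mode: str                # "on-demand" or "periodic"
    interval: int = 30       # seconds of peer silence before a probe is due
    retry: int = 2           # seconds between retransmitted probes (constructed)
    retries: int = 5         # unanswered probes tolerated before teardown (constructed)
    has_sa: bool = True      # IKE/IPsec SA present when the outage starts
    last_rx: int = 0         # last time the peer was heard from
    last_probe: int = -10**9
    misses: int = 0
    probes_sent: int = 0

    def probe_due(self, now: int, traffic_pending: bool) -> bool:
        # On-demand probes only when there is traffic for a silent peer;
        # periodic probes whenever the peer has been silent for `interval`.
        if not self.has_sa or now - self.last_rx < self.interval:
            return False
        gap = self.retry if self.misses else self.interval
        if now - self.last_probe < gap:
            return False
        return self.mode == "periodic" or traffic_pending

    def probe(self, now: int, delivered: bool) -> None:
        self.last_probe, self.probes_sent = now, self.probes_sent + 1
        if delivered:                       # R-U-THERE-ACK came back
            self.last_rx, self.misses = now, 0
            return
        self.misses += 1
        if self.misses > self.retries:      # peer declared dead: clear the SA
            self.has_sa = False


def simulate_outage(core_mode: str, branch_mode: str, seconds: int = 600):
    """Branch WAN link is down for `seconds`: the core still has traffic queued
    for the branch, the branch has none (its crypto interface is down), and no
    probe is delivered either way.  Returns (core, branch) at the end."""
    core, branch = Peer(core_mode), Peer(branch_mode)
    for now in range(1, seconds + 1):
        if core.probe_due(now, traffic_pending=True):
            core.probe(now, delivered=False)
        if branch.probe_due(now, traffic_pending=False):
            branch.probe(now, delivered=False)
    return core, branch
```

With both sides on-demand the core tears its SA down while the silent branch keeps its stale one; with periodic DPD on the branch both sides clear the SA during the outage, so the branch renegotiates cleanly when traffic returns.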