I have a DMVPN set up. Hub 3725 with 2691 spokes. Both running IOS 12.3(7)T.
When isakmp sa's expire (1 day), they're deleted and don't reestablish?! When I do a "sh cryp sess" I get a message "Session status: UP-NO-IKE".
Tunnel is up, and traffic is going through. Over the course of a few days, however, there are performance problems. For example, users no longer able to send any email message more than a few lines (Exchange server is at hub). Only fix so far has been to reboot router.
I thought that isakmp sa's are supposed to reestablish after expiration, as long as VPN is still active. Both lifetimes for isakmp and ipsec are 86400.
I was looking for bugs related to your problem but could not find any. Usually, rebooting seems to be the best way out when faced with issues like this. However, that is no guarantee that the issue will not crop up again. You could try to reduce the MTU to a value that is being allowed through in your setup. Another option would be to move back to a GD image.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...