Dual ISP DMVPN Spoke Failover - IPSEC/IKE Issue

I'm trying to configure WAN failover for my DMVPN spokes that are running in a Dual Cloud Topology. Currently, I have two tunnels with separate NHRP networks. Both of the tunnel interfaces are configured to use a Loopback as source, taking the preferred route to the internet (Broadband with a Cellular Backup).

The problem I am running into is what appears to be cached Crypto SAs. Once the primary ISP fails, my tunnels go into an IKE/IPSEC state. I've tried setting the IKE and IPSEC lifetimes as low as possible. But no joy. Same thing when I fail back.

Sanitized config is below... Any ideas? 

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 60
crypto isakmp key MyPSK address 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile IPSEC_Profile
 set security-association lifetime seconds 120
 set security-association idle-time 60
 set transform-set ESP-3DES-SHA
!
!
interface Loopback0
 ip address 10.70.2.254 255.255.255.255
!
interface Tunnel10
 description DMVPN Cloud A
 bandwidth 10000
 ip address 10.80.50.200 255.255.254.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 2
 no ip split-horizon eigrp 2
 ip flow ingress
 ip flow egress
 ip nhrp authentication somepass
 ip nhrp map multicast dynamic
 ip nhrp map 10.80.50.1 1.2.3.4
 ip nhrp map multicast 1.2.3.4
 ip nhrp network-id 20
 ip nhrp holdtime 300
 ip nhrp nhs 10.80.50.1
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key "key"
 tunnel protection ipsec profile IPSEC_Profile shared
!
interface Tunnel20
 description DMVPN Cloud B
 bandwidth 10000
 ip address 10.81.50.200 255.255.254.0
 no ip redirects
 ip mtu 1400
 no ip next-hop-self eigrp 2
 no ip split-horizon eigrp 2
 ip flow ingress
 ip flow egress
 ip nhrp authentication somepass
 ip nhrp map multicast dynamic
 ip nhrp map 10.81.50.1 5.2.1.3
 ip nhrp map multicast 5.2.1.3
 ip nhrp network-id 30
 ip nhrp holdtime 300
 ip nhrp nhs 10.81.50.1
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel mode gre multipoint
 tunnel key "key"
 tunnel protection ipsec profile IPSEC_Profile shared

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

ISAKMP Debug....

*Mar 17 15:58:36.689: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 15:58:36.689: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 15:58:48.653: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 15:58:48.653: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 15:59:06.689: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 15:59:06.689: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 15:59:06.689: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 17 15:59:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 15:59:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:00:06.688: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 16:00:06.688: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 16:00:06.688: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 17 16:00:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:00:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:00:51.892: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 16:00:51.892: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 16:01:06.688: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 16:01:06.688: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 16:01:06.688: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 17 16:01:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:01:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:02:06.688: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 16:02:06.688: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 16:02:06.688: ISAKMP: Error while processing KMI message 0, error 2.
*Mar 17 16:02:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:02:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4) n
*Mar 17 16:02:46.980: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 16:02:46.980: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)int tu10
*Mar 17 16:03:06.688: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 16:03:06.688: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 16:03:06.688: ISAKMP: Error while processing KMI message 0, no debug crypto isakmp sa

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
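
An added example, not part of the original post: a small Python triage script for ISAKMP debug output of the kind shown above. It tallies phase 1 teardown events per peer, role (initiator or responder) and main-mode state, and records the local address IKE is sourced from. The sample lines are constructed in the post's log format, and the function name `summarize` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample: a few lines in the same format as the debug output in the post.
SAMPLE = """\
*Mar 17 15:58:36.689: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 15:58:48.653: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
*Mar 17 15:59:06.689: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 10.70.2.254, remote 1.2.3.4)
*Mar 17 15:59:06.689: ISAKMP: Error while processing SA request: Failed to initialize SA
*Mar 17 15:59:36.688: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 1.2.3.4)
*Mar 17 16:00:51.892: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (R) MM_SA_SETUP (peer 1.2.3.4)
"""

# Cisco IOS IKEv1 main-mode state names, in the order a healthy phase 1 passes through them.
MM_ORDER = ["MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH", "QM_IDLE"]

DELETE_RE = re.compile(
    r'deleting SA reason "(?P<reason>[^"]+)" state \((?P<role>[IR])\) '
    r'(?P<state>\S+) \(peer (?P<peer>[\d.]+)\)')
LOCAL_RE = re.compile(r'\(local (?P<local>[\d.]+), remote (?P<remote>[\d.]+)\)')


def summarize(text):
    """Summarize phase 1 failures in ISAKMP debug text (hypothetical helper)."""
    deaths = Counter()    # (peer, role, state, reason) -> number of teardowns
    locals_seen = set()   # local addresses the router used as IKE source
    for line in text.splitlines():
        m = DELETE_RE.search(line)
        if m:
            deaths[(m["peer"], m["role"], m["state"], m["reason"])] += 1
            continue
        m = LOCAL_RE.search(line)
        if m:
            locals_seen.add(m["local"])
    # Furthest main-mode state reached per (peer, role) before the SA was deleted.
    furthest = {}
    for (peer, role, state, _reason) in deaths:
        idx = MM_ORDER.index(state) if state in MM_ORDER else -1
        furthest[(peer, role)] = max(furthest.get((peer, role), -1), idx)
    return {
        "deaths": dict(deaths),
        "furthest": {k: (MM_ORDER[v] if v >= 0 else "unknown")
                     for k, v in furthest.items()},
        "local_addresses": sorted(locals_seen),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On the sample, the summary shows IKE sourced from 10.70.2.254 and no exchange in either direction progressing beyond MM_SA_SETUP before retransmission timeout.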

 

 
