Hello, we have a number of different routers installed providing a GETVPN topology. We have a pair of 3925 routers at our HQ that seemed to fail on their GETVPN capability. In fact it is safe to say that GETVPN tends to fail/freeze more often than we would like on our WAN.
A check of the key server with command show gdoi ks members showed the failed routers still in the table, so we cleared them out manually; still no joy. We then cleared out the ISAKMP SA table; still no joy. We then rebooted one of the routers and we saw the registration to the KS, the KS acknowledged it as a member, phase 2 was established, ACLs were pushed, etc., and this router could encrypt permitted traffic once more.
Since we need to get an RCA for the issue, we decided to work on the secondary, which was still failing to register. We could see MAC and ARP details of connected devices but no IP reachability nor OSPF peers, even though they were in the ARP table. (Our fail-close ACL allows ESP etc. and OSPF.)
We again tried manually resetting the gdoi process but no activity could be seen other than a periodic log output of the router trying to register. (The key server did not see these registration requests). We checked the L2 switches in between and no errors could be found. We then removed the crypto map and OSPF and L3 reachability was restored. As soon as we reapplied the crypto map the traffic again ceased.
I am certain a reboot will restore the router but I would appreciate any subject matter experts to advise what may be causing these symptoms and any fixes or configuration gotchas. I have scoured the bug toolkit for 15.2.4(M2) but no GETVPN or crypto messages are shown, even an extended search over a year old.
Can anyone help explain or deduce why traffic halts with a GETVPN member until it is rebooted?