Sorry about not attaching config.

Short: RouterA has VRFs, RouterB no VRFs (hence config varies).

First post w/log included was from RouterA.

-------------

RouterA config:

-------------

crypto keyring dmvpn_spokes_keys vrf hmvnett
  description DMVPN SPOKE TUNNEL KEYS
  pre-shared-key address [RouterB_IP] key ******
crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp keepalive 20
crypto isakmp profile dmvpn_spokes_isakmp
   vrf hmvnett
   keyring dmvpn_spokes_keys
   match identity address [REMOTE_IP] 255.255.255.255
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec profile dmvpn_hub
set security-association lifetime seconds 120
set transform-set strong
set isakmp-profile dmvpn_spokes_isakmp
!
interface Tunnel0
bandwidth 8000
ip vrf forwarding hmvvpn
ip address 10.47.2.9 255.255.255.252
no ip redirects
ip mtu 1460
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0/1.50
tunnel destination [RouterB_IP]
tunnel mode ipsec ipv4
tunnel vrf hmvnett
tunnel protection ipsec profile dmvpn_hub
end
!
interface GigabitEthernet0/1.50
encapsulation dot1Q 50
ip vrf forwarding hmvnett
ip address [RouterA_IP] 255.255.255.240
ip nat outside
ip virtual-reassembly max-reassemblies 32
no ip mroute-cache
no snmp trap link-status

-------------

RouterB config:

-------------

crypto isakmp policy 1
encr aes
authentication pre-share
crypto isakmp key ****** address [RouterA_IP]
crypto isakmp keepalive 20
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto ipsec profile dmvpn_spoke
set security-association lifetime seconds 120
set transform-set strong
!
interface Tunnel0
bandwidth 8000
ip address 10.47.2.10 255.255.255.252
no ip redirects
ip mtu 1460
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel destination [RouterA_IP]
tunnel protection ipsec profile dmvpn_spoke
!
interface GigabitEthernet0/0
ip address [RouterB_IP] 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

Jorn,

Odd ... you're using a FVRF

interface Tunnel0
bandwidth 8000
ip vrf forwarding hmvvpn
ip address 10.47.2.9 255.255.255.252
no ip redirects
ip mtu 1460
ip tcp adjust-mss 1300
tunnel source GigabitEthernet0/1.50
tunnel destination [RouterB_IP]
tunnel mode ipsec ipv4
tunnel vrf hmvnett
tunnel protection ipsec profile dmvpn_hub
end

And your isakmp profile does not mention the profile in match identity.

match identity address [REMOTE_IP] 255.255.255.255

I believe this should be corrected to :

match identity address [REMOTE_IP] 255.255.255.255 hmvnett

From my lab:

BB_966(config)#crypto isakmp profile TEST_PROFILE
% A profile is deemed incomplete until it has match identity statements
BB_966(conf-isa-prof)#match identity add 1.2.3.4 ?
  A.B.C.D  specify mask
  WORD     Specify the F VRF (default global)
 

BB_966(conf-isa-prof)#match identity add 1.2.3.4

Could very much be a misconfiguration.  Been following examples from the web, but not too many of them contain setups with VRFs.

Strange though, that things have been working at all ? Or could there be some implicit "natural" explanation to this ?

Tried deploying the changes you suggested, and things seem to work fine. Will leave config as it is for now, and see if this is  has been causing the trouble. Will keep you posted if there are any oddities.

Thanks for helping  !!

Jorn,

Sure thing, check it out.

My take on this is that you were seeing different behavior depending who was the initiator ;-)

It's been a while since I was playing with VTI setup if I find some time I'll check it out, but I don't have any setup I could adapt right now.

Marcin

Jorn,

Periodic DPDs are only a way to implement polling if IKE is up, while the messages you're seeing are related to (for some reason) not being able to agree on proposals on phase 2 IPSec, phase 1 which DPDs will use is already up.

We can for sure alleviate the situation, byt setting phase 2 lifetime to a value which is not the minimum - if you want security you add PFS instead of having a very short phase 2 lifetime.

Longer phase 2 liftime means less renegotations of phase 2. Would you mind setting phase 2 lifetime to default (1 hour) and if you want increased security add PFS?

PFS and lifetime settings need to match on both sides.

All in all we'd need to have full debug while the issue starts.

debug cry isa

deb crypto ipsec

deb cry kmi

both sides.

What it looks to me (and this is just me throwing some thoughts in the air, not any factual data - since data is scarce) is either mem leak (would explain why you had to clear also dh ... but I have my doubts) or you're stressing out the control plane due to frequent rekeys which leads to some sort of de-synchronization scenario...

Would it be possible for you to apply PFS and setting back lifetime to default values?

Marcin

Will definitely try what you are suggesting here.

Changes will be deployed when production ends today.

Will dump logs as soon as they contain anything relevant (eg when the tunnel goes down) - or would you rather that I supply logs from normal operation aswell ?

Thanks again btw.

Jorn,

The debugs - you can enabled them freely when you see the issue

Ideally they should be enabled on both sides just before the issue starts, but since we don't have the luxury to know this- enabling during the issue should be fine.

FYI, if too many debugs are popping up you can lmit them to only one peer by using "debug crypto condition peer ipv4 ..."

Marcin

Just wanted to give you a followup on this.

Tried passing this on to Cisco support, but before it even got that far I decided to try your final proposition.

In fact, removing the ivrf reference from the profile worked. It's been stable ever since !

Thumbs up and a big smile to you