We have about nine 1900 routers and one ASA 5510 in a partial mesh VPN network. So eight 1900s connect to one 1900 and the ASA located in HQ and the datacenter. All worked well; however, there is one site behaving really strangely. The tunnel between the 1900s is up for a while and then goes down. Rebooting the router seems to be the only fix. But the tunnel to the ASA does not seem to go down at all.
The issue happened again today; we rebooted the router on site but the tunnel is still not up. DEBUG shows:
To me it seems like the IKE packet is sent but never gets a reply and times out. I did also check on the other end, the HQ. All other tunnels are still running fine on that router, just this remote site. Plus I got similar output when debugging on the HQ router.
One thing I did notice though: there were no matches on either router for the ACL to match/permit ESP traffic... I asked on-site staff to reboot the modem used in the remote site.
But I still want to ask here to see if you guys think there are other things I would also need to check.
I called Cisco TAC and the guy on the phone did not fix the issue but said the zone-based firewall is the cause. I removed ICMP from the inspect rule under the in-out policy and added a pass rule for ICMP under the same in-out policy, and then ping started working between the 2 sites.
However, my other 6 tunnels (all using the same 1900 model) can send ICMP through even if I leave ICMP under the inspect rule. Now I am starting to wonder what the difference really is between inspect and pass for each class/traffic map!?
The Inspect rule instructs the router to inspect the traffic for that class (the router creates an inspection table). This inspection table matches the outgoing traffic and directly permits the return traffic for that class. So if you're inspecting ICMP, your router should directly permit the ICMP replies.
However, with the Pass rule, you would need two policies: the first one matches the outgoing traffic class and the second policy permits the inbound traffic, or permits one of the two. The Pass rule means to pass traffic inbound or outbound, but it doesn't create any inspection. As you know, once you create ZBF, all traffic between zone members is denied by default unless you explicitly permit traffic from one zone to another using the "pass" rule or "inspect" rule under the required policy.
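To make the inspect-versus-pass distinction concrete, here is an added IOS zone-based firewall example (it is not configuration from the original thread or from any poster). The zone names INSIDE and OUTSIDE, the class-map and policy-map names, and the interface numbers are placeholders I chose for illustration. The first policy inspects ICMP on the INSIDE-to-OUTSIDE zone pair, so echo replies coming back are admitted by the session entry the inspection created. The second variant uses pass instead; because pass is stateless, a matching pass class is also needed on a separate OUTSIDE-to-INSIDE zone pair, otherwise the replies are dropped by the default deny.

```cisco
! --- Common pieces: zones, interface membership, ICMP class ---
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description LAN (placeholder)
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description WAN (placeholder)
 zone-member security OUTSIDE
!
class-map type inspect match-any CM-ICMP
 match protocol icmp
!
! --- Variant A: inspect ICMP (stateful, one zone pair is enough) ---
policy-map type inspect PM-IN-OUT-INSPECT
 class type inspect CM-ICMP
  inspect
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT-INSPECT
!
! --- Variant B: pass ICMP (stateless, both directions must be allowed) ---
policy-map type inspect PM-IN-OUT-PASS
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
policy-map type inspect PM-OUT-IN-PASS
 class type inspect CM-ICMP
  pass
 class class-default
  drop
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-IN-OUT-PASS
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect PM-OUT-IN-PASS
```

Apply only one variant to a given zone pair. The quickest check of which behaviour is in effect is `show policy-map type inspect zone-pair sessions`: with variant A an outbound ping creates a session entry for the ICMP flow, and the reply is matched against it; with variant B no session is created, and if the OUT-IN zone pair (or its pass class) is missing, the reply is dropped even though the outbound half was allowed. That matches the symptom in the thread, where moving ICMP from inspect to pass only on the in-out policy changed what was accepted.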