
lap
New Member

IPsec Tunnel hanging from time to time on Cisco router

Hi all,

We have a customer with a DMVPN network. At some locations we have an issue where the IPsec/GRE tunnel to the headend hangs from time to time (every two/three days) and no traffic can pass through anymore. The solution is to restart the router and everything works fine again.

We have configured crypto call admission limit ike in-negotiation-sa 10, as I have heard that too many IKE requests can make the router crash.

But do you guys have any idea what could cause the IPsec/GRE tunnel to hang?

Platform: Cisco 1812

Version: 12.4(15)T11

Feature: advipservices

Best regards,

Laurent

5 REPLIES
Cisco Employee

IPsec Tunnel hanging from time to time on Cisco router

Laurent,

Call Admission Control is indeed good practice for big deployments. You can check:

show crypto call admission statistics

for hints about drops. Crash it should not, but it can get overwhelmed (DoS or DDoS attack).

Are the dropping spokes by any chance behind NAT and/or do they have a dynamic public IP address?

Typically the problem is either related to the crypto socket or to the NHRP mapping. Instead of reloading the router, try removing and re-adding the tunnel interface configuration on the affected spoke (this should cause the crypto socket to be refreshed).

Marcin

lap
New Member

IPsec Tunnel hanging from time to time on Cisco router

Marcin,

Thanks for your reply!

sh crypto call admission statistics

---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0 Max in nego:    10
Total IKE SA Count:           4 active:          4 negotiating:     0
Incoming IKE Requests:     1093 accepted:      816 rejected:      277
Outgoing IKE Requests:      516 accepted:      466 rejected:       50
Rejected IKE Requests:      327 rsrc low:        0 SA limit:      327
IKE packets dropped at dispatch:        0

The spokes having this issue are not behind nat and have a static public IP.

If I do a show crypto isakmp sa there are 40 active tunnels on the router. Can it be a bug on this software version?

Regards,

Laurent
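The statistics Laurent posted show every rejection attributed to the in-negotiation SA limit and roughly a quarter of incoming IKE requests being rejected, which is the "overwhelmed, not crashed" situation Marcin describes. The following parser is an added example, not part of the thread or of any Cisco tool: it turns the `show crypto call admission statistics` text into a dict and flags those two conditions so the check can be run against collected output from many spokes. The sample text is constructed from the output above; the 20% warning threshold is an assumed value.

```python
import re

# Constructed sample modelled on the output posted in the thread (not a live capture).
SAMPLE = """\
---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0 Max in nego:    10
Total IKE SA Count:           4 active:          4 negotiating:     0
Incoming IKE Requests:     1093 accepted:      816 rejected:      277
Outgoing IKE Requests:      516 accepted:      466 rejected:       50
Rejected IKE Requests:      327 rsrc low:        0 SA limit:      327
IKE packets dropped at dispatch:        0
"""

# One "label:   number" pair; several pairs share a line in this output.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?):\s+(\d+)")


def parse_cac_stats(text):
    """Map each row's leading label to {"value": n, <sub-label>: n, ...}.

    Sub-labels such as 'accepted'/'rejected' repeat across rows, so they are
    kept under the row they belong to instead of being flattened.
    """
    stats = {}
    for line in text.splitlines():
        pairs = FIELD_RE.findall(line)
        if not pairs:            # separator and title lines carry no colon
            continue
        head, value = pairs[0]
        row = {"value": int(value)}
        for label, val in pairs[1:]:
            row[label.strip()] = int(val)
        stats[head.strip()] = row
    return stats


def assess(stats, reject_ratio_warn=0.2):
    """Flag the symptoms discussed in the thread (threshold is an assumed value)."""
    rejected = stats["Rejected IKE Requests"]
    incoming = stats["Incoming IKE Requests"]
    findings = []
    if rejected.get("SA limit", 0) > 0:       # CAC in-negotiation limit hit
        findings.append("sa_limit_rejections")
    ratio = incoming["rejected"] / incoming["value"] if incoming["value"] else 0.0
    if ratio > reject_ratio_warn:             # large share of peers turned away
        findings.append("high_incoming_reject_ratio")
    if rejected.get("rsrc low", 0) > 0:       # router itself short on resources
        findings.append("resource_low_rejections")
    return {"incoming_reject_ratio": round(ratio, 3), "findings": findings}


if __name__ == "__main__":
    print(assess(parse_cac_stats(SAMPLE)))
```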

Cisco Employee

IPsec Tunnel hanging from time to time on Cisco router

Laurent,

You will keep isakmp/ipsec SAs for each spoke-to-spoke and spoke-to-hub tunnel... so 40 tunnels are not necessarily bad. But let's see them.

M.

lap
New Member

IPsec Tunnel hanging from time to time on Cisco router

Hi Marcin,

What output do you want to see?

Regards,

Laurent

Cisco Employee

IPsec Tunnel hanging from time to time on Cisco router

Laurent,

let's start with

"show crypto isakmp sa"

and

"show ip nhrp det"

during the problem :-)

But I would say for problems of this nature, better open a TAC case.

Marcin
