I've been using OS 8.0(3) on ASA for Dynamicmap. It's site to site VPN with hub and spokes environment. Hub router is using static ip address. Spoke routers are using dynamic ip addresses. The problem is that multiple tunnels of the same branch site are connecting to HQ. HQ will get stuck on that. Can't encrypt/decrypt. I did search. it would relate to these bugs.
CSCsg86538 Bug Details
Dynamic L2L tunnel fails if the remote peer ip is changed
Remote peer fails to re-establish the dynamic VPN tunnel once a new ip address is obtained. The
IKE phase II has to timeout on ASA side inorder to restablish the tunnel.
The peer ip address changes
Peer does not support IKE keepalive
Manually clear the ipsec peer on ASA
CSCsl51292 Bug Details
IPSEC VPN tunnel on 8.0.3 fails every couple days.
ASA running version 8.0.3, fails all IPSEC tunnels lan to lan and remote access vpn tunnels after 2 days or so. No logs from when it failed, but after it fails and turning on logging, can see that it fails Phase 1 MSG 4.
We see that the symptom of this problem shows up in show memory- where the Crypto free goes to 0%:
Crypto free: 0 bytes ( 0%)
Crypto used: (26%)
This is not related to any SSL functionality that we can tell at this time.
CSCso50996 Bug Details
ASA dropping the packet instead of encrypting it
ASA/PIX stops encrypting data to a remote IPSec peer (either L2L or Remote
The problem is that after an IPSec SA goes down and comes back up (including
phase 2 rekeys), it's possible that a duplicate vpn-context and classifier
entry are created and added to the ASA's ASP classifier table for crypto. The
ASA should only have a single ASP classifier/vpn-context per IPSec flow (ie.
inbound vs. outbound) in its database.
Reload the ASA.
However,I can't use keepalive to solve this problem. Because third party routers have been using at branch sites. As document cisco says keepalive works with cisco family. (grin)
You guys who can recommend me which IOS is stable enough for this kind of this scenario(dynamic map). Please advise.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :