What is the show crypto ipsec showing? Can you see regular networks as a source and destination for the static tunnel and maybe an SA showing 0.0.0.0 0.0.0.0 that could tell us a dynamic connection.......
Yes probably the SAs got stuck somehow. I tried clearing the SAs but they were still there. I rebooted the hub router and for the first few minutes only 1 SA showed up. After a while the second strange SA showed up again.
Today the strange SA is gone and hasn't shown up.
What I am seeing regularly is that after disconnecting the VPN, the 2620 keeps showing an active SA for a long while. This is not the case with the 861W, which immediately deletes and recognizes any expired SA.
In the hub 2620 I am running 12.2(8)T. In the spoke 861W I am running 15.0(1)M7.
Today I ran the show crypto isakmp sa on the hub and got two SAs again as follows:
dst src state conn-id slot
x.x.x.x y.y.y.y QM_IDLE 145 0
y.y.y.y x.x.x.x QM_IDLE 144 0
x.x.x.x is the hub and y.y.y.y is the spoke
However in the spoke the same command showed only one SA:
dst src state conn-id status
x.x.x.x y.y.y.y QM_IDLE 2143 ACTIVE
Show crypto ipsec sa on both hub and spoke showed only one SA.
I noticed that I was only able to ping the spoke's lan from the hub sporadically, that is when the spoke initiated a vpn to the hub. After that SA was deleted, the hub would not initiate a VPN to the spoke.
The phantom SA was still up, but no traffic was going through.
After disabling the firewall access list in the hub, the second "phantom" SA was immediately deleted and traffic flowed normally. I added a hole to the firewall access list permitting all traffic from y.y.y.y and now everything seems to be working fine.
There is no more phantom SA showing in the hub, and every time the SA is brought down by the spoke, the hub recognizes it immediately.
In the hub's firewall I was allowing isakmp and esp from any source. I didn't know I had to allow the public address of the spoke as well, as it seems some notifications or control strings are sent via the public network.
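As an added illustration (not code from the thread), here is a small check that parses "show crypto isakmp sa" output like the hub and spoke listings quoted above and flags a peer pair that has more than one IKE SA on one side but not the other, which is the "phantom SA" symptom described. The sample output and the column layout are constructed to match the thread; real IOS output may carry extra columns.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the hub and spoke output quoted in the thread.
HUB_OUTPUT = """\
dst             src             state          conn-id slot
x.x.x.x         y.y.y.y         QM_IDLE        145     0
y.y.y.y         x.x.x.x         QM_IDLE        144     0
"""

SPOKE_OUTPUT = """\
dst             src             state          conn-id status
x.x.x.x         y.y.y.y         QM_IDLE        2143    ACTIVE
"""

# dst, src, state, conn-id, then one trailing column (slot or status).
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_isakmp_sa(text):
    """Return one dict per SA row; the header line and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower().startswith("dst"):
            continue
        m = SA_LINE.match(line)
        if m:
            rows.append({"dst": m[1], "src": m[2], "state": m[3], "conn_id": int(m[4])})
    return rows


def sas_per_peer(rows):
    """Group SAs by unordered peer pair (direction does not matter) -> list of conn-ids."""
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[tuple(sorted((r["dst"], r["src"])))].append(r["conn_id"])
    return dict(by_pair)


def find_phantom_sas(hub_text, spoke_text):
    """Return {peer_pair: hub_conn_ids} for pairs where the hub holds more IKE SAs
    than the spoke does. In the thread the hub listed two SAs (one per direction)
    while the spoke listed one, i.e. a stale SA the hub never tore down."""
    hub = sas_per_peer(parse_isakmp_sa(hub_text))
    spoke = sas_per_peer(parse_isakmp_sa(spoke_text))
    return {pair: ids for pair, ids in hub.items() if len(ids) > len(spoke.get(pair, []))}
```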