I have an ASA in our central office and an ASA in our branch office. We run an IPsec site-to-site VPN, which works fine. Yesterday it just stopped (in the branch office); investigations suggested that the tunnel was up but no packets were being encrypted or decrypted (sho crypto ipsec sa). I then did a debug crypto ipsec 2 and got the following message:
It was here that we noticed that the SPIs in the sho crypto ipsec sa didn't match the SPIs coming from the central office. I tried clearing the crypto ipsec sa, but that didn't work, so I rebooted the FW. When it came back up it started working again, and the SPIs matched.
The problem is it happened again 15 hours later.
Can anyone tell me what the SPI is and why it might not match with the central office?
SPIs are security numbers negotiated during tunnel establishment; they help to identify the traffic coming through this tunnel.
Why they did not match can depend on various reasons. The main one is when the tunnel on one end drops and tries to regenerate the tunnel to the other end; when this happens the security numbers are regenerated and they do not match. This condition is present when no keepalives or Dead Peer Detection are enabled on the VPN endpoints, and the behavior occurs because neither VPN endpoint is aware that the tunnel or peer is down and "believes" that there is no need to renegotiate the tunnel.
When you cleared this IPSEC SA, did you do it on the Central or the Branch? Usually you would need to clear it on both for this tunnel to be rebuilt.
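A check for the mismatch described in this thread, added here as an example and not taken from either post: it parses the SPI and packet-counter lines from each end's `show crypto ipsec sa` output and reports when one side's outbound SPI is not what the other side expects inbound, or when one side encrypts traffic the other never decrypts. The sample output below is constructed to resemble the ASA format, and the 203.0.113.x addresses are placeholders.

```python
import re
# Constructed sample output, modelled on the ASA "show crypto ipsec sa" lines
# that carry the SPIs and packet counters (not captured from a real device).
BRANCH_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.2
      current_peer: 203.0.113.1
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 1A2B3C4D
      current inbound spi : 5E6F7A8B
"""
CENTRAL_SA = """\
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1
      current_peer: 203.0.113.2
      #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      current outbound spi: 9F8E7D6C
      current inbound spi : 1A2B3C4D
"""

def parse_sa(text):
    """Extract current inbound/outbound SPIs and encrypt/decrypt counters."""
    def spi(direction):
        m = re.search(r"current %s spi\s*:\s*([0-9A-Fa-f]+)" % direction, text)
        return int(m.group(1), 16) if m else None
    def count(name):
        m = re.search(r"#pkts %s:\s*(\d+)" % name, text)
        return int(m.group(1)) if m else 0
    return {"in": spi("inbound"), "out": spi("outbound"),
            "encrypt": count("encrypt"), "decrypt": count("decrypt")}

def check_pair(branch_text, central_text):
    """Compare both ends; an empty list means the IPsec SAs are consistent."""
    b, c = parse_sa(branch_text), parse_sa(central_text)
    findings = []
    fmt = lambda v: "none" if v is None else "0x%08X" % v
    # Each side's outbound SPI must be the SPI the other side expects inbound.
    if b["out"] != c["in"]:
        findings.append("branch->central: branch sends %s, central expects %s"
                        % (fmt(b["out"]), fmt(c["in"])))
    if c["out"] != b["in"]:
        findings.append("central->branch: central sends %s, branch expects %s"
                        % (fmt(c["out"]), fmt(b["in"])))
    # Encrypted on one end, never decrypted on the other: tunnel looks up, nothing passes.
    if c["encrypt"] > 0 and b["decrypt"] == 0:
        findings.append("central encrypted %d pkts, branch decrypted none" % c["encrypt"])
    if b["encrypt"] > 0 and c["decrypt"] == 0:
        findings.append("branch encrypted %d pkts, central decrypted none" % b["encrypt"])
    return findings
```

Run `check_pair(BRANCH_SA, CENTRAL_SA)` to see the two findings the sample produces; feed it the real output from both firewalls to confirm which direction's SA has diverged before clearing it on both ends.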