Running several 2800 series H323 gateways that have DMVPN IPSEC tunnels back to the corporate office. The event logs show phones unregistering and going into fallback but don't show any tunnel interface down. Monitoring tools (WhatsUp Gold) show the sites going down, but again no tunnel interfaces appear down. Phones unregister and re-register within 5 mins. Tests from the carrier show clean according to them. Sites and outages appear random.
Does anyone have any experience with problems like these?
I also forgot to mention that we only detect this problem when looking at our routers as IPPHONE-6-reg_alarms. This happens on different phones, at different spokes on the WAN at random times. It's a major issue because I think it's a network issue and not a phone issue but I can't figure it out.
Well, I am not an expert on DMVPN, but the problem appears to be a timeout (ISAKMP/IPSEC). A few things to check:
1. The lifetime for the ISAKMP policy on hub and spoke should be the same and high.
2. You can also try ISAKMP keepalives on both ends.
3. Any vpn-idle or session-timeout configuration on hub or spoke causing the tunnel to break.
Thank you for the reply, Manish.
I'm going to add a doc of the config so that it may help. Also, on number 3 of your response, the "vpn-idle or session timeout" part: where do I look for those? I think I'm going insane and can't remember where to find that information.
Thanks again in advance.
Do you have any logs from the spoke? sh logging might show why the tunnel was dropped. Also, option 3 in my reply is not applicable to your scenario.
Sorry, missed it earlier. Can you post the output from the spoke that was having issues:
sh dmvpn detail
sh crypto isakmp sa
Thanks again for the help. Attached is the output you've requested.
Also, regarding your earlier post about the syslogs: I've set traps on the same spoke that is in this document and hopefully will have an output file tonight with the data.
The default IPSEC lifetime is 3600 sec and the default for ISAKMP is 1440 minutes, so I think you should increase the timeout for the IPSEC security association to at least 12 hrs. Here's the link describing timeouts on Cisco devices and how to change it. If you look at the output of sh dmvpn de, you can see the lifetime, and then the IPsec SA will re-establish and may be causing issues with your phone system.
fvrf: (none), Phase1_id: 22.214.171.124
IPSEC FLOW: permit 47 host 126.96.36.199 host 188.8.131.52
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 6658 drop 0 life (KB/Sec) 4470346/682
Outbound: #pkts enc'ed 26 drop 0 life (KB/Sec) 4471667/682
Hope it helps.
Thank you again.
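To check the rekey theory above against the spoke's logs, here is an added example (my own script, not from the thread or from Cisco) that parses the "life (KB/Sec)" counters from sh dmvpn detail output, predicts when each IPsec SA expires, and reports any IPPHONE REG_ALARM timestamps that fall within a few minutes of that rekey. The sample output, snapshot time and alarm times are constructed for the demo; the addresses are placeholders.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample modelled on the "sh dmvpn detail" excerpt posted in this thread.
SAMPLE = """\
 fvrf: (none), Phase1_id: 22.214.171.124
 IPSEC FLOW: permit 47 host 126.96.36.199 host 188.8.131.52
   Active SAs: 2, origin: crypto map
   Inbound: #pkts dec'ed 6658 drop 0 life (KB/Sec) 4470346/682
   Outbound: #pkts enc'ed 26 drop 0 life (KB/Sec) 4471667/682
"""
# Constructed: time the snapshot was taken and REG_ALARM timestamps pulled from syslog.
SNAPSHOT_AT = datetime(2024, 1, 1, 12, 0, 0)
ALARMS = [datetime(2024, 1, 1, 12, 13, 0), datetime(2024, 1, 1, 13, 0, 0)]

FLOW_RE = re.compile(r"IPSEC FLOW: permit (\d+) host (\S+) host (\S+)")
SA_RE = re.compile(r"(Inbound|Outbound):\s+#pkts \S+ (\d+) drop (\d+) life \(KB/Sec\) (\d+)/(\d+)")

@dataclass
class SaState:
    direction: str
    packets: int
    drops: int
    kb_left: int
    sec_left: int   # seconds until this SA expires and a rekey is needed

def parse_dmvpn_detail(text):
    """Map each IPSEC FLOW (GRE, proto 47, between tunnel endpoints) to its SAs."""
    flows, current = {}, None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            current = f"proto {m.group(1)} {m.group(2)}->{m.group(3)}"
            flows[current] = []
            continue
        m = SA_RE.search(line)
        if m and current is not None:
            d, pk, dr, kb, sec = m.groups()
            flows[current].append(SaState(d, int(pk), int(dr), int(kb), int(sec)))
    return flows

def next_rekey(snapshot_at, sa):
    """Wall-clock time at which the SA's time-based lifetime runs out."""
    return snapshot_at + timedelta(seconds=sa.sec_left)

def alarms_near_rekey(flows, snapshot_at, alarm_times, window=timedelta(minutes=5)):
    """Return (flow, direction, alarm_time) for alarms within `window` of a predicted rekey."""
    return [(key, sa.direction, t) for key, sas in flows.items() for sa in sas
            for t in alarm_times if abs(t - next_rekey(snapshot_at, sa)) <= window]

def check_sample():
    return alarms_near_rekey(parse_dmvpn_detail(SAMPLE), SNAPSHOT_AT, ALARMS)
```

Feed it a snapshot per spoke plus the alarm times from sh logging; if alarms keep landing on predicted rekeys, the lifetime change Manish suggests is the thing to test.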
I will give these changes a try and let you know how it comes out.
I should know very quickly as I've been getting alerts about every 4 hours on random spokes.