Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

VTI tunnel interface protocol goes DOWN during ipsec re-key

I have routers 2801 and 2921 with IPSec static virtual tunnels (VTI) configured. Sometimes during ipsec re-key goes the VTI tunnel protocol DOWN. ISAKMP and IPSEC SA are OK, elapsed time of both lifetime is same as time from tunnel protocol down. I must reconnect tunnel interface manual with clear crypto sa. Between this routers are only switches of our ISP and optical connections. Ping aren't longer than 40 ms. Do you have any idea why this happened?



 

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxx address 10.64.0.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile sVTI
set transform-set AES256-SHA
!
interface Tunnel2
bandwidth 100000
ip address 10.64.1.2 255.255.255.252
ip mtu 1400
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel destination 10.64.0.1
tunnel path-mtu-discovery
tunnel protection ipsec profile sVTI



 

Everyone's tags (1)
3 REPLIES

Hello.What IOS version are

Hello.

What IOS version are you using?

You might be missing 

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3

on the other side.

PS: no need for path-mtu-discovery on your tunnel, but recommended to have ip tcp adjust-mss 1360

PS2: try to low IPSEC lifetime (set security-association lifetime seconds ?14400)

PS3: for ipsec ipv4 you need IPSec tunnel mode (not sure if you use transport).

New Member

Hello,IOS version on 2801 is

Hello,

IOS version on 2801 is 12.4(9)T5 and on 2921 is 15.2(4)M1. Configuration on the both side is same (except IP addresses). IPSec is in tunnel mode (default settings). I think that this fault is only when ISAKMP timelife expired and have to re-key. On LAN interface I was set ip tcp adjust-mss 1360 in the past.
 

First of all I would suggest

First of all I would suggest to update 2801 to 12.4(15)T<13/17> or 12.4(24)T<8/9>; and 2921 to 15.2(4)M6a

490
Views
0
Helpful
3
Replies
CreatePlease to create content