Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1221
Views
0
Helpful
3
Replies

VTI tunnel interface protocol goes DOWN during ipsec re-key

1604BVKAS
Level 1
Level 1

‎07-01-2014 12:51 AM - edited ‎03-04-2019 11:15 PM

I have routers 2801 and 2921 with IPSec static virtual tunnels (VTI) configured. Sometimes during ipsec re-key goes the VTI tunnel protocol DOWN. ISAKMP and IPSEC SA are OK, elapsed time of both lifetime is same as time from tunnel protocol down. I must reconnect tunnel interface manual with clear crypto sa. Between this routers are only switches of our ISP and optical connections. Ping aren't longer than 40 ms. Do you have any idea why this happened?



 

crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key xxxx address 10.64.0.1
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile sVTI
set transform-set AES256-SHA
!
interface Tunnel2
bandwidth 100000
ip address 10.64.1.2 255.255.255.252
ip mtu 1400
tunnel source GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel destination 10.64.0.1
tunnel path-mtu-discovery
tunnel protection ipsec profile sVTI


 

Labels:
0 Helpful
3 Replies 3

Vasilii Mikhailovskii
Level 7
Level 7

‎07-05-2014 11:26 AM

Hello.

What IOS version are you using?

You might be missing 

crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10 3

on the other side.

PS: no need for path-mtu-discovery on your tunnel, but recommended to have ip tcp adjust-mss 1360

PS2: try to low IPSEC lifetime (set security-association lifetime seconds ?14400)

PS3: for ipsec ipv4 you need IPSec tunnel mode (not sure if you use transport).

0 Helpful

1604BVKAS
Level 1
Level 1
In response to Vasilii Mikhailovskii

‎07-06-2014 10:28 PM

Hello,

IOS version on 2801 is 12.4(9)T5 and on 2921 is 15.2(4)M1. Configuration on the both side is same (except IP addresses). IPSec is in tunnel mode (default settings). I think that this fault is only when ISAKMP timelife expired and have to re-key. On LAN interface I was set ip tcp adjust-mss 1360 in the past.
 

0 Helpful

Vasilii Mikhailovskii
Level 7
Level 7
In response to 1604BVKAS

‎07-06-2014 10:36 PM

First of all I would suggest to update 2801 to 12.4(15)T<13/17> or 12.4(24)T<8/9>; and 2921 to 15.2(4)M6a

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card