[c-nsp] DMVPN IPSEC Issue

Rodney Dunn rodunn at cisco.com
Wed Oct 8 16:04:49 EDT 2008


I think you need DPD on the spokes for that to happen.

crypto isakmp keepalive 10 2

Rodney

On Wed, Oct 08, 2008 at 06:05:11PM +0000, Felix Nkansah wrote:
> Hi All,
> I have a lab setup of 3 routers in a hub-and-spoke topology. I have
> configured DMVPN with R1 being the hub. These routers all connect through a
> switch.
> 
> The problem I experience is that, if the hub router goes off (because I
> reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations
> remain active on the spokes.
> 
> As such when the hub router comes back up, the spokes try to use the
> existing SAs to communicate with it, which results in 'Invalid SPI errors'
> on the Hub with no connectivity as such.
> 
> I resolve this problem manually by clearing crypto sessions on the spokes.
> 
> I would like to know if there is a way to let the spokes time-out their SA
> sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes
> unavailable for some seconds.
> 
> Waiting on your reply.
> 
> Thanks,
> 
> Felix


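To spot the stale-SA condition described in this thread from the hub's syslog, the following is an added example (not part of either post): it flags spokes that keep sending ESP with an SPI the hub no longer knows. The log lines are constructed, the `%CRYPTO-4-RECVD_PKT_INV_SPI` message layout is assumed to follow the usual IOS form, and the function name, threshold and window are arbitrary choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog from a hub (R1) that has just come back up; not real traffic.
SAMPLE_LOG = """\
Oct  8 18:01:02 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 18:01:07 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 18:01:09 R1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Oct  8 18:01:12 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 18:01:15 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x100(256), srcaddr=192.0.2.3
Oct  8 18:01:17 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
"""

# Assumed message layout: "<Mon DD HH:MM:SS> <host> %CRYPTO-4-RECVD_PKT_INV_SPI: ... spi=0x..(dec), srcaddr=a.b.c.d"
INV_SPI = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+%CRYPTO-4-RECVD_PKT_INV_SPI:"
    r".*?spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\).*?srcaddr=(?P<src>[\d.]+)"
)


def stale_sa_peers(log_text, year=2008, threshold=3, window_s=30):
    """Return {peer_ip: spi} for peers that sent at least `threshold` packets
    with the same unknown SPI inside any `window_s`-second span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INV_SPI.match(line)
        if not m:
            continue  # unrelated syslog message
        # Classic syslog timestamps carry no year, so one is supplied.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[(m["src"], m["spi"])].append(when)

    flagged = {}
    window = timedelta(seconds=window_s)
    for (src, spi), times in hits.items():
        times.sort()
        # Sliding window: `threshold` consecutive hits that fit inside the window.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[src] = spi
                break
    return flagged


if __name__ == "__main__":
    for peer, spi in stale_sa_peers(SAMPLE_LOG).items():
        print(f"{peer} keeps using unknown SPI {spi}: check DPD (crypto isakmp keepalive) on that spoke")
```

A single stray packet, like the one from 192.0.2.3 in the sample, stays below the threshold and is not reported.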