[c-nsp] RES: DMVPN IPSEC Issue

Leonardo Gama Souza leonardo.souza at nec.com.br
Wed Oct 8 15:47:04 EDT 2008


Hi!

Decrease the ISAKMP keepalive.

For example:

crypto isakmp keepalive 10

Cheers,
Leonardo Gama 

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Wednesday, October 8, 2008 15:05
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DMVPN IPSEC Issue

Hi All,
I have a lab setup of 3 routers in a hub-and-spoke topology. I have
configured DMVPN with R1 being the hub. These routers all connect
through a switch.

The problem I experience is that, if the hub router goes off (because I
reboot it or shut down the WAN interface), the ISAKMP and IPSEC
associations remain active on the spokes.

As such when the hub router comes back up, the spokes try to use the
existing SAs to communicate with it, which results in 'Invalid SPI
errors' on the Hub with no connectivity as such.

I resolve this problem manually by clearing crypto sessions on the
spokes.

I would like to know if there is a way to let the spokes time-out their
SA sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes
unavailable for some seconds.

Waiting on your reply.

Thanks,

Felix
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
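
The stale-SA condition described in the original message shows up in the hub's syslog as repeated invalid-SPI drops from the same spoke, so it can be flagged without waiting for a connectivity report. The following is an added example, not part of either post: the log lines are constructed (modeled on the IOS %CRYPTO-4-RECVD_PKT_INV_SPI message), and the function name, the threshold, the window and the year prefix are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed hub syslog sample; addresses and SPI values are made up.
SAMPLE_LOG = """\
Oct  8 15:01:02 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 15:01:05 R1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Oct  8 15:01:12 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 15:01:15 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0BADF00D(195948557), srcaddr=192.0.2.3
Oct  8 15:01:22 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 15:01:32 R1 %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+%CRYPTO-4-RECVD_PKT_INV_SPI:.*?"
    r"spi=(?P<spi>0x[0-9A-Fa-f]+).*?srcaddr=(?P<src>[\d.]+)"
)

def stale_sa_peers(log_text, threshold=3, window_s=60, year=2008):
    """Return {peer: sorted SPIs} for peers that sent at least `threshold`
    invalid-SPI packets within any `window_s`-second span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated syslog message
        # Syslog timestamps carry no year; one is assumed so parsing is unambiguous.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["src"]].append((ts, m["spi"]))

    flagged = {}
    window = timedelta(seconds=window_s)
    for peer, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans at most window_s.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[peer] = sorted({spi for _, spi in hits})
                break
    return flagged

if __name__ == "__main__":
    for peer, spis in stale_sa_peers(SAMPLE_LOG).items():
        print(f"{peer}: still using SA(s) the hub no longer has: {', '.join(spis)}")
```

A spoke that keeps appearing in this output after a hub reload is still holding the old SAs, which is the state the shorter ISAKMP keepalive is meant to clear.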

