[c-nsp] DMVPN IPSEC Issue

Terry Baranski tbaranski at mail.com
Wed Oct 8 18:03:39 EDT 2008


Yep -- though on both sides, right?  My understanding is DPD is negotiated
and only used if both sides support it.

-Terry

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net 
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn
> Sent: Wednesday, October 08, 2008 4:05 PM
> To: Felix Nkansah
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] DMVPN IPSEC Issue
> 
> 
> I think you need DPD on the spokes for that to happen.
> 
> crypto isakmp keepalive 10 2
> 
> Rodney
> 
> On Wed, Oct 08, 2008 at 06:05:11PM +0000, Felix Nkansah wrote:
> > Hi All,
> > I have a lab setup of 3 routers in a hub-and-spoke topology. I have
> > configured DMVPN with R1 being the hub. These routers all connect
> > through a switch.
> > 
> > The problem I experience is that, if the hub router goes off (because I
> > reboot it or shut down the WAN interface), the ISAKMP and IPSEC
> > associations remain active on the spokes.
> > 
> > As such when the hub router comes back up, the spokes try to use the
> > existing SAs to communicate with it, which results in 'Invalid SPI
> > errors' on the Hub with no connectivity as such.
> > 
> > I resolve this problem manually by clearing crypto sessions on the
> > spokes.
> > 
> > I would like to know if there is a way to let the spokes time-out their
> > SA sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes
> > unavailable for some seconds.
> > 
> > Waiting on your reply.
> > 
> > Thanks,
> > 
> > Felix
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
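The thread's advice is that the spokes need Dead Peer Detection so they notice a hub outage and tear down their stale ISAKMP/IPsec SAs instead of keeping them until the hub rejects the old SPIs. As an added example, not from the thread, from Cisco, or from any of the posters, here is where the keepalive command sits in a spoke's crypto configuration. Everything apart from the `crypto isakmp keepalive` line is an assumption for context: the policy numbers, the pre-shared key, the transform set and profile names, the tunnel addresses and NHRP parameters are all placeholders.

```cisco
! Spoke-side IKE/IPsec configuration with DPD enabled (added example; all values are placeholders)
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
!
! Dead Peer Detection: send a probe every 10 s, retry every 2 s once a probe goes unanswered.
! "periodic" makes the spoke probe on a timer even when it has no traffic to send;
! without the keyword IOS only probes on demand, i.e. when the spoke has outbound
! traffic and has heard nothing back from the peer. DPD is only used with a peer that
! also advertised it during IKE negotiation, so the hub needs the same command.
crypto isakmp keepalive 10 2 periodic
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 ip nhrp authentication PLACEHOLDER
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel protection ipsec profile DMVPN-PROF
```

To confirm that DPD was actually negotiated with the hub rather than just configured locally, `show crypto isakmp sa detail` on the spoke lists a capabilities column for each SA; a `D` there means both sides advertised DPD for that session. When the hub is rebooted, the spoke's ISAKMP SA and the IPsec SAs it protects should disappear from `show crypto isakmp sa` and `show crypto ipsec sa` after the probes time out, so the spoke re-initiates Phase 1 and 2 from scratch when the hub returns instead of sending on the old SPIs.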