[c-nsp] DMVPN IPSEC Issue

d lists dlists95 at gmail.com
Wed Oct 8 22:28:27 EDT 2008


crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

-dlists

On Wed, Oct 8, 2008 at 12:05 PM, Felix Nkansah <felixnkansah at gmail.com> wrote:

> Hi All,
> I have a lab setup of 3 routers in a hub-and-spoke topology. I have
> configured DMVPN with R1 being the hub. These routers all connect through a
> switch.
>
> The problem I experience is that, if the hub router goes off (because I
> reboot it or shut down the WAN interface), the ISAKMP and IPSEC
> associations remain active on the spokes.
>
> As such when the hub router comes back up, the spokes try to use the
> existing SAs to communicate with it, which results in 'Invalid SPI errors'
> on the Hub with no connectivity as such.
>
> I resolve this problem manually by clearing crypto sessions on the spokes.
>
> I would like to know if there is a way to let the spokes time-out their SA
> sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes
> unavailable for some seconds.
>
> Waiting on your reply.
>
> Thanks,
>
> Felix
>
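As an added example (not part of the thread or of Cisco's documentation): a Python scan of hub syslog for the 'Invalid SPI' errors described above, listing the spokes that keep sending on SAs the hub no longer holds. The message layout in the regex, the sample lines and the function name `stale_sa_peers` are assumptions.

```python
import re
from collections import defaultdict

# Assumed layout of the IOS invalid-SPI syslog message; adjust the pattern
# if your release or timestamp settings format it differently.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*?destaddr=(?P<dst>[\d.]+),\s*"
    r"prot=(?P<prot>\d+),\s*spi=(?P<spi>0x[0-9A-Fa-f]+)\(\d+\),\s*"
    r"srcaddr=(?P<src>[\d.]+)"
)

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE_LOG = """\
Oct  8 12:01:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 12:01:12: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
Oct  8 12:01:40: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
Oct  8 12:01:55: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x0BADF00D(195948557), srcaddr=192.0.2.3
Oct  8 12:02:10: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
"""


def stale_sa_peers(log_text, threshold=2):
    """Map each source peer to the SPIs the hub rejected at least `threshold` times.

    A spoke that repeats the same unknown SPI after a hub reload is still
    encrypting with a pre-reload SA and needs its session renegotiated.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = INV_SPI.search(line)
        if m:
            hits[m["src"]].append(m["spi"].lower())
    return {
        src: sorted(set(spis))
        for src, spis in hits.items()
        if len(spis) >= threshold
    }


if __name__ == "__main__":
    for peer, spis in stale_sa_peers(SAMPLE_LOG).items():
        print(f"{peer}: stale SPI(s) {', '.join(spis)}")
```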

