Discussion:
[c-nsp] DMVPN IPSEC Issue
Felix Nkansah
2008-10-08 18:05:11 UTC
Hi All,
I have a lab setup of 3 routers in a hub-and-spoke topology. I have
configured DMVPN with R1 being the hub. These routers all connect through a
switch.

The problem I experience is that, if the hub router goes off (because I
reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations
remain active on the spokes.

As such when the hub router comes back up, the spokes try to use the
existing SAs to communicate with it, which results in 'Invalid SPI errors'
on the Hub with no connectivity as such.

I resolve this problem manually by clearing crypto sessions on the spokes.

I would like to know if there is a way to let the spokes time-out their SA
sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes
unavailable for some seconds.

Waiting on your reply.

Thanks,

Felix
_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Rodney Dunn
2008-10-08 20:04:49 UTC
I think you need DPD on the spokes for that to happen.

crypto isakmp keepalive 10 2

Rodney
Terry Baranski
2008-10-08 22:03:39 UTC
Yep -- though on both sides, right? My understanding is DPD is negotiated
and only used if both sides support it.

-Terry
Leonardo Gama Souza
2008-10-08 19:47:04 UTC
Hi !

Decrease the ISAKMP keepalive.

For example:

crypto isakmp keepalive 10

Cheers,
Leonardo Gama

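Rodney's and Leonardo's replies give the one-line keepalive command, and Terry's reply points out that DPD is negotiated and has to be enabled on both ends. The configuration below is an added example, not from any of the posters, showing where that line sits in a complete DMVPN hub and spoke crypto setup with DPD enabled on both sides. Interface names, addresses, the pre-shared key, the NHRP authentication string and the profile names are assumptions.

```cisco
! Added example (not from the thread): DMVPN crypto config with DPD on
! both hub and spokes. Addresses, keys and names below are assumptions.
!
! ---- Common to hub and spokes ----
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key DMVPN-PSK address 0.0.0.0 0.0.0.0
!
! Dead Peer Detection: send an R-U-THERE every 10 s regardless of
! traffic ("periodic"); if no R-U-THERE-ACK comes back, retry every 2 s
! and tear down the IKE and IPsec SAs once the retries go unanswered.
! The default mode (no keyword) is on-demand, which probes only when the
! router has traffic to send and has not heard from the peer; periodic
! is the more predictable choice for spokes that must notice a hub
! outage and re-register. Configure it on hub and spokes alike so the
! DPD vendor ID is advertised by both ends of every IKE SA.
crypto isakmp keepalive 10 2 periodic
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- Hub (R1), public address assumed 192.0.2.1 ----
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp holdtime 300
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! ---- Spoke (R2) ----
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPKEY
 ip nhrp map 10.0.0.1 192.0.2.1
 ip nhrp map multicast 192.0.2.1
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
 ip nhrp holdtime 300
 ip nhrp registration no-unique
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

To confirm DPD is doing its job, shut the hub's WAN interface and watch a spoke with `show crypto isakmp sa` and `show crypto session`: the IKE SA to 192.0.2.1 should disappear within roughly the keepalive interval plus the retries, and `debug crypto isakmp` shows the unanswered R-U-THERE probes. When the hub comes back the spoke's NHRP registration triggers a fresh Phase 1 and 2 instead of sending ESP on a SPI the hub no longer knows.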
d lists
2008-10-09 02:28:27 UTC
crypto isakmp invalid-spi-recovery
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html

-dlists
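DPD is the spoke-side fix: it notices the hub going away. The invalid-SPI recovery feature dlists points to is the hub-side complement: it deals with a spoke that still has a stale SA when the hub is already back. The snippet below is an added example, not from any of the posters, showing the hub-side command together with the show and clear commands used to confirm the state and to fall back to the manual fix from the original post. The hub and spoke addresses are assumptions.

```cisco
! Added example (not from the thread): hub-side recovery for the
! "invalid SPI" case, plus the commands used to confirm it. Addresses
! are assumptions (hub 192.0.2.1, spoke 192.0.2.2).
!
! ---- Hub (R1) ----
! After a reboot the hub has no SAs, but a spoke whose DPD has not fired
! yet keeps sending ESP with the old SPI. Without this command the hub
! only logs %CRYPTO-4-RECVD_PKT_INV_SPI and drops those packets until the
! spoke's SA lifetime or DPD expires. With it, the hub initiates IKE to
! the spoke and sends a delete notification for the unknown SPI, so the
! spoke tears its stale SA down and renegotiates instead of waiting.
crypto isakmp invalid-spi-recovery
!
! ---- Verification (run on the spoke or the hub) ----
! IKE (phase 1) SAs and their state; QM_IDLE means established.
! show crypto isakmp sa
! Combined IKE + IPsec view per peer, including the tunnel interface.
! show crypto session
! IPsec SAs with their SPIs and packet counters; after recovery the
! spoke's outbound SPI must match the hub's inbound SPI for that peer.
! show crypto ipsec sa
!
! ---- Manual fallback (what the original post did by hand) ----
! Drop every session on the spoke, or only the session to the hub.
! clear crypto session
! clear crypto session remote 192.0.2.1
```

One caveat: invalid-SPI recovery only helps when the hub can itself initiate IKE to the spoke's address. Spokes behind NAT or on dynamic addresses cannot be reached that way, so for those DPD on the spoke remains the only thing that clears the stale SA without manual intervention.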
Felix Nkansah
2008-10-10 08:55:15 UTC
Thanks to you all for your comments.
I will apply them as suggested.