VPN Question

marcusaureliusbrutus Member Posts: 73
Hi. I just wish to ask a quick way of troubleshooting a VPN connection and also a way to restart the crypto IKE process. If I remove the crypto map on the interface and apply it again, would that be a good practice? I am asking because our ISP went down where our VPN tunnel goes through and when it went back up, IP flow through the VPN is still not going through. Upon checking, the IKE sessions are active.

I would appreciate any advice on this.

Thanks in advance.

Comments

  • mikej412 Member Posts: 10,086
    There are quite a few VPN Troubleshooting documents/guides on the Cisco web site. What hardware are you using?
    marcusaureliusbrutus wrote: »
    a way to restart the crypto IKE process.

    clear crypto ipsec sa command
    and a
    clear crypto isakmp sa command

    But you might want to look into keepalives to have the tunnel recognize the problem and try to reestablish the connection on its own - Cisco IOS VPN Configuration Guide - Network Design Considerations [Cisco 7200 Series Routers] - Cisco Systems
    :mike: Cisco Certifications -- Collect the Entire Set!
  • marcusaureliusbrutus Member Posts: 73
    Hi mikej412,

    Thanks for your reply. Just to clarify though. When I run the "clear crypto sa" command, is this going to cancel the IKE connection and all existing IPsec sessions and reinitialize the IKE connection? Is it correct to consider that this command would restart the VPN negotiation between peers and would not delete the existing crypto map configuration?

    Thanks.
  • mzinz Member Posts: 328
    marcusaureliusbrutus wrote: »
    Hi mikej412,

    Thanks for your reply. Just to clarify though. When I run the "clear crypto sa" command, is this going to cancel the IKE connection and all existing IPsec sessions and reinitialize the IKE connection? Is it correct to consider that this command would restart the VPN negotiation between peers and would not delete the existing crypto map configuration?

    Thanks.

    That is correct, when you do "clear crypto isakmp sa" or "clear crypto ipsec sa" it's just "killing" the tunnel, not deleting ANY configuration. Kinda scary the first time! :)
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
  • mzinz Member Posts: 328
    mikej412 wrote: »
    There are quite a few VPN Troubleshooting documents/guides on the Cisco web site. What hardware are you using?


    clear crypto ipsec sa command
    and a
    clear crypto isakmp sa command

    But you might want to look into keepalives to have the tunnel recognize the problem and try to reestablish the connection on its own - Cisco IOS VPN Configuration Guide - Network Design Considerations [Cisco 7200 Series Routers] - Cisco Systems

    Thank you for that link, good info there. Marcus brings up a good point though, and it's something that I have personally seen in my own experience. Sometimes when an internet connection dies abruptly, then comes back up, the head-end will show that the tunnel is down, but the remote end will show that the tunnel is UP... This is even after 30 seconds pass (3 keepalives by default).

    Any idea how to combat this? Maybe a bug in the IOS? (12.4)
    _______LAB________
    2x 2950
    2x 3550
    2x 2650XM
    2x 3640
    1x 2801
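
The condition discussed in this thread (IKE sessions show as active, but no traffic passes after an outage) can be spotted by comparing two captures of `show crypto ipsec sa` taken a short time apart. The Python below is an added example, not code from any poster or from Cisco; the sample output is constructed, the peer addresses are documentation-range placeholders, and the function names are assumptions.

```python
import re

# Constructed `show crypto ipsec sa` excerpts, trimmed to the fields used here.
SAMPLE_T0 = """\
   current_peer 203.0.113.2 port 500
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
   current_peer 198.51.100.7 port 500
    #pkts encaps: 500, #pkts encrypt: 500, #pkts digest: 500
    #pkts decaps: 490, #pkts decrypt: 490, #pkts verify: 490
"""
SAMPLE_T1 = """\
   current_peer 203.0.113.2 port 500
    #pkts encaps: 1260, #pkts encrypt: 1260, #pkts digest: 1260
    #pkts decaps: 1180, #pkts decrypt: 1180, #pkts verify: 1180
   current_peer 198.51.100.7 port 500
    #pkts encaps: 540, #pkts encrypt: 540, #pkts digest: 540
    #pkts decaps: 531, #pkts decrypt: 531, #pkts verify: 531
"""

PEER = re.compile(r"current_peer[:\s]+(\S+)")
COUNTER = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_counters(text):
    """Return {peer: {"encaps": n, "decaps": n}}, summed over that peer's SAs."""
    peers, current = {}, None
    for line in text.splitlines():
        m = PEER.search(line)
        if m:
            current = peers.setdefault(m.group(1), {"encaps": 0, "decaps": 0})
            continue
        if current is not None:
            for name, value in COUNTER.findall(line):
                current[name] += int(value)
    return peers

def stale_peers(before, after):
    """Peers whose encaps counter grew while the decaps counter did not move."""
    old, new = parse_counters(before), parse_counters(after)
    stale = []
    for peer, counts in new.items():
        prev = old.get(peer)
        if prev is None:
            continue  # no baseline for this peer, nothing to compare
        sent = counts["encaps"] - prev["encaps"]
        received = counts["decaps"] - prev["decaps"]
        if sent > 0 and received == 0:
            stale.append(peer)
    return sorted(stale)
```

A flagged peer is one where the clear commands or the keepalives mentioned by mikej412 would apply; a tunnel that legitimately carries only one-way traffic will be flagged as well.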