RE: DMVPN Lab Configuration Issue

From: Luan Nguyen (luan@netcraftsmen.net)
Date: Wed Oct 08 2008 - 15:28:07 ART


You could try to configure crypto isakmp invalid-spi-recovery, dead peer
detection and crypto ipsec security-association idle-time.
Word is that Cisco is working on keep alive for DMVPN :)

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Felix Nkansah
Sent: Wednesday, October 08, 2008 2:08 PM
To: Cisco certification
Subject: DMVPN Lab Configuration Issue

Hi All,
I have a lab setup of 3 routers in a hub-and-spoke topology. I have
configured DMVPN with R1 being the hub. These routers all connect through a
switch.

The problem I experience is that, if the hub router goes off (because I
reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations
remain active on the spokes.

As such, when the hub router comes back up, the spokes try to use the
existing SAs to communicate with it, which results in 'Invalid SPI errors'
on the Hub with no connectivity as such.

I resolve this problem manually by clearing crypto sessions on the
spokes. The hub doesn't initiate the connection because its tunnel interface
is in GRE Multipoint mode.

I would like to know if there is a way to let the spokes automatically
time-out their SA sessions and re-initiate Phase 1 & 2 negotiations if the
Hub becomes unavailable for some seconds.

Waiting on your reply.

Thanks,

Felix
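
The three features named in the reply above, written out as an IOS configuration sketch. This is an added example, not a configuration posted by anyone in the thread. The timer values and the choice of which router gets which command are assumptions for a lab like the one described (R1 as hub).

```cisco
! ===== Spokes =====
! Dead peer detection: send an IKE keepalive every 10 s; after a missed
! reply, retry every 3 s. "periodic" sends keepalives even when the
! tunnel is otherwise quiet, so a rebooted or unreachable hub is noticed
! and the ISAKMP SA (with its IPsec SAs) is torn down instead of lingering.
! 10 and 3 are constructed lab values, not taken from the thread.
crypto isakmp keepalive 10 3 periodic
!
! Idle timer: delete IPsec SAs that have carried no traffic for 60 s.
! 60 is a constructed value; tune it to the lab's traffic pattern.
crypto ipsec security-association idle-time 60
!
! ===== Hub (R1) =====
! Invalid SPI recovery: when the hub receives ESP with an SPI it no
! longer knows (for example after its reboot) and has no IKE SA with the
! sender, it initiates IKE to that peer so the stale SA can be reported
! and replaced.
! Caveat: the router starts IKE in response to unauthenticated packets,
! which Cisco's documentation flags as a possible DoS exposure, so weigh
! it before enabling on an Internet-facing hub.
crypto isakmp invalid-spi-recovery
!
! DPD on the hub as well, so SAs to dead spokes are cleaned up.
crypto isakmp keepalive 10 3 periodic
!
! ===== Verification (exec mode, on a spoke) =====
! After shutting the hub's WAN interface, the SAs should disappear
! without a manual "clear crypto session":
!   show crypto isakmp sa
!   show crypto ipsec sa
!   show dmvpn
```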
