IPSEC tunnels locking up (DMVPN)

wintermute000 · February 05, 2015, 05:38:11 PM

Now we're all used to IPSEC tunnels locking up intermittently and you just bounce them and all is well.

I have a DMVPN with dual hub where the rate of locking up is a bit higher than for my comfort.
The bit that confuses me is that you'll get one of the two tunnels locking up at any time, whilst the other session stays up.
Since this is a certificate based DMVPN, if the ipsec/crypto parameters were invalid, it would lose all connectivity surely (not just to one of the two hubs).

I'm a bit at a loss to know where to start diagnosing, esp as the crypto debugs are a nightmare (to this router guy anyway!!!!) and its nothing obvious like a parameter mismatch in phase1/phase2 or cert mismatch etc. and like I said it can't possibly be that, as you only lose 1 tunnel @ a time (never seen a site drop both tunnels without a straight up WAN issue)

I've checked syslogs for both one example incident and at both ends all I see is the crypto session dropping followed by EIGRP adjacency down, nothing preceding that is related.

deanwebb · February 05, 2015, 07:32:46 PM

Well... can you post the crypto debugs from a fail?

wintermute000 · February 05, 2015, 07:47:48 PM

I'll have to turn then on first. Which ones do you suggest that won't overload a 2911 too much given I have to leave it for days or even weeks

deanwebb · February 06, 2015, 09:21:33 AM

Just ones for IPSEC, can't recall off the top of my head what they are. Can't remember, does having them fire off to a syslog server keep them from piling up in the buffer?

wintermute000 · February 06, 2015, 04:32:06 PM

not stressed re: buffers as it will just overwrite, just slightly concerned re: CPU.

deanwebb · February 06, 2015, 05:18:35 PM

Well, shut down all unused ports so the LED process doesn't wipe you out.

IPSEC tunnels locking up (DMVPN)

wintermute000

deanwebb

wintermute000

deanwebb

wintermute000

deanwebb