Troubleshooting VPN S2S takes patience


I’ve found a number of times that if you have a crypto map that is applied to an interface, changes made to the transform-set that is applied to this interface are not applied instantaneously. So e.g. you have this crypto map:

crypto map MYMAP ipsec-isakmp 10

set peer

set security-association lifetime kilobytes 4608000
set security-association lifetime seconds 3600

set transform-set MYSET
set pfs group5

Now if you change MYSET, your router may still send out the old MYSET. Solution no1:

  • be patient, wait 15 minutes
  • clear the crypto map, apply it again
  • shut and unshut the interface

So if you’re troubleshooting a broken S2S VPN, make one change, wait 15 minutes, check, if it’s still not working only THEN make another change.

Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end trying one thing after another and nothing worked. We ended the session and set up another one for the next day. I  reverted the config to the original settings + made 1 change that should be ok (but it still wasn’t ok! ), went shopping, came back, and it just worked!



Wprowadź swoje dane lub kliknij jedną z tych ikon, aby się zalogować:


Komentujesz korzystając z konta Wyloguj /  Zmień )

Zdjęcie z Twittera

Komentujesz korzystając z konta Twitter. Wyloguj /  Zmień )

Zdjęcie na Facebooku

Komentujesz korzystając z konta Facebook. Wyloguj /  Zmień )

Połączenie z %s

%d blogerów lubi to: