Troubleshooting VPN S2S takes patience

Hello

I've found a number of times that if a crypto map is applied to an interface, changes made to the transform set referenced by that crypto map are not applied instantaneously. So e.g. you have this crypto map:

crypto map MYMAP 10 ipsec-isakmp
 set peer 8.8.8.8
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set transform-set MYSET
 set pfs group5
 match address MY_INTERESTING_TRAFFIC

Now if you change MYSET, your router may keep proposing the old MYSET: the IPsec security associations that are already up stay up until their lifetime expires (3600 seconds in the map above) or until they are torn down, and only a new negotiation picks up the edited transform set. Solutions:

  • be patient, wait 15 minutes
  • remove the crypto map from the interface, then apply it again
  • shut and unshut the interface
  • tear down the existing SAs for that peer with clear crypto sa (and check the active proposal with show crypto ipsec sa)

So if you're troubleshooting a broken S2S VPN, make one change, wait 15 minutes, check, and only if it's still not working THEN make another change.
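The same map as above, put together with a transform set, a verification step and a forced renegotiation, as an added example (not from the original post). The transform-set algorithms, the interface name and the peer address are placeholders; the point is the check after the edit: the "transform" line of show crypto ipsec sa reflects the SA that was actually negotiated, not the running-config, so a stale SA still shows the old proposal until it is cleared or expires.

```cisco
! Added example, not the original post's config. MYSET's algorithms and
! the interface are assumptions; the map mirrors the post.
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map MYMAP 10 ipsec-isakmp
 set peer 8.8.8.8
 set security-association lifetime kilobytes 4608000
 set security-association lifetime seconds 3600
 set transform-set MYSET
 set pfs group5
 match address MY_INTERESTING_TRAFFIC
!
interface GigabitEthernet0/0
 crypto map MYMAP
!
! After editing MYSET: what is the ACTIVE SA using? The transform shown
! here is the one negotiated when the SA came up, not the running-config.
show crypto ipsec sa peer 8.8.8.8 | include transform|inbound|outbound
!
! Force a fresh negotiation instead of waiting for the 3600 s lifetime.
! Scoping the clear to this peer leaves every other tunnel untouched.
clear crypto sa peer 8.8.8.8
!
! Send traffic that matches MY_INTERESTING_TRAFFIC, then re-check:
! the transform line should now show the edited MYSET.
show crypto ipsec sa peer 8.8.8.8 | include transform
```

Do the show command before and after every single change; if the transform line has not changed, the SA you are looking at is still the old one and the remote end has not seen your new proposal yet, so there is nothing to conclude from the tunnel still being down.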

Today I spent 80 minutes in a troubleshooting session with an engineer from the remote end, trying one thing after another, and nothing worked. We ended the session and set up another one for the next day. I reverted the config to the original settings and made 1 change that should be ok (but it still wasn't ok!), went shopping, came back, and it just worked!
