Tuesday, 7 July 2015

Cisco Security - IPSec Tunnels diagnose

Sometimes even a carefully configured IPSec tunnel starts flapping. What does that mean?
It means the tunnel interface goes down and, a short time later, comes back up again.
Here is what to do to diagnose this issue.

First, check the logs with this command:

sh logg

result:

2755318: Jul  7 14:46:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel30, changed state to down
2755319: Jul  7 14:46:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to down
2755929: Jul  7 14:48:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up
2756083: Jul  7 14:48:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel30, changed state to up


If you see lines like the ones above, the tunnel is flapping.
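Reading a long "sh logg" buffer by eye is error-prone, so here is a small log parser, added as an example for this post (it is not from the original post or from Cisco). It takes the UPDOWN lines quoted above (plus a constructed second outage and one unrelated message), pairs each "down" with the next "up" per tunnel interface, and reports the outage lengths and whether the interface is flapping. The year is an assumption, because IOS log timestamps do not carry one.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of "sh logg" output, modelled on the lines in the post plus a second,
# shorter Tunnel20 outage and one unrelated message that the parser must ignore.
SAMPLE_LOG = """\
2755318: Jul  7 14:46:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel30, changed state to down
2755319: Jul  7 14:46:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to down
2755929: Jul  7 14:48:06: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up
2756083: Jul  7 14:48:16: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel30, changed state to up
2756500: Jul  7 15:02:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to down
2756510: Jul  7 15:02:31: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel20, changed state to up
2756900: Jul  7 15:10:00: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Matches only LINEPROTO-5-UPDOWN lines; the leading sequence number and the
# "Mon dd hh:mm:ss" timestamp follow the format seen in the post.
UPDOWN_RE = re.compile(
    r"^\d+: (?P<mon>[A-Za-z]{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d): "
    r"%LINEPROTO-5-UPDOWN: Line protocol on Interface (?P<iface>\S+), "
    r"changed state to (?P<state>up|down)$"
)


def parse_updown_events(text, year=2015):
    """Return a list of (timestamp, interface, state) tuples for every UPDOWN line.

    IOS log timestamps carry no year, so the caller supplies one (assumption: all
    lines fall in the same year).
    """
    events = []
    for line in text.splitlines():
        m = UPDOWN_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append((ts, m["iface"], m["state"]))
    return events


def summarize_flaps(events, max_outage_seconds=600):
    """Pair each 'down' with the next 'up' per interface and report flapping.

    An interface counts as flapping when at least one down/up cycle completed within
    max_outage_seconds; 'still_down' marks a down event with no matching up yet.
    """
    downs = defaultdict(int)
    outages = defaultdict(list)
    pending_down = {}
    for ts, iface, state in sorted(events):
        if state == "down":
            downs[iface] += 1
            pending_down[iface] = ts
        elif iface in pending_down:
            outages[iface].append((ts - pending_down.pop(iface)).total_seconds())
    report = {}
    for iface in set(downs) | set(outages):
        short = [o for o in outages[iface] if o <= max_outage_seconds]
        report[iface] = {
            "down_count": downs[iface],
            "outages_s": outages[iface],
            "flapping": len(short) > 0,
            "still_down": iface in pending_down,
        }
    return report


if __name__ == "__main__":
    for iface, info in sorted(summarize_flaps(parse_updown_events(SAMPLE_LOG)).items()):
        print(iface, info)
```

On the sample this reports Tunnel30 with one 120-second outage and Tunnel20 with two outages (110 s and 30 s), both flagged as flapping. On a real box, paste the output of "sh logg" into SAMPLE_LOG (or read it from a file) and adjust the year.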

Next, use this command to check the status of the tunnels' ISAKMP security associations:

sh crypto isakmp sa

result:

IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
x.x.x.x         x.y.z.z         QM_IDLE           1194 ACTIVE
y.y.y.y         x.y.z.z         QM_IDLE           1193 ACTIVE



If the state is QM_IDLE and the status is ACTIVE, the ISAKMP keys have been exchanged correctly.
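To turn that visual check into something repeatable, here is a parser for the "sh crypto isakmp sa" table, added as an example for this post (not from the original post or from Cisco). The sample output is constructed: the two QM_IDLE/ACTIVE rows mirror the post with RFC 5737 documentation addresses in place of x.x.x.x, and a third row in MM_NO_STATE is added to show a peer whose phase 1 negotiation has not completed. The check flags any SA that is not QM_IDLE/ACTIVE and any peer pair that has more than one SA, since repeated renegotiation often goes together with a flapping tunnel.

```python
import re
from collections import Counter

# Constructed sample of "sh crypto isakmp sa" output. The two QM_IDLE/ACTIVE rows follow the
# post (with RFC 5737 documentation addresses instead of x.x.x.x); the MM_NO_STATE row is
# added to show a peer stuck in main mode, i.e. a phase 1 negotiation that has not completed.
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.10    198.51.100.5    QM_IDLE           1194 ACTIVE
203.0.113.20    198.51.100.5    QM_IDLE           1193 ACTIVE
203.0.113.20    198.51.100.5    MM_NO_STATE       1201 ACTIVE

IPv6 Crypto ISAKMP SA

"""

# One SA row: dst, src, state, numeric conn-id, then the status text to end of line.
# Section titles and the column header do not match because their 4th field is not numeric.
SA_ROW_RE = re.compile(
    r"^(?P<dst>\S+)\s+(?P<src>\S+)\s+(?P<state>\S+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; headers and section titles are skipped."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line)
        if m:
            d = m.groupdict()
            d["conn_id"] = int(d["conn_id"])
            rows.append(d)
    return rows


def check_isakmp(rows):
    """Classify SAs: healthy means state QM_IDLE and status ACTIVE (phase 1 complete).

    Also reports peer pairs with more than one SA, which usually means the SA is being
    renegotiated repeatedly, a common companion of a flapping tunnel.
    """
    healthy, problems = [], []
    for r in rows:
        if r["state"] == "QM_IDLE" and r["status"] == "ACTIVE":
            healthy.append(r["conn_id"])
        else:
            problems.append(r)
    pair_counts = Counter((r["dst"], r["src"]) for r in rows)
    duplicates = sorted(pair for pair, n in pair_counts.items() if n > 1)
    return {"healthy": healthy, "problems": problems, "duplicate_peers": duplicates}


if __name__ == "__main__":
    report = check_isakmp(parse_isakmp_sa(SAMPLE_ISAKMP))
    print("healthy conn-ids:", report["healthy"])
    for p in report["problems"]:
        print(f"conn-id {p['conn_id']} to {p['dst']}: state {p['state']}, status {p['status']}")
    print("peers with more than one SA:", report["duplicate_peers"])
```

On the sample, conn-ids 1194 and 1193 come out healthy, conn-id 1201 is reported as a problem, and the pair 203.0.113.20 / 198.51.100.5 is reported as having more than one SA.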
The next important command is:

sh crypto session brief

This command lets us check the status of all tunnels at once.
The last command is:

sh crypto session detail

In this output the important parameter is Uptime; it tells us how long the tunnel has been running.
These commands are enough for basic troubleshooting. In a future post I will go into more detail.
