I've had a local 620 & a master 3200 in place for several months with no problems whatsoever. All of a sudden, I no longer have my IPSEC tunnel between the two. I have confirmed that both sites have full internet connectivity and clients at either end are able to access external resources.
Here is the topology:
620 > VLAN1 DHCP 192.168.0.2 > Modem 192.168.0.1 > Public IP > INTERNET > Router doing NAT > 3200
Local 620 Config:
masterip ipsec ****** interface vlan 1
!
interface vlan 31
    ip address 192.168.31.1 255.255.255.0
    ip nat inside
    operstate up
    description "LAN"
!
ip default gateway 192.168.0.1
Debug:
Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Nov 14 21:27:52 :103060: |ike| exchange.c:exchange_start_pre_connect:3225 IKE negotiation in progress for map default-local-master-ipsecmap
Nov 14 21:28:12 :103063: |ike| ->Delete AGGRESSIVE Exchange ic de0f30e6fe652351 rc 0000000000000000
Nov 14 21:28:12 :103063: |ike| modp_free entered
Nov 14 21:28:12 :103060: |ike| exchange.c:exchange_negotiation_state_done:2724 Ipsec map default-local-master-ipsecmap is marked negotiation-done
Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 1 ip 192.168.0.2
Nov 14 21:28:13 :103060: |ike| ipc.c:controlplaneArpModify:4012 Failed to Delete ARP error No such device or address
Nov 14 21:28:13 :103063: |ike| New(1) AGGRESSIVE Exchange ic e06241d1b84b40e0 rc 0000000000000000
Nov 14 21:28:13 :103063: |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
Nov 14 21:28:13 :103063: |ike| group_get entered id:2
Nov 14 21:28:13 :103063: |ike| group_get ike_group:0x10000178
Nov 14 21:28:13 :103063: |ike| modp_init entered
Nov 14 21:28:13 :103063: |ike| group_get group:0x101d1c3c
Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_initiator_send_SA:415 peer:
Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE caCert:none
Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_KE_NONCE
Nov 14 21:28:13 :103060: |ike| if.c:GetIPAddrByVlanId:209 vlan 0 ip 192.168.31.1
Nov 14 21:28:13 :103060: |ike| ike_phase_1.c:ike_phase_1_send_ID:1744 with SwitchIP 192.168.31.1
Nov 14 21:28:13 :103063: |ike| ike_phase_1_send_ID
Nov 14 21:28:13 :103060: |ike| exchange.c:exchange_negotiation_state_inprog:2708 Ipsec map default-local-master-ipsecmap is marked negotiation-inprogress
Local Show Datapath Session 4500:
(aructrl-la) #show datapath session | include 4500
68.99.67.221 192.168.0.2 17 4500 10000 0/0 0 0 0 local 400 FNY
192.168.0.2 68.99.67.221 17 4500 4500 0/0 0 0 1 local 400 FSC
On the Master show datapath session, I only see 4500 for my other functioning local controllers. Thoughts?
#3200
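An added example, not part of the original post: in IKEv1 the responder cookie stays all zeros until a reply from the peer has been processed, so the `ic`/`rc` values in the debug lines above (read here as initiator and responder cookie) can be checked mechanically for exchanges that were torn down without a reply. This Python sketch pairs the `New` and `Delete` exchange lines by initiator cookie; the regex is an assumption inferred only from the line format shown in the post, and the year used for timestamp parsing is a placeholder.

```python
import re
from datetime import datetime

# Lines copied from the debug output in the post (no other data is assumed).
SAMPLE = """\
Nov 14 21:28:12 :103063: |ike| ->Delete AGGRESSIVE Exchange ic de0f30e6fe652351 rc 0000000000000000
Nov 14 21:28:13 :103063: |ike| New(1) AGGRESSIVE Exchange ic e06241d1b84b40e0 rc 0000000000000000
Nov 14 21:28:13 :103063: |ike| ike_phase_1_initiator_send_SA policy:10001 enc:5 hmac:2 auth:1 group:2
"""

# Assumed line shape, inferred only from the lines shown in the post.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) :\d+: \|ike\| "
    r"(?:->)?(?P<ev>New|Delete)(?:\(\d+\))? (?P<mode>\w+) Exchange "
    r"ic (?P<ic>[0-9a-f]{16}) rc (?P<rc>[0-9a-f]{16})"
)
ZERO_COOKIE = "0" * 16
PLACEHOLDER_YEAR = "2000 "  # syslog stamps carry no year; any fixed year works


def summarize(log_text):
    """Return {initiator_cookie: info} for each IKE exchange named in the log."""
    exchanges = {}
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # other IKE debug lines are ignored
        ts = datetime.strptime(PLACEHOLDER_YEAR + m["ts"], "%Y %b %d %H:%M:%S")
        x = exchanges.setdefault(m["ic"], {"mode": m["mode"], "start": None,
                                           "end": None, "responder_seen": False})
        x["start" if m["ev"] == "New" else "end"] = ts
        # A non-zero responder cookie means a reply from the peer was processed.
        x["responder_seen"] |= m["rc"] != ZERO_COOKIE
    for x in exchanges.values():
        paired = x["start"] is not None and x["end"] is not None
        x["seconds"] = (x["end"] - x["start"]).total_seconds() if paired else None
        # Torn down while the responder cookie was still zero: no reply was seen.
        x["unanswered"] = x["end"] is not None and not x["responder_seen"]
    return exchanges


if __name__ == "__main__":
    for ic, x in summarize(SAMPLE).items():
        state = "deleted" if x["end"] else "still open"
        reply = "reply seen" if x["responder_seen"] else "no reply seen"
        print(f"{x['mode']} ic={ic}: {state}, {reply}, lifetime={x['seconds']}")
```

Run on the lines from the post, it reports the first exchange as deleted with no reply seen and the second as still open, since the capture contains neither the first exchange's `New` line nor the second's `Delete` line.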