Hi Kings,

I use the shared profile in combination with ISAKMP profiles. What I found (whether it is multiple tunnels, or one tunnel and EzVPN / site-to-site tunnels on a single router) is that sometimes, although the ISAKMP profile should restrict it, the inbound SA would be set into a different SADB than the outbound SA. E.g. for Tunnel0, the inbound spoke SA would be in the system, or even the wrong tunnel, while the outbound would be in the Tunnel0 SADB.

What then happens is, for example, EIGRP flapping, NHRP registration not working, etc. Basically traffic comes in but can't get out, or vice versa, so that traffic isn't even hitting the tunnel interface.

So to prevent it, I specify shared on all tunnels, so that the SADB between the tunnels is shared. In production it means that you have a short interruption on the database.

What do you mean when you say that the same SA is valid? Where did you put the shared profile, on the hub side or the spoke side?

Kind regards
PJ

On 13 sep 2010, at 14:43, Kingsley Charles wrote:

---
Nefkens Advies
Enk 26
4214 DD Vuren
The Netherlands
Tel: +31 183 634730
Fax: +31 183 690113
Cell: +31 654 323221
Email: [email protected]
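For reference, an added configuration sketch (not part of PJ's message and not taken from his routers) of what the message describes: two mGRE tunnels on the same source interface, one IPsec profile tied to an ISAKMP profile, and `shared` on every tunnel. All names, addresses, tunnel keys and the key placeholder are assumptions.

```cisco
! Constructed example: names, addresses and keys are placeholders.
crypto keyring DMVPN-KR
 pre-shared-key address 0.0.0.0 0.0.0.0 key <PRE-SHARED-KEY>
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp profile DMVPN-IKE
 keyring DMVPN-KR
 match identity address 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROT
 set transform-set DMVPN-TS
 set isakmp-profile DMVPN-IKE
!
! Both tunnels use the same source interface, referenced by interface
! name, and the same IPsec profile. "shared" makes them use one SADB;
! distinct tunnel keys let the router tell the GRE flows apart.
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 ip nhrp network-id 100
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile DMVPN-PROT shared
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.0
 ip nhrp network-id 101
 ip nhrp map multicast dynamic
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 101
 tunnel protection ipsec profile DMVPN-PROT shared
```

`show crypto ipsec sa` and `show crypto socket` are the places to check which interface each peer's inbound and outbound SAs are attached to.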
