What does this line do?

Unanswered Question
May 4th, 2007

crypto isakmp keepalive 15 periodic


I have a few 877 routers where the ADSL connections are unstable. Each time the connection drops the VPN connection is either not reset or does not come up at all.


Will this line fix the problem or is there something else I need to add to it?

bjornarsb Fri, 05/04/2007 - 01:39
User Badges:
  • Bronze, 100 points or more

Hi,


DPD allows the router to detect a dead IKE peer, and when the router detects the dead state, the router deletes the IPSec and IKE SAs to the peer.


With the IPSec Dead Peer Detection Periodic Message Option feature, you can configure your router so that DPD messages are "forced" at regular intervals. This forced approach results in earlier detection of dead peers. For example, if a router has no traffic to send, a DPD message is still sent at regular intervals, and if a peer is dead, the router does not have to wait until the IKE SA times out to find out.


If you want to configure the DPD periodic message option, you should use the crypto isakmp keepalive command with the periodic keyword. If you do not configure the periodic keyword, the router defaults to the on-demand approach.


Regards,

Bjornarsb


bradlesliect Fri, 05/04/2007 - 01:56

Thank you!


This is extremely useful information. One FAQ though...what is DPD?


Do you have a template of how to configure the keepalive setting? Where in the crypto config do I enter this command?

bradlesliect Fri, 05/04/2007 - 02:28

Thanks,


Does DPD not generate lots of traffic if I set it to every 15 secs? Can I set it to every 300 secs instead?

royalblues Fri, 05/04/2007 - 02:35
User Badges:
  • Green, 3000 points or more

Brad,

It is just a keepalive message and should not contribute to traffic.


You can configure it to 300secs. The value of 15 is useful when you have multiple peers and wanna fallback to the next configured peer.


HTH, rate if it does

Narayan

bjornarsb Fri, 05/04/2007 - 02:57
User Badges:
  • Bronze, 100 points or more

Hi again,


IKE Phase 1 Policy

crypto isakmp policy 1
 encryption 3des
 authentication pre-share
 group 2
!
IKE Preshared Key

crypto isakmp key xxx address 10.x.x.209 255.255.255.0
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto map test 1 ipsec-isakmp
 set peer 10.2.80.209
 set transform-set esp-3des-sha
 match address 101
!
!
interface FastEthernet0
 ip address 10.1.32.14 255.255.255.0
 speed auto
 crypto map test
!



The benefit of IOS keepalives and periodic DPD is earlier detection of dead peers.

It does not generate much traffic; however, IOS keepalives and periodic DPD rely on periodic messages that have to be sent with considerable frequency. The result of sending frequent messages is that the communicating peers must encrypt and decrypt more packets.


DPD also has an on-demand approach. The contrasting on-demand approach is the default. With on-demand DPD, messages are sent on the basis of traffic patterns. For example, if a router has to send outbound traffic and the liveliness of the peer is questionable, the router sends a DPD message to query the status of the peer. If a router has no traffic to send, it never sends a DPD message. If a peer is dead, and the router never has any traffic to send to the peer, the router will not find out until the IKE or IPSec security association (SA) has to be rekeyed (the liveliness of the peer is unimportant if the router is not trying to communicate with the peer). On the other hand, if the router has traffic to send to the peer, and the peer does not respond, the router will initiate a DPD message to determine the state of the peer.



Hope this was clarifying.


Regards,

Bjornarsb

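The periodic versus on-demand behaviour described in the answer above, as an added simulation (constructed for this page, not Cisco IOS code or anything from the thread): a periodic probe goes out whenever the peer has been silent for the keepalive interval, while an on-demand probe goes out only when the router has outbound traffic for a peer whose liveness is in doubt. The 2-second retry interval and 5 retries before the peer is declared dead are assumptions chosen for the model, not documented IOS constants, and the simulation steps one second at a time.

```python
"""Timing model for IKE Dead Peer Detection: periodic vs on-demand.

Constructed simulation (not Cisco IOS code). Assumed parameters: a
2-second retry interval and 5 retries before the peer is declared dead,
and one simulated step per second.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class DpdResult:
    mode: str
    detected_at: Optional[int]   # simulated second the peer was declared dead, None if never
    probes_sent: int             # R_U_THERE messages sent during the run


def simulate_dpd(mode: str, interval: int, peer_dies_at: int,
                 outbound_traffic: Iterable[int] = (), inbound_traffic: Iterable[int] = (),
                 retry_interval: int = 2, max_retries: int = 5, horizon: int = 600) -> DpdResult:
    """Run one SA for `horizon` seconds; the peer stops answering at `peer_dies_at`."""
    if mode not in ("periodic", "on-demand"):
        raise ValueError(f"unknown DPD mode: {mode}")
    outbound = set(outbound_traffic)
    inbound = set(inbound_traffic)
    last_heard = 0          # the SA just came up, so the peer is known alive at t=0
    probe_due = None        # time of the next retry while a probe is unanswered
    unanswered = 0          # probes sent without an ACK in the current round
    probes = 0

    for t in range(horizon + 1):
        # Data arriving from a live peer is liveness evidence and cancels any retry round.
        if t in inbound and t < peer_dies_at:
            last_heard, probe_due, unanswered = t, None, 0

        idle = (t - last_heard) >= interval
        if probe_due is not None:
            send = (t == probe_due)                     # retry of an unanswered probe
        else:
            # periodic: probe any idle peer; on-demand: only when we have traffic for it
            send = idle and (mode == "periodic" or t in outbound)

        if not send:
            continue
        probes += 1
        if t < peer_dies_at:                            # live peer answers with R_U_THERE_ACK
            last_heard, probe_due, unanswered = t, None, 0
        else:
            unanswered += 1
            if unanswered > max_retries:
                return DpdResult(mode, t, probes)       # IKE and IPsec SAs to this peer are deleted here
            probe_due = t + retry_interval
    return DpdResult(mode, None, probes)


def compare_modes(interval: int, peer_dies_at: int, outbound_traffic: Iterable[int] = ()) -> dict:
    """Detection time for each mode under the same (constructed) traffic pattern."""
    traffic = list(outbound_traffic)
    return {mode: simulate_dpd(mode, interval, peer_dies_at, traffic).detected_at
            for mode in ("periodic", "on-demand")}


if __name__ == "__main__":
    # Constructed scenario: peer dies at t=100 on an SA with no application traffic at all.
    print(compare_modes(15, 100))             # periodic 115, on-demand None
    # Same, but the router tries to send to the peer at t=200: on-demand probes only then.
    print(compare_modes(15, 100, [200]))      # periodic 115, on-demand 210
    # The 300-second interval asked about in the thread: detection waits for the next idle check.
    print(compare_modes(300, 100))            # periodic 310, on-demand None
```

The model makes the trade-off in the thread concrete: with periodic DPD the worst-case detection delay is bounded by the interval plus the retry round, so a 300-second interval means a dead peer is noticed within roughly five minutes, whereas on-demand DPD on an SA that carries no outbound traffic never probes at all and the stale SA survives until rekey.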

bradlesliect Fri, 05/04/2007 - 03:07

This is my config, but I see nothing when I turn the debug on. I am connected to the router via console and there are no messages in the console window.


How do I know if this is working?


!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key adsldynvpn address XXX.XXX.XXX.XXX no-xauth
crypto isakmp key adsldynvpn address XXX.XXX.XXX.XXX no-xauth
crypto isakmp keepalive 15 periodic
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
!

royalblues Fri, 05/04/2007 - 03:12
User Badges:
  • Green, 3000 points or more

Is your crypto UP?


Post the output of sh crypto isakmp sa

sh crypto ipsec sa


Narayan

bjornarsb Fri, 05/04/2007 - 03:22
User Badges:
  • Bronze, 100 points or more

Hi,


The debug crypto isakmp command verifies that IKE DPD is enabled. When periodic DPD is enabled, you should see debug messages at the interval specified by the command crypto isakmp keepalive 15 periodic.


I guess you have, but to be sure, do:

logging console,

and terminal monitor... and check logging buffered.


Regards,

Bjornarsb
