08-31-2007 01:43 AM
Guys,
I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10 seconds.
Tunnel is up and working, encrypting traffic between loopbacks on the 2811s when I do extended pings.
Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.
I now kill a link between the switches, isolating the 2811s. I can no longer do my extended ping between the loopbacks on the 2811s, as would be expected. However, why isn't the DPD taking the SA down? When I do a show crypto isakmp sa detail again, there is no difference to the output from when the VPN was up and running. I AM generating traffic, so why isn't the SA being deleted? I have NTP running with the source address as the loopbacks, so there is always interesting traffic.
If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!
Thanks for your help.
Steve
09-06-2007 06:37 AM
This issue could be related to this Cisco bug: CSCef81595
10-23-2007 10:25 AM
Your message caught my interest. I worked on a previous problem where this appeared to be the issue. In my case, there was a fw in the middle that did not have all the right IPSec ports open. However, during troubleshooting Cisco TAC sent over a doc in regards to invalid SPI recovery for IOS routers. Essentially, it is a feature that can be enabled to more quickly detect a failed peer. You may want to look into this feature.
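For reference, the three IOS settings this thread touches on (on-demand DPD, periodic DPD, and invalid-SPI recovery) shown side by side on one 2811. This is an added illustration, not configuration posted by anyone in the thread; the peer address, pre-shared key, ACL name and transform set are placeholders.

```cisco
! Phase 1 policy and pre-shared key (placeholder key and peer address)
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-KEY address 192.0.2.2
!
! On-demand DPD (the IOS default when no mode keyword is given).
! A DPD R-U-THERE is sent only when this router has traffic to send to the
! peer AND has received nothing from it for the 10-second interval; once a
! reply is missed it retries every 3 seconds. A tunnel with one-way or bursty
! traffic can therefore keep a stale SA far longer than the interval suggests.
crypto isakmp keepalive 10 3 on-demand
!
! Periodic DPD: a probe goes out every 10 seconds regardless of traffic, so a
! dead peer is detected within the interval plus the retry sequence. This is
! the mode the original poster found works; the 6500 VPN SPA endpoint in the
! thread does not support it, which is why the two lines are alternatives.
! crypto isakmp keepalive 10 3 periodic
!
! Invalid-SPI recovery (the feature the last reply refers to): when this
! router receives IPsec packets carrying an SPI it has no SA for, it brings up
! an IKE SA with that peer and sends an invalid-SPI notification, so the peer
! can discard its stale IPsec SA and renegotiate instead of black-holing
! traffic until its own lifetime expires.
crypto isakmp invalid-spi-recovery
!
! Static crypto map as described in the first post (placeholder names)
crypto ipsec transform-set TS esp-aes esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address VPN-TRAFFIC
```

Whichever DPD mode is in use, `show crypto isakmp sa detail` reporting an unchanged SA after the path is cut is the symptom to check against the bug ID given above.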