Dead Peer Detection does not work !!!

kirkster · ‎08-31-2007

Guys,

I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10seconds.

Tunnel is up and working, encrypting traffc between loopbacks on the 2811s when I do extended pings.

Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.

I now kill a link betwen the switches, isolating the 2811's. I can no longer do my extended ping between the loopbacks between the 2811's, as would be expected. However, why isn't the DPD taking the SA down? When I do a show cryto isakmp sa detail again, there is no difference to the output when the VPN was up and running. I AM generating traffic so why isn't the SA being deleted? I have NTP running with teh source address as the loopbacks so there is always interesting traffic.

If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!

Thanks for your help.

Steve

didyap · ‎09-06-2007

This issue could be related to this cisco bug :CSCef81595

meverett · ‎10-23-2007

your message caught my interest. Worked on previous problem where this appeared to be the problem.. In my case, there was a fw in the middle that did not have all the right IPSec ports open.. However, during troubleshooting Cisco TAC sent over a doc in regards to invalid SPI recovery for IOS routers.. Essentially, a feature that can be enabled to more quickly detect a failed peer. You may want to look into this feature