IP-Sec Paranoid Keepalives

Unanswered Question
Nov 1st, 2007

Please could somebody explain what "paranoid Keepalives" are?

Also, when we do a debug we see the following:

"peer does not do paranoid keepalives"

Why do I see this output while the IP-Sec connection still establishes?

tstanik Tue, 11/06/2007 - 13:42
User Badges:
  • Bronze, 100 points or more

Paranoid keepalives are an enhancement of the original keepalives that is negotiated at phase 1. With the original keepalives, if a phase 1 SA is deleted because of no keepalive answer, it brings down with it _all_ phase 2 SAs with the same peer. This can lead to a situation with dangling SAs. With paranoid keepalives, the phase 2 SAs are bound to the phase 1 SA under which they were created, and when the phase 1 SA is deleted, only the associated phase 2 SAs will be deleted.

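As an added illustration, not from this thread or from any Cisco code, here is a small Python model of the two cleanup rules tstanik describes: it builds a constructed SA database and shows which phase 2 SAs are removed when one phase 1 SA fails its keepalives under each rule. The labels and addresses are constructed, and the assumption that a peer can be mid-rekey with two phase 1 SAs at once is made only to make the difference visible.

```python
from dataclasses import dataclass, field


@dataclass
class Phase2SA:
    peer: str
    parent: str  # label of the phase 1 SA this SA was negotiated under


@dataclass
class SADatabase:
    # Labels such as "ike-old" and "esp-1" are constructed, not real cookies/SPIs.
    phase1: dict = field(default_factory=dict)  # label -> peer address
    phase2: dict = field(default_factory=dict)  # label -> Phase2SA

    def delete_phase1(self, label, paranoid):
        """Tear down a phase 1 SA whose peer stopped answering keepalives.

        Original behaviour: every phase 2 SA with the same peer goes too.
        Paranoid behaviour: only the phase 2 SAs created under this SA go.
        """
        peer = self.phase1.pop(label)
        if paranoid:
            victims = [k for k, sa in self.phase2.items() if sa.parent == label]
        else:
            victims = [k for k, sa in self.phase2.items() if sa.peer == peer]
        for k in victims:
            del self.phase2[k]
        return sorted(victims)


def build_sadb():
    """Constructed sample: one peer mid-rekey (two phase 1 SAs), one other peer."""
    db = SADatabase()
    db.phase1 = {"ike-old": "203.0.113.10", "ike-new": "203.0.113.10",
                 "ike-b": "198.51.100.7"}
    db.phase2 = {"esp-1": Phase2SA("203.0.113.10", "ike-old"),
                 "esp-2": Phase2SA("203.0.113.10", "ike-new"),
                 "esp-3": Phase2SA("198.51.100.7", "ike-b")}
    return db


def simulate(paranoid):
    """Drop 'ike-old' for lost keepalives; return (deleted, surviving phase 2)."""
    db = build_sadb()
    deleted = db.delete_phase1("ike-old", paranoid)
    return deleted, sorted(db.phase2)


if __name__ == "__main__":
    for mode in (False, True):
        print("paranoid" if mode else "original", simulate(mode))
```

With the original rule the still-valid "ike-new" SA is left with no phase 2 SAs, which is the dangling situation the answer refers to; with the paranoid rule "esp-2" survives.
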
tsalt Tue, 11/06/2007 - 23:44

Many thanks for the explanation.

So if the remote device of the IP-Sec session is not doing paranoid keepalives, the tunnel will still establish, but we could end up with hung phase 2 SAs?
