02-01-2008 01:26 AM - edited 03-11-2019 04:57 AM
Hi All,
I have a site which has two peer endpoints, and I want one of them to be redundant. I know it's possible to configure more than one peer on the crypto map.
Is there a configuration feature like DPD available on the PIX/ASA? The version running on the PIX is 7.2.3.
TIA
Jack
02-01-2008 06:49 AM
Dead peer detection is enabled by default with the following command...
tunnel-group
isakmp keepalive 10 2
http://cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140
02-01-2008 08:50 AM
Hi,
Thanks for your answer.
In essence my config should look something like this:
crypto map match address 101
crypto map pix set peer peer one
crypto map pix set peer peer two
crypto map set transform-set myset
tunnel-group peer 1 type ipsec-l2l
tunnel-group peer 1 ipsec-attributes
isakmp keepalive 10 2
tunnel-group peer 2 type ipsec-l2l
tunnel-group peer 2 ipsec-attributes
isakmp keepalive 10 2
Thanks.
Jack.
02-01-2008 08:55 AM
See here under usage guidelines...
http://cisco.com/en/US/docs/security/asa/asa72/command/reference/c5_72.html#wp2066090
connection type needs to be originate-only as well, which means the far end must be answer-only.
I also don't think you need to create separate tunnel groups, but I could be wrong.
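The pieces discussed in this thread (a peer list on one crypto map entry, originate-only connection type, and DPD keepalives), put together as an added example that is not a configuration posted by any participant. The sequence number 10, the documentation-range peer addresses, the `outside` interface and the key placeholders are assumptions; it also assumes pre-shared-key authentication with one tunnel group named after each peer address.

```text
! Constructed example for PIX/ASA 7.2. Assumed values: sequence number 10,
! peers 192.0.2.1 (primary) and 198.51.100.1 (backup), interface "outside",
! and the pre-shared-key placeholders.
crypto map pix 10 match address 101
! Peers are tried in the order listed, so the second address is the fallback.
crypto map pix 10 set peer 192.0.2.1 198.51.100.1
crypto map pix 10 set transform-set myset
! Per the reply above: this end must be originate-only,
! and the far end's crypto map entry must be set to answer-only.
crypto map pix 10 set connection-type originate-only
crypto map pix interface outside
!
! DPD (IKE keepalive): start probing after 10 s idle, retry every 2 s.
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <KEY-FOR-PEER-ONE>
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <KEY-FOR-PEER-TWO>
 isakmp keepalive threshold 10 retry 2
```

After a failover test, `show crypto isakmp sa` shows which peer address the active tunnel is established with.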