ISAKMP keepalive help

Apr 24th, 2008

Hi,


How can I make my ISAKMP keepalive connection get monitored more aggressively? Sometimes the tunnel will go down and not come back for a while unless I manually force it. It's a Cisco 1811 to a Cisco ASA.

michael.leblanc Thu, 04/24/2008 - 10:26

Take a look at "periodic DPD" which allows you to establish a retry interval, and is not dependent on waiting until there is traffic to be sent through the tunnel.


IOS e.g.: crypto isakmp keepalive 30 10 periodic


Peers would exchange messages every 30 seconds. If a message was not received when it was expected (30 sec. since the last received), it can query the far side. If three queries go unanswered, SAs will be cleared from the SADB.


whiteford Thu, 04/24/2008 - 11:06

This sounds great. Do I just add it to my current cryptomap?


And on both sides of the tunnel?

michael.leblanc Thu, 04/24/2008 - 12:03

The "crypto isakmp keepalive 30 10 periodic" command is a standalone (not part of the cryptomap) IOS command. You should read the command reference before implementing any new commands.


Ideally, you'd find a comparable command for the ASA.
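
Added example (not from the thread or from Cisco): a small Python check that reads IOS running-config text and reports whether the global "crypto isakmp keepalive" line discussed above is present and in periodic mode. The function name is hypothetical, the sample configs are constructed, and treating a missing keyword as on-demand is an assumption about the IOS default.

```python
import re

# Global-config form from the thread:
#   crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic | on-demand]
KEEPALIVE_RE = re.compile(
    r"^crypto isakmp keepalive (\d+)(?: (\d+))?(?: (periodic|on-demand))?\s*$")

def audit_dpd(config_text):
    """Hypothetical helper: classify the DPD setting in IOS config text."""
    result = {"status": "not-applicable", "seconds": None, "retry": None}
    has_crypto_map = False
    for line in config_text.splitlines():
        # Match unindented lines only: the keepalive command is a standalone
        # global command, not a crypto map sub-command.
        if line.startswith("crypto map "):
            has_crypto_map = True
        m = KEEPALIVE_RE.match(line)
        if m:
            result["seconds"] = int(m.group(1))
            result["retry"] = int(m.group(2)) if m.group(2) else None
            # Assumption: with no keyword IOS uses on-demand DPD, which only
            # probes the peer when there is traffic to send.
            result["status"] = m.group(3) or "on-demand"
    if result["seconds"] is None and has_crypto_map:
        result["status"] = "missing"  # tunnel configured, no DPD at all
    return result

# Constructed sample configs (address from the documentation range).
SAMPLE_PERIODIC = """\
crypto isakmp policy 10
 encr aes
crypto isakmp keepalive 30 10 periodic
crypto map VPN 10 ipsec-isakmp
 set peer 192.0.2.1
"""
SAMPLE_ON_DEMAND = SAMPLE_PERIODIC.replace(" 30 10 periodic", " 30")
SAMPLE_MISSING = SAMPLE_PERIODIC.replace(
    "crypto isakmp keepalive 30 10 periodic\n", "")

if __name__ == "__main__":
    for name, cfg in [("periodic", SAMPLE_PERIODIC),
                      ("on-demand", SAMPLE_ON_DEMAND),
                      ("missing", SAMPLE_MISSING)]:
        print(name, audit_dpd(cfg))
```

A result of "on-demand" or "missing" on a tunnel router matches the symptom in the original question: a dead peer is not noticed until traffic is sent or someone clears the SAs by hand.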




renins.com Thu, 05/15/2008 - 01:57

USE:

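! Probe the far side with ICMP; each probe times out after 2000 ms
ip sla 1
 icmp-echo XX.xxx.xxx.xxx source-interface FA0/0
 timeout 2000
 exit
ip sla schedule 1 life forever start-time now
!
! Track object follows the probe; report "down" only after 10 seconds
track 1 rtr 1
 delay down 10
 exit
!
! When the track goes down, clear the ISAKMP SAs
event manager applet app-sla-1
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear crypto isakmp"
 set 2.0 _exit_status 1
 exit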
