ISAKMP keepalive help

Apr 24th, 2008

Hi,

How can I make my ISAKMP keepalive connection get monitored more aggressively? Sometimes the tunnel will go down and not come back for a while unless I manually force it. It's a Cisco 1811 to a Cisco ASA.

michael.leblanc Thu, 04/24/2008 - 10:26

Take a look at "periodic DPD" which allows you to establish a retry interval, and is not dependent on waiting until there is traffic to be sent through the tunnel.

IOS e.g.: crypto isakmp keepalive 30 10 periodic

Peers would exchange messages every 30 seconds. If a message was not received when it was expected (30 sec. since the last received), it can query the far side. If three queries go unanswered, SAs will be cleared from the SADB.

whiteford Thu, 04/24/2008 - 11:06

This sounds great. Do I just add it to my current cryptomap?

And on both sides of the tunnel?

michael.leblanc Thu, 04/24/2008 - 12:03

The "crypto isakmp keepalive 30 10 periodic" command is a standalone (not part of the cryptomap) IOS command. You should read the command reference before implementing any new commands.

Ideally, you'd find a comparable command for the ASA.
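
The DPD setting discussed above, shown for both ends of the tunnel. This is an added example, not configuration posted by anyone in the thread; the ASA lines assume ASA 7.x/8.x syntax, and 203.0.113.2 is a constructed placeholder for the 1811's peer address.

```cisco
! IOS side (Cisco 1811), global configuration, as given in the thread:
crypto isakmp keepalive 30 10 periodic
!
! ASA side, assuming ASA 7.x/8.x syntax; 203.0.113.2 is a constructed
! placeholder for the 1811's peer address (used as the tunnel-group name).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 isakmp keepalive threshold 30 retry 10
!
! Check on the IOS side that DPD was negotiated for the SA:
!   show crypto isakmp sa detail
! Check the effective ASA setting:
!   show running-config tunnel-group 203.0.113.2
```

On the ASA, "threshold" is the number of seconds the peer may idle before keepalive monitoring begins, and "retry" is the number of seconds between retries.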

renins.com Thu, 05/15/2008 - 01:57

USE:

ip sla 1
 icmp-echo XX.xxx.xxx.xxx source-interface FA0/0
 timeout 2000
 exit
ip sla schedule 1 life forever start-time now
track 1 rtr 1
 delay down 10
 exit
event manager applet app-sla-1
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear crypto isakmp"
 set 2.0 _exit_status 1
 exit
