04-24-2008 04:26 AM - edited 03-09-2019 08:35 PM
Hi,
How can I make my ISAKMP keepalive connection get monitored more aggressively? Sometimes the tunnel will go down and not come back for a while unless I manually force it. It's a Cisco 1811 to a Cisco ASA.
04-24-2008 10:26 AM
Take a look at "periodic DPD" which allows you to establish a retry interval, and is not dependent on waiting until there is traffic to be sent through the tunnel.
IOS e.g.: crypto isakmp keepalive 30 10 periodic
Peers would exchange messages every 30 seconds. If a message was not received when it was expected (30 sec. since the last received), it can query the far side. If three queries go unanswered, SAs will be cleared from the SADB.
04-24-2008 11:06 AM
This sounds great do I just add it to my current cryptomap?
And on both sides of the tunnel?
04-24-2008 12:03 PM
The "crypto isakmp keepalive 30 10 periodic" command is a standalone (not part of the cryptomap) IOS command. You should read the command reference before implementing any new commands.
Ideally, you'd find a comparable command for the ASA.
05-13-2008 12:55 AM
The command on the ASA would be
isakmp keepalive [threshold seconds] [retry seconds] [disable]
see:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140
If this is still of interest...
Regards,
Mat
05-15-2008 01:57 AM
USE:
! IP SLA probe: ICMP echo to the far-end peer (default frequency 60 s), give up on a reply after 2000 ms
ip sla 1
 icmp-echo XX.xxx.xxx.xxx source-interface FA0/0
 timeout 2000
 exit
ip sla schedule 1 life forever start-time now
! Track the probe; wait 10 s of failed probes before declaring it down, so a single lost ping does not flap the tunnel
track 1 rtr 1
 delay down 10
 exit
! When the track goes down, clear the ISAKMP SAs so the tunnel is renegotiated instead of waiting for it to recover on its own
event manager applet app-sla-1
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear crypto isakmp"
 set 2.0 _exit_status 1
 exit
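A small timer model of the periodic versus on-demand DPD behaviour described in the thread (30 s threshold, 10 s retry), as an added example that is not from the thread or from Cisco. It assumes, per the earlier post, that the SA is cleared after three unanswered queries, and that a live peer answers a query one second after it is sent; on-demand mode only sends a query when local traffic is waiting.

```python
"""Model of ISAKMP DPD timers: when does the router give up on a dead peer?

Constructed example. Times are whole seconds; the peer is modelled as answering
every query sent before `peer_dead_at` and ignoring every query sent after it.
"""
from dataclasses import dataclass


@dataclass
class DpdConfig:
    threshold: int = 30    # idle seconds before a query (R-U-THERE) is sent
    retry: int = 10        # seconds to wait for an ACK before resending
    max_retries: int = 3   # unanswered queries before the SA is cleared (assumed)
    periodic: bool = False # True: query on the timer; False: only when traffic waits


def time_to_teardown(cfg, peer_dead_at, traffic_times=(), horizon=600):
    """Return the second at which the SAs are cleared, or None within `horizon`.

    traffic_times: seconds at which outbound traffic is queued for the tunnel;
    it only matters for on-demand DPD, which never probes an idle tunnel.
    """
    traffic = set(traffic_times)
    last_rx = 0           # last second anything was heard from the peer
    query_sent_at = None  # when the current outstanding query went out
    failures = 0
    for t in range(1, horizon + 1):
        if query_sent_at is not None:
            if query_sent_at < peer_dead_at:        # peer was alive: ACK arrives now
                last_rx, query_sent_at, failures = t, None, 0
            elif t - query_sent_at >= cfg.retry:    # retry timer expired, no ACK
                failures += 1
                if failures >= cfg.max_retries:
                    return t                        # SAs cleared from the SADB
                query_sent_at = t                   # resend the query
            continue
        idle = t - last_rx
        if idle >= cfg.threshold and (cfg.periodic or t in traffic):
            query_sent_at = t
    return None


if __name__ == "__main__":
    periodic = DpdConfig(periodic=True)
    on_demand = DpdConfig(periodic=False)
    # Peer dies at t=45; traffic only appears at t=200.
    print("periodic :", time_to_teardown(periodic, 45, traffic_times=[200]))   # 91
    print("on-demand:", time_to_teardown(on_demand, 45, traffic_times=[200]))  # 230
    print("on-demand, idle tunnel:", time_to_teardown(on_demand, 45))          # None
```

The run shows why the periodic form was recommended: with the same 30/10 timers, periodic DPD notices the dead peer within about a minute, while on-demand DPD waits for the next outbound packet and an idle tunnel is never torn down at all.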