12-02-2008 03:51 PM - edited 03-11-2019 07:20 AM
Hi,
we have a simple NAT traversal configuration with an L2L tunnel like this
5505(8.0) -> DSL Router (NAT) -> Internet -> 5510 (8.0)
The DSL Router gets a new IP every n hours.
Configuration is like this:
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 11 retry 2
Now what happens is:
* Tunnel comes up
* DSL Modem gets new IP address (this can also be triggered by simply power-cycling it)
* SA hasn't timed out yet
* Tunnel is _not_ torn down and recreated
If I debug crypto isakmp 200 everything, I can see DPD keepalives being sent from time to time, but not every 11 seconds as configured. This is because the keepalives are only sent "on-demand", when no traffic is flowing. Logically this should only apply if there is no _incoming_ traffic on the tunnel - as is the case when we get a new IP - but in fact keepalives are also omitted when there is outgoing traffic.
Because a few machines will always try to send packets over the tunnel, this situation almost never applies.
In IOS there is another version of the command where one can say "crypto isakmp 10 2 periodic", which forces the keepalives to be sent every n seconds. But not on the ASA.
Has anyone run into this as well or knows about an ASA version of the "periodic" parameter?
Thanks
-chris
P.S.: Reducing the SA lifetime to a few minutes is not really an option as this kills Oracle connections...
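The failure mode described in this post, as an added example that is not part of the original thread: a small Python model of on-demand versus periodic DPD over a tunnel whose local hosts never stop sending. The timing rules and the retry count are simplifying assumptions for illustration, not the ASA's or IOS's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Dpd:
    threshold: int        # idle seconds (on-demand) or interval (periodic) before a keepalive
    retry: int            # seconds between retransmissions of an unanswered keepalive
    max_retries: int = 3  # assumed number of retries before the peer is declared dead


def simulate(mode: str, dpd: Dpd, peer_dead_at: int, sa_lifetime: int,
             outbound_every: Optional[int] = 1) -> Optional[int]:
    """Return the second at which the peer is declared dead, or None if the SA
    lifetime expires first. 'on-demand' sends a keepalive only after `threshold`
    seconds with no traffic in either direction (the behaviour the post observes);
    'periodic' sends one every `threshold` seconds regardless of traffic.
    outbound_every=None models an idle tunnel; 1 models hosts that never stop."""
    last_traffic = last_keepalive = outstanding = 0
    for t in range(1, sa_lifetime + 1):
        alive = t < peer_dead_at          # peer vanishes (new IP) at peer_dead_at
        if outbound_every and t % outbound_every == 0:
            last_traffic = t              # outbound alone counts as "traffic" and suppresses on-demand DPD
        if outstanding:
            send = t - last_keepalive >= dpd.retry
        elif mode == "on-demand":
            send = t - last_traffic >= dpd.threshold
        elif mode == "periodic":
            send = t - last_keepalive >= dpd.threshold
        else:
            raise ValueError(f"unknown mode {mode!r}")
        if not send:
            continue
        last_keepalive = t
        if alive:
            outstanding = 0
            last_traffic = t              # the R-U-THERE-ACK is inbound traffic
        else:
            outstanding += 1
            if outstanding > dpd.max_retries:
                return t                  # dead peer detected: tunnel can be torn down
    return None                           # DPD never fired; SA lives until its lifetime expires


if __name__ == "__main__":
    dpd = Dpd(threshold=11, retry=2)      # matches "isakmp keepalive threshold 11 retry 2"
    for mode in ("on-demand", "periodic"):
        print(mode, "busy tunnel:", simulate(mode, dpd, peer_dead_at=100, sa_lifetime=3600))
        print(mode, "idle tunnel:", simulate(mode, dpd, 100, 3600, outbound_every=None))
```

With a busy tunnel the on-demand model never detects the dead peer (returns None), while the periodic model detects it within a few seconds of the change; on an idle tunnel both detect it at the same moment.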
03-10-2009 04:55 AM
Hi,
I have a problem with a similar configuration (with easyvpn though):
Have you found a solution to your problem? I am also currently running the "SA-lifetime-reduction" workaround.
03-10-2009 07:10 AM
Nope. Haven't.
It's a pity that no one from Cisco answered here. I also can't file a bug, because I don't have a subscription...
03-10-2009 06:56 PM
I suggest you post this question under the Security/VPN section, I am sure you will get an answer there.