Help Required Reg IPSec DPD (Dead Peer Detection)

Answered Question
May 13th, 2010

Dear All,


We are facing a strange problem in our network regarding IPSec. Below is the config


====================================================================


crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key <> address <>
crypto isakmp key <> address <>
crypto isakmp keepalive 120  <------------------------****
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set <> esp-3des esp-sha-hmac


=====================================================================


When we remove the crypto map from the serial interface, the session still stays ACTIVE; it does not time out or become IDLE.

How can we troubleshoot this? Even when the session is active, the prefixes which we have selected for encryption still cannot work; we have to clear the session and re-establish it. How can we make it more stable?

For DPD periodic, can we make it unidirectional?


Regards,

Ranjit

Jennifer Halim Fri, 05/14/2010 - 01:30

The keepalive is currently set to 2 minutes. Try to lower the keepalive to 10 seconds and see if you are still seeing the tunnel drop issue.

What is the peer device? I would also advise you to configure the same if it's also a Cisco device.

ranjit123 Sun, 05/16/2010 - 21:54

Dear All,


Thanks for your reply; we got the issue sorted out.


As the crypto ipsec security-association lifetime was 86400 seconds and DPD was using the ON_DEMAND approach, if the link goes down and there is no traffic from the remote peer, the router will not find out about the dead peer until the IKE or IPSec security association (SA) has to be rekeyed.


We have changed it to crypto isakmp keepalive 30 periodic, so that the router will send "hello" messages every 30 seconds and, if it does not get a reply, will change the state to down.


Regards,

Ranjit
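As an added configuration example (not posted by anyone in this thread), here is the on-demand keepalive from the original config beside the periodic setting the fix moved to, with the IOS show/debug commands used to confirm DPD behaviour. The explicit retry interval of 2 seconds is an assumption (it matches the IOS default), and the peer address is a placeholder.

```cisco
! Original (from the question): 2-minute keepalive, DPD in its default
! on-demand mode. An R-U-THERE is only sent when the router has traffic
! for the peer and has heard nothing from it for 120 s, so with no traffic
! a dead peer is not noticed until the IKE/IPsec SA is rekeyed (up to
! 86400 s with the lifetime in this config).
crypto isakmp keepalive 120

! Changed: send a DPD hello every 30 s whether or not there is traffic.
! The second number is the retry interval when a reply is missed
! (2 s here, an assumed value equal to the IOS default).
crypto isakmp keepalive 30 2 periodic

! Verification on the router (replace <peer-ip> with the real peer):
!   show crypto isakmp sa detail
!     - the SA for <peer-ip> should show "D" under Capabilities (DPD on)
!     - after the peer goes silent the SA should be torn down, not stay QM_IDLE
!   show crypto session detail
!     - "Session status" should move from UP-ACTIVE to DOWN once DPD fails
!   debug crypto isakmp
!     - shows the periodic "sending DPD" / "received DPD" exchange with <peer-ip>;
!       disable with "undebug all" when finished
```

DPD is negotiated per peer, so the same keepalive settings should be configured on the remote router as well; otherwise only one side detects the failure.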

Correct Answer
Jennifer Halim Sun, 05/16/2010 - 23:36

Great to hear. Please mark the question answered. Thanks.
