We are implementing IPsec in all branches. For IPsec we are using Dynamic Multipoint VPN, in which all remote branches initiate IPsec and ISAKMP negotiation whenever Finacle interesting traffic hits the router, and it successfully creates Phase 1 and Phase 2 sessions.
For DPD we are using on-demand polling, i.e. whenever traffic comes, the other side's availability is checked.
This creates a problem when the link goes down at the remote end: the core end checks availability and clears the session, but at the remote end the crypto interface goes down and doesn't clear the session. When the link comes up, the session remains on the remote end but is cleared at the core end, due to which the branch is not able to work. We have to execute clear crypto session / clear crypto isakmp at the remote end to renegotiate the crypto session. To rectify the issue we are putting the invalid spi-recovery command on both the remote and core ends.
But still the issue persists: the session remains on one end and is cleared at the other end. The second issue is that the branch is not able to work whenever the branch is working on a backup interface that doesn't have the crypto map command.
To resolve these issues we are thinking of implementing periodic polling at both the core and remote ends:
crypto isakmp keepalive 60 periodic
We have a 7206VXR with SA-VAM2+ at the core and Cisco 1841 at the remote end, around 2700 branches.
Kindly advise us:
1) Is periodic polling feasible for 2700 branches, i.e. not CPU intensive?
2) What will be a suitable approximate frequency of polling?
3) Can we start periodic polling on the core and then move to the remote branches branch by branch, i.e. is it unidirectional?