ISAKMP VPN Keepalive

Unanswered Question
Jun 8th, 2010

With a PIX 6.x I have the following command entered

isakmp keepalive 15

With this, should I expect a remote host to be 'alive' based on this 15 second keepalive?  It takes one ICMP timeout before the remote host answers, this is after some time of inactivity.  The remote side is a Cisco IOS device - not sure of the version.

Thanks,

Dan

Federico Coto F... Tue, 06/08/2010 - 13:15

Dan,

The ''isakmp keepalive 15'' command is going to allow the PIX to tear down the tunnel if it is not receiving an answer from the other peer.

Normally, the ISAKMP SAs will be torn down after the SA lifetime expires (but in some cases this causes problems because the tunnel goes down and the other side has no way to know it until the SA lifetime expires).

So, the ''isakmp keepalive 15'' will allow the PIX to monitor the health of the other VPN peer, detect that no response is received after 15 seconds of being idle, and tear down the tunnel.

Federico.

pdvcisco Tue, 06/08/2010 - 13:44

It sounds like I have a misunderstanding of what ISAKMP Keepalives are used for. Keepalives actually detect traffic and shut down the tunnel, not keep it open so that no re-negotiation has to happen.

So it doesn't keep the tunnel "alive" but actually lets it know when it is ok to timeout the SA.

What should my expectations be for accessing a remote host through the VPN with no timeouts from the first PING request?

Is the keepalive actually closing the tunnel prematurely?

Thanks,

Dan

Federico Coto F... Tue, 06/08/2010 - 13:48

The keepalives indeed are to monitor the other peer's health.

The ISAKMP keepalives won't keep the tunnel alive.

There has to be interesting traffic through the tunnel, for the tunnel to continue up.

Regarding your question...

You're connecting remotely via VPN and when you PING an inside host there are ''no timeouts from the first PING request''?

That means all PING packets are successful? Please explain the last part.

Federico.

pdvcisco Tue, 06/08/2010 - 13:56

Federico,

Thanks for clarifying the use of keepalives.

We typically see the FIRST PING to the remote host result in a timeout if there has been no traffic in some period of time.

security-association lifetime seconds 86400 kilobytes 4608000

Should I expect the connection to the remote host be responsive (read = no renegotiation of the tunnel) if I have sent traffic within 86400 seconds?

Thanks,

Dan

Federico Coto F... Tue, 06/08/2010 - 14:02

Yes,

The tunnel should stay up for 86400 seconds if idle.

If there are ISAKMP keepalives, then the tunnel will be torn down much more quickly (because it won't have to wait until the lifetime expires).

Also, assuming there has been no other event that brought down the tunnel on either side.

Federico.

Todd Pula Tue, 06/08/2010 - 13:54

To Federico's point above, the isakmp keepalive command actually has two components.  The first value indicates the interval at which the PIX will send a keepalive message to its peer.  In your case this value is every 15 seconds.  The second value is the retry interval, which by default is 2 seconds but can be configured up to 10 seconds.  During the phase 1 negotiation, the peers will identify to each other whether or not they support the keepalive mechanism.  If they do, they will use the keepalive as a hello/ACK mechanism in order to identify possible issues with the peers themselves or the transit path in between.  After sending a series of unanswered hellos, the PIX will assume the peer is no longer available and time the SAs out of the SADB.

isakmp keepalive seconds [retry_seconds]
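The following is an added example, not code from the thread or from Cisco: a small Python model of the keepalive behaviour Todd describes (hellos every `seconds`, faster re-sends at `retry_seconds` once one goes unanswered) that also shows Federico's point about detection happening much sooner than the 86400-second SA lifetime. The number of unanswered retries before the peer is declared dead (`max_retries`) and the moment the simulated peer stops answering (`peer_dead_at`) are assumptions of the model; the real PIX state machine is not reproduced here.

```python
"""Toy model of how ISAKMP keepalives detect a dead VPN peer.

Constructed for this thread; it is not PIX code. It models the two values of
`isakmp keepalive seconds [retry_seconds]`: hellos go out every `interval`
seconds while the tunnel is idle, and once a hello goes unanswered the PIX
re-sends at the shorter `retry` interval. The retry count before the peer is
declared dead (`max_retries`) is an assumed parameter; the thread does not
state it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class KeepaliveConfig:
    interval: int = 10      # the `seconds` argument
    retry: int = 2          # the `retry_seconds` argument; default 2, max 10
    max_retries: int = 3    # ASSUMED: unanswered retries before declaring dead

    def __post_init__(self) -> None:
        if self.interval <= 0:
            raise ValueError("keepalive interval must be positive")
        if not 2 <= self.retry <= 10:
            raise ValueError("retry interval must be between 2 and 10 seconds")


def simulate(cfg: KeepaliveConfig, peer_dead_at: int, horizon: int
             ) -> Tuple[Optional[int], List[Tuple[int, str]]]:
    """Return (time the SAs are torn down, event log).

    `peer_dead_at` is constructed fault injection: every hello sent before
    that second is acknowledged, nothing sent at or after it is. The first
    element is None when the peer stays reachable for the whole `horizon`.
    """
    log: List[Tuple[int, str]] = []
    unanswered = 0
    t = cfg.interval                        # first hello after one idle interval
    while t <= horizon:
        if t < peer_dead_at:
            unanswered = 0
            log.append((t, "hello acknowledged"))
            t += cfg.interval
            continue
        unanswered += 1
        log.append((t, f"hello unanswered ({unanswered})"))
        if unanswered > cfg.max_retries:    # initial hello + max_retries retries
            log.append((t, "peer declared dead, ISAKMP/IPsec SAs removed"))
            return t, log
        t += cfg.retry                      # re-send at the shorter retry interval
    return None, log


def worst_case_detection(cfg: KeepaliveConfig) -> int:
    """Longest time a dead peer goes unnoticed: it dies right after
    acknowledging a hello, so a full interval passes before the next hello,
    and then every retry must also time out."""
    return cfg.interval + cfg.max_retries * cfg.retry


if __name__ == "__main__":
    # Dan's `isakmp keepalive 15` with the default retry of 2 seconds.
    cfg = KeepaliveConfig(interval=15, retry=2, max_retries=3)
    torn_down, events = simulate(cfg, peer_dead_at=16, horizon=86400)
    for when, what in events:
        print(f"t={when:>5}s  {what}")
    print(f"worst-case detection: {worst_case_detection(cfg)}s, "
          f"versus 86400s if only the SA lifetime were relied on")
```

With the thread's settings the dead peer is noticed within about 21 seconds instead of lingering in the SADB until the 86400-second lifetime expires; raising `retry_seconds` towards its maximum of 10 makes detection slower but more tolerant of a lossy transit path.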

