Cisco Support Community
Dead peer detection not working!!! Help please...

Guys,

I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10 seconds.

Tunnel is up and working, encrypting traffic between loopbacks on the 2811s when I do extended pings.

Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.

I now kill a link between the switches, isolating the 2811s. I can no longer do my extended ping between the loopbacks on the 2811s, as would be expected. However, why isn't the DPD taking the SA down? When I do a show crypto isakmp sa detail again, there is no difference in the output from when the VPN was up and running. I AM generating traffic, so why isn't the SA being deleted? I have NTP running with the source address as the loopbacks, so there is always interesting traffic.

If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives!!!

Thanks for your help.

Steve

1 REPLY

Re: Dead peer detection not working!!! Help please...

Using periodic DPD potentially allows the router to detect an unresponsive IKE peer with better response time when compared to on-demand DPD. However, use of periodic DPD incurs extra overhead. When communicating to large numbers of IKE peers, you should consider using on-demand DPD instead.

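Added example, not part of the original thread or of Cisco's own code: a small Python model of the two keepalive modes the reply contrasts, as IOS exposes them with `crypto isakmp keepalive <interval> [<retry>] [periodic | on-demand]`. It steps through time one second at a time with constructed traffic events and reports when DPD would tear the SA down. The retransmission budget (`max_retries`), the one-second granularity, and the "peer dies at second N" switch are assumptions of the model, not IOS's exact behaviour. What it shows is the property a practitioner needs when picking a mode: periodic DPD probes as soon as the peer has been silent for the interval, whereas on-demand DPD only probes when the router also has traffic to send over that SA, so detection time depends on the outbound traffic pattern and a quiet SA is never declared dead.

```python
"""
Constructed model of IKE dead peer detection (RFC 3706) in the two flavours
IOS offers:

    crypto isakmp keepalive 10 2 periodic
    crypto isakmp keepalive 10 2 on-demand

Time is whole seconds. Traffic is represented by sets of seconds at which we
have something to send (outbound) or the peer would send to us (inbound).
"""


def simulate_dpd(mode, interval, retry, outbound, inbound, peer_dies_at,
                 horizon, max_retries=5):
    """
    Return the second at which DPD declares the peer dead (SA deleted), or
    None if it never does within `horizon` seconds.

    mode         : "periodic" or "on-demand"
    interval     : seconds of silence from the peer before a probe is due
    retry        : seconds between R-U-THERE retransmissions
    outbound     : seconds at which we have traffic to send over the SA
    inbound      : seconds at which the peer would send us traffic (if alive)
    peer_dies_at : first second at which the peer is unreachable (assumption)
    max_retries  : unanswered retransmissions tolerated before declaring the
                   peer dead (assumption; not IOS's exact figure)
    """
    if mode not in ("periodic", "on-demand"):
        raise ValueError("mode must be 'periodic' or 'on-demand'")

    last_proof = 0        # last second we had proof of the peer's liveness
    probe_sent = None     # second the outstanding R-U-THERE was sent, if any
    probes_sent = 0       # initial probe plus retransmissions in this round

    for t in range(1, horizon + 1):
        alive = t < peer_dies_at

        # Any traffic from a live peer is proof of liveness and cancels probes.
        if t in inbound and alive:
            last_proof = t
            probe_sent, probes_sent = None, 0

        if probe_sent is not None:
            # An R-U-THERE is outstanding and unanswered.
            if t - probe_sent >= retry:
                if probes_sent > max_retries:
                    return t                 # retransmission budget exhausted
                probe_sent, probes_sent = t, probes_sent + 1
            continue

        idle = t - last_proof >= interval
        # periodic: probe whenever the peer has been silent for `interval`.
        # on-demand: additionally require that we have traffic to send now.
        want_probe = idle if mode == "periodic" else (idle and t in outbound)
        if want_probe:
            if alive:
                last_proof = t               # R-U-THERE-ACK comes straight back
            else:
                probe_sent, probes_sent = t, 1


def compare_modes(interval=10, retry=2, peer_dies_at=30, horizon=120):
    """
    Run the thread's scenario (10 s keepalive, link cut at second 30) under
    three constructed traffic patterns and return detection times per mode.
    """
    steady = set(range(5, horizon + 1, 5))    # traffic every 5 s, like NTP polls
    inbound = {t for t in steady if t < peer_dies_at}
    return {
        "periodic, steady outbound":
            simulate_dpd("periodic", interval, retry, steady, inbound,
                         peer_dies_at, horizon),
        "on-demand, steady outbound":
            simulate_dpd("on-demand", interval, retry, steady, inbound,
                         peer_dies_at, horizon),
        "on-demand, one packet at 40 s":
            simulate_dpd("on-demand", interval, retry, {40}, inbound,
                         peer_dies_at, horizon),
        "on-demand, nothing to send":
            simulate_dpd("on-demand", interval, retry, set(), inbound,
                         peer_dies_at, horizon),
    }


if __name__ == "__main__":
    for scenario, dead_at in compare_modes().items():
        print(f"{scenario:32s} -> "
              f"{'never torn down' if dead_at is None else f'SA deleted at {dead_at}s'}")
```

With the model's defaults both modes tear the SA down at the same time when outbound traffic keeps flowing after the cut; on-demand detection slips to whenever the next outbound packet appears, and never happens on an SA with nothing to send. On the real routers, `show crypto isakmp sa detail` and `debug crypto isakmp` are the places to confirm whether R-U-THERE messages are actually being generated in the mode you configured.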