Dead peer detection not working !!! Help please...
I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10seconds.
Tunnel is up and working, encrypting traffc between loopbacks on the 2811s when I do extended pings.
Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.
I now kill a link betwen the switches, isolating the 2811's. I can no longer do my extended ping between the loopbacks between the 2811's, as would be expected. However, why isn't the DPD taking the SA down? When I do a show cryto isakmp sa detail again, there is no difference to the output when the VPN was up and running. I AM generating traffic so why isn't the SA being deleted? I have NTP running with teh source address as the loopbacks so there is always interesting traffic.
If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!
Re: Dead peer detection not working !!! Help please...
Using periodic DPD potentially allows the router to detect an unresponsive IKE peer with better response time when compared to on-demand DPD. However, use of periodic DPD incurs extra overhead. When communicating to large numbers of IKE peers, you should consider using on-demand DPD instead.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...