Cisco Support Community


IPsec Paranoid Keepalives

Please could somebody explain what "paranoid Keepalives" are?

Also, when we run a debug we see the following:

"peer does not do paranoid keepalives"

Why do I see this output, and why does the IPsec connection still establish?


Re: IPsec Paranoid Keepalives

Paranoid keepalives are an enhancement of the original keepalives, negotiated at Phase 1. With the original keepalives, if a Phase 1 SA is deleted because no keepalive answer was received, it brings down with it _all_ Phase 2 SAs with the same peer. This can lead to a situation with dangling SAs. With paranoid keepalives, the Phase 2 SAs are bound to the Phase 1 SA under which they were created, and when that Phase 1 SA is deleted, only its associated Phase 2 SAs are deleted.
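To make the difference in teardown behaviour concrete, here is a small added model of an SA database (example code written for this page, not from the thread above and not Cisco IOS code). It assumes a peer with two Phase 1 SAs, for instance an old one and a rekeyed one, each with one Phase 2 SA underneath; the class names `IkeSa`, `ChildSa`, `SaDatabase`, the peer address and the SPI values are all constructed for illustration.

```python
"""Toy model of Phase 1 / Phase 2 SA teardown on keepalive failure.

Added example; class names, peer address and SPIs are constructed and do
not correspond to any real implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeSa:
    """A Phase 1 (IKE) SA, identified by its peer and a constructed SPI."""
    peer: str
    spi: int


@dataclass(frozen=True)
class ChildSa:
    """A Phase 2 (IPsec) SA, remembering the Phase 1 SA it was negotiated under."""
    peer: str
    spi: int
    parent: IkeSa


class SaDatabase:
    """Holds both SA types and applies one of the two deletion policies."""

    def __init__(self, paranoid_keepalives: bool) -> None:
        self.paranoid = paranoid_keepalives
        self.ike_sas: set[IkeSa] = set()
        self.child_sas: set[ChildSa] = set()

    def add_ike(self, sa: IkeSa) -> None:
        self.ike_sas.add(sa)

    def add_child(self, sa: ChildSa) -> None:
        # A Phase 2 SA can only be negotiated under a live Phase 1 SA.
        if sa.parent not in self.ike_sas:
            raise ValueError("no live Phase 1 SA to negotiate this Phase 2 SA under")
        self.child_sas.add(sa)

    def keepalive_timeout(self, dead: IkeSa) -> set[ChildSa]:
        """Delete `dead` (no keepalive answer) and return the Phase 2 SAs torn down.

        Original keepalives: every Phase 2 SA with the same peer goes.
        Paranoid keepalives: only Phase 2 SAs bound to `dead` go.
        """
        self.ike_sas.discard(dead)
        if self.paranoid:
            victims = {c for c in self.child_sas if c.parent == dead}
        else:
            victims = {c for c in self.child_sas if c.peer == dead.peer}
        self.child_sas -= victims
        return victims


def demo(paranoid: bool) -> tuple[list[int], list[int]]:
    """Return (SPIs torn down, SPIs still in the database) after the old Phase 1 SA dies."""
    db = SaDatabase(paranoid)
    old = IkeSa("192.0.2.10", 0x1001)   # constructed: older Phase 1 SA
    new = IkeSa("192.0.2.10", 0x1002)   # constructed: rekeyed Phase 1 SA, same peer
    db.add_ike(old)
    db.add_ike(new)
    db.add_child(ChildSa("192.0.2.10", 0x2001, old))
    db.add_child(ChildSa("192.0.2.10", 0x2002, new))
    torn_down = db.keepalive_timeout(old)
    return sorted(c.spi for c in torn_down), sorted(c.spi for c in db.child_sas)


if __name__ == "__main__":
    for mode in (False, True):
        gone, kept = demo(mode)
        label = "paranoid" if mode else "original"
        print(f"{label:8} keepalives: torn down {[hex(s) for s in gone]}, kept {[hex(s) for s in kept]}")
```

With the original policy the Phase 2 SA that was negotiated under the still-healthy rekeyed Phase 1 SA is torn down as collateral; with the paranoid policy it survives, because deletion follows the parent binding rather than the peer address.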


Re: IPsec Paranoid Keepalives

Many thanks for the explanation.

So if the remote device of the IPsec session is not doing paranoid keepalives, the tunnel will still establish, but we could end up with hung Phase 2 SAs?