
IPSec/ISAKMP SA lifetime and broken connections

I run a hub and spoke VPN with a PIX at the hub and IOS routers running IPSec images at the spokes. Some of my sites have rather unreliable T1 circuits that tend to go out of service every once in a while for a minute or two.

My problem is that sometimes when the T1 circuits bounce, the IPSec connections do not reconnect right away. Sometimes they take 20 or 30 minutes to reconnect. Since this is not acceptable, I usually force the connections back up by clearing the SAs on the router or on the PIX or both.

Something tells me that there must be a better way. Will playing with the SA lifetime work? If the SA is still good when the circuit comes back, why don't the peers reconnect quickly? What can I do to alleviate this problem?

Thanks,

Diego


Re: IPSec/ISAKMP SA lifetime and broken connections

Diego,

Try enabling isakmp keepalive on the VPN devices.

This should take care of the problem.

Jazib
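
The keepalive suggested in the reply, as an added configuration example that is not part of the original thread. It assumes PIX 6.x command syntax on the hub and IOS syntax on the spokes; the 10-second interval and 3-second retry are constructed values, not settings given by either poster.

```cisco
! Spoke (IOS router), global configuration mode.
! Assumed timers: send a keepalive every 10 s, retry every 3 s if unanswered.
crypto isakmp keepalive 10 3

: Hub (PIX, 6.x syntax assumed), configuration mode.
: Same assumed timers as the spokes.
isakmp keepalive 10 3

! On either device, confirm the ISAKMP SA state after a circuit bounce:
!   show crypto isakmp sa
```

With keepalives running on both ends, a peer that stops answering is declared dead and its SAs are deleted, so new SAs are negotiated when the circuit returns instead of traffic being sent into stale ones.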
