For a special reason (I won't detail it now) I have to use the transport mode of IPSec on a PIX515E. The transport mode on PIX can be used only with dynamic crypto maps but not with static ones. It means that the PIX side of the IPSec connection cannot initialize the IPSec session. It is not a problem, I initialize it from the other side but I cannot guarantee that the session will be kept alive by the other side because of the traffic characteristics.
How can I manage to keep alive the manually already initialized session for EVER? The session limits have maximum values, the IKE keepalive also does not guarantee 100% the continuous connection:
"When the IKE SA expires, it does not renegotiate MM until a new IPSec SA is required. This means that during this non-IKE-SA period, IKE keepalive is not available to provide a resilience mechanism. In other words, if a new IPSec SA is negotiated [QM] just before the IKE SA expires and the headend router goes down just after it expires, then the far end will send traffic into a black hole for the length of the IPSec SA lifetime (one hour by default) since IKE will not be needed until a new QM is required. This has been identified as a bug and should be addressed in a future release of IOS."