ISAKMP keepalive help

whiteford
Level 1

Hi,

How can I make my ISAKMP keepalive connection get monitored more aggressively? Sometimes the tunnel will go down and not come back for a while unless I manually force it. It's a Cisco 1811 to a Cisco ASA.

5 Replies

michael.leblanc
Level 4

Take a look at "periodic DPD" which allows you to establish a retry interval, and is not dependent on waiting until there is traffic to be sent through the tunnel.

IOS e.g.: crypto isakmp keepalive 30 10 periodic

Peers would exchange messages every 30 seconds. If a message was not received when it was expected (30 sec. since the last received), it can query the far side. If three queries go unanswered, SAs will be cleared from the SADB.

This sounds great. Do I just add it to my current cryptomap?

And on both sides of the tunnel?

The "crypto isakmp keepalive 30 10 periodic" command is a standalone (not part of the cryptomap) IOS command. You should read the command reference before implementing any new commands.

Ideally, you'd find a comparable command for the ASA.

The command on the ASA would be

isakmp keepalive [threshold seconds] [retry seconds] [disable]

see:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140

If this is still of interest..

Regards,

Mat
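The DPD settings discussed above, written out for both peers as an added example (not posted by anyone in the thread). The peer address 192.0.2.1 is a placeholder, the ASA lines assume the 7.2 syntax from the linked command reference and an existing LAN-to-LAN tunnel group, and the 30/10 values simply mirror the IOS command quoted earlier.

```cisco
! --- IOS router (Cisco 1811), global configuration mode ---
! Standalone command, not entered under the crypto map.
! 30 = seconds between DPD messages, 10 = seconds between retries,
! periodic = send on a timer instead of only when traffic is pending.
crypto isakmp keepalive 30 10 periodic

! --- ASA, global configuration mode ---
! 192.0.2.1 is a placeholder for the router's peer address;
! the tunnel group is assumed to exist already for this peer.
tunnel-group 192.0.2.1 ipsec-attributes
 isakmp keepalive threshold 30 retry 10

! --- Check on either device after the tunnel renegotiates ---
show crypto isakmp sa detail
```

The keepalive setting takes effect when IKE is next negotiated, so an already established tunnel keeps its old behaviour until its SAs are rebuilt.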

renins.com
Level 1

USE:

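    ! Probe the far side with ICMP echo; timeout is in milliseconds
    ip sla 1
     icmp-echo XX.xxx.xxx.xxx source-interface FA0/0
     timeout 2000
     exit
    ip sla schedule 1 life forever start-time now
    ! Track the probe; report "down" only after 10 seconds of failure
    track 1 rtr 1
     delay down 10
     exit
    ! When the tracked object goes down, clear the ISAKMP SAs
    event manager applet app-sla-1
     event track 1 state down
     action 1.0 cli command "enable"
     action 1.1 cli command "clear crypto isakmp"
     set 2.0 _exit_status 1
     exit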
