New Member

ISAKMP keepalive help

Hi,

How can I make my ISAKMP keepalive connection get monitored more aggressively? Sometimes the tunnel will go down and not come back for a while unless I manually force it. It's a Cisco 1811 to a Cisco ASA.


Re: ISAKMP keepalive help

Take a look at "periodic DPD" which allows you to establish a retry interval, and is not dependent on waiting until there is traffic to be sent through the tunnel.

IOS e.g.: crypto isakmp keepalive 30 10 periodic

Peers would exchange messages every 30 seconds. If a message was not received when it was expected (30 sec. since the last received), it can query the far side. If three queries go unanswered, SAs will be cleared from the SADB.

New Member

Re: ISAKMP keepalive help

This sounds great. Do I just add it to my current cryptomap?

And on both sides of the tunnel?

Re: ISAKMP keepalive help

The "crypto isakmp keepalive 30 10 periodic" command is a standalone (not part of the cryptomap) IOS command. You should read the command reference before implementing any new commands.

Ideally, you'd find a comparable command for the ASA.

New Member

Re: ISAKMP keepalive help

The command on the ASA would be

isakmp keepalive [threshold seconds] [retry seconds] [disable]

see:

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/i3_72.html#wp1732140

If this is still of interest..

Regards,

Mat
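
Added example, not part of the thread and not Cisco tooling: a small Python check that reads the two keepalive commands quoted above out of an IOS and an ASA configuration and flags settings that slow or prevent dead-peer detection. The sample configs and the peer address are constructed, and treating a missing IOS mode keyword as on-demand is an assumption based on the IOS command reference.

```python
import re

# Constructed sample configs for illustration; 192.0.2.1 is a documentation address.
IOS_SAMPLE = """crypto isakmp policy 10
 encr aes
crypto isakmp keepalive 30 10 periodic
"""
ASA_SAMPLE = """tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive disable
"""

IOS_RE = re.compile(
    r"^crypto isakmp keepalive (\d+)(?: (\d+))?(?: (periodic|on-demand))?\s*$", re.M)

def parse_ios(cfg):
    """Return the global IOS DPD setting, or None if the command is absent."""
    m = IOS_RE.search(cfg)
    if not m:
        return None
    return {"interval": int(m.group(1)),
            "retry": int(m.group(2)) if m.group(2) else None,
            "mode": m.group(3) or "on-demand"}  # assumed default when no keyword is given

def parse_asa(cfg):
    """Map each tunnel-group to its explicit 'isakmp keepalive' arguments (None if unset)."""
    peers, current = {}, None
    for line in cfg.splitlines():
        head = re.match(r"tunnel-group (\S+) ipsec-attributes\s*$", line)
        if head:
            current = head.group(1)
            peers[current] = None
        elif not line.startswith(" "):
            current = None  # left the tunnel-group sub-mode
        elif current and (ka := re.match(r"\s+isakmp keepalive\s*(.*)$", line)):
            peers[current] = ka.group(1).strip()
    return peers

def audit(ios_cfg, asa_cfg):
    """List findings that would slow or prevent dead-peer detection."""
    findings = []
    ios = parse_ios(ios_cfg)
    if ios is None:
        findings.append("IOS: no 'crypto isakmp keepalive' configured")
    elif ios["mode"] != "periodic":
        findings.append("IOS: DPD is on-demand, so probes wait for outbound traffic")
    for peer, args in parse_asa(asa_cfg).items():
        if args is None:
            findings.append(f"ASA {peer}: no explicit keepalive, platform default applies")
        elif "disable" in args.split():
            findings.append(f"ASA {peer}: keepalive disabled")
    return findings
```

Calling `audit(IOS_SAMPLE, ASA_SAMPLE)` reports only the ASA side, since the IOS sample already uses periodic DPD.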

New Member

Re: ISAKMP keepalive help

USE:

ip sla 1
 icmp-echo XX.xxx.xxx.xxx source-interface FA0/0
 timeout 2000
 exit
ip sla schedule 1 life forever start-time now
track 1 rtr 1
 delay down 10
 exit
event manager applet app-sla-1
 event track 1 state down
 action 1.0 cli command "enable"
 action 1.1 cli command "clear crypto isakmp"
 set 2.0 _exit_status 1
 exit
