I'm just wondering, is it possible to have a keepalive set up over phase 2 of a VPN tunnel? I have a PIX-to-PIX VPN tunnel between two sites. One of the offices has to access an internal web server, which can only be resolved by an internal DNS, and there is about 3 seconds of delay during negotiation of the tunnel.
IKE SAs are re-negotiated just before the IKE Phase I lifetime expires (or because of DPD/keepalives), but your IPSec SAs will always be created as you have some traffic going across the VPN tunnel, based on proxy IDs (matching crypto ACLs).
Let's start from scratch. Without a tunnel, when a ClientPC needs to access the WebServer, it can only use the InternalDNS to resolve the name. On the ClientPC itself, there are two DNS servers set up: the primary is the InternalDNS, and the alternate is an ISPDNS.
Here is the problem: when the client tries to query the WebServer name, it initializes an IPSEC tunnel, but it takes a really minimal time to negotiate the tunnel. Meanwhile, the ClientPC thinks there is no reply from the InternalDNS and jumps to the ISPDNS, which of course cannot resolve the WebServer name. A negative cache is created inside the ClientPC; what happens is that the ClientPC has to wait another 5 minutes for the negative cache to expire in order to access the WebServer.
Afaq, I know this might sound like a tiny problem, but I have around 20 more branch offices out there, which will have the same problem. I have a maintenance contract with you guys on the Concentrator; should I open up a case?