Keepalive on Phase2 IPSEC

Hi everyone,

I'm just wondering, is it possible to have keepalive set up over phase 2 of the VPN tunnel? I have a PIX-to-PIX VPN tunnel between two sites; one of the offices has to access an internal web server which can only be resolved by an internal DNS, and there is about 3 seconds of delay during negotiation of the tunnel.

Any suggestion would be appreciated.



Re: Keepalive on Phase2 IPSEC


Keepalives would not help here.

IKE SAs are re-negotiated just before the IKE Phase I lifetime expires (or because of DPD/keepalives), but your IPsec SAs will always be created once you have some traffic going across the VPN tunnel, based on proxy IDs (matching crypto ACLs).

Why does it take 3 secs?



Re: Keepalive on Phase2 IPSEC

Hi Afaq,

Thanks for your reply. Let me explain the issue in a little more detail, then you will understand what my problem is.

Internal DNS---WebServer---VPN3015-------INTERNET-------PIX501----ClientPC

Let's start from scratch, without a tunnel: when the ClientPC needs to access the WebServer, it can only use the InternalDNS to resolve the name. On the ClientPC itself, it has two DNS servers set up: the primary is the InternalDNS, and the alternate is an ISPDNS.

Here is the problem: when the client tries to query the WebServer name, it initiates an IPsec tunnel, but it takes a really minimal amount of time to negotiate the tunnel, while the ClientPC thinks there is no reply from the InternalDNS and jumps to the ISPDNS, which of course cannot resolve the WebServer name. A negative cache entry is created on the ClientPC; what happens is that the ClientPC has to wait another 5 minutes for the negative cache to expire in order to access the WebServer.

Afaq, I know this might sound like a tiny problem, but I have around 20 more branch offices out there which will have the same problem. I have a maintenance contract with you guys on the Concentrator; should I open up a case?

Looking forward to your reply.
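The interaction described in the two posts above, as an added example that is not part of the original thread and is not Cisco or PIX code: a small Python model of the client resolver, the on-demand IPsec SA, and the negative cache. The host name, the IP address, and the 1-second per-server resolver timeout are constructed assumptions; the 3-second tunnel setup and the 5-minute negative cache come from the thread. The model shows why IKE keepalives/DPD do not change the outcome (they keep Phase 1 alive, but the IPsec SA still only comes up when matching traffic arrives) and that the query succeeds when the SA is already up because some earlier traffic matched the crypto ACL.

```python
"""Model of the DNS failover / negative-cache problem from the thread (constructed)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TUNNEL_SETUP_S = 3.0          # from the thread: ~3 s to negotiate the IPsec tunnel
RESOLVER_TIMEOUT_S = 1.0      # assumption: per-server timeout of the client resolver
NEGATIVE_CACHE_TTL_S = 300.0  # from the thread: ~5 minutes of negative caching

# Constructed sample zone data served only by the internal DNS.
INTERNAL_ZONE = {"webserver.corp.example": "10.1.1.20"}  # assumed name and address


@dataclass
class Tunnel:
    """IPsec SA that exists only after traffic matching the crypto ACL triggers it."""
    up_at: Optional[float] = None  # time at which SA negotiation finishes

    def send(self, now: float) -> float:
        """Send traffic at time `now`; return the delay (s) before it gets through.

        The first matching packet starts negotiation; later packets ride the
        existing SA with no extra delay.
        """
        if self.up_at is None:
            self.up_at = now + TUNNEL_SETUP_S
        return max(0.0, self.up_at - now)


@dataclass
class Client:
    """Client resolver: primary = internal DNS via the tunnel, alternate = ISP DNS."""
    tunnel: Tunnel
    negative_cache: Dict[str, float] = field(default_factory=dict)  # name -> expiry

    def resolve(self, name: str, now: float) -> Tuple[str, str]:
        """Return (answer, source) for `name` at time `now`."""
        # 1. A cached NXDOMAIN wins until it expires, even if the tunnel is up now.
        expiry = self.negative_cache.get(name)
        if expiry is not None and now < expiry:
            return ("NXDOMAIN", "negative-cache")

        # 2. Primary: the internal DNS, reachable only through the tunnel.
        delay = self.tunnel.send(now)
        if delay <= RESOLVER_TIMEOUT_S:
            return (INTERNAL_ZONE.get(name, "NXDOMAIN"), "internal-dns")

        # 3. Primary timed out: fall back to the ISP DNS, which does not know the
        #    internal zone, so its NXDOMAIN is cached for NEGATIVE_CACHE_TTL_S.
        self.negative_cache[name] = now + NEGATIVE_CACHE_TTL_S
        return ("NXDOMAIN", "isp-dns")


def cold_tunnel_scenario(name: str = "webserver.corp.example"):
    """Thread's situation: the DNS query itself is the traffic that triggers the SA."""
    client = Client(tunnel=Tunnel())
    first = client.resolve(name, now=0.0)     # tunnel not up in time -> ISP NXDOMAIN
    second = client.resolve(name, now=10.0)   # SA is up now, but negative cache wins
    third = client.resolve(name, now=301.0)   # negative cache expired -> works
    return first, second, third


def warm_tunnel_scenario(name: str = "webserver.corp.example"):
    """SA already established by earlier matching traffic, so the query gets through."""
    tunnel = Tunnel()
    tunnel.send(now=-60.0)  # some crypto-ACL-matching traffic a minute earlier
    client = Client(tunnel=tunnel)
    return client.resolve(name, now=0.0)


if __name__ == "__main__":
    for step in cold_tunnel_scenario():
        print("cold tunnel:", step)
    print("warm tunnel:", warm_tunnel_scenario())
```

In the cold case the first answer comes from the ISP DNS and is negatively cached, and the second query at 10 seconds still returns NXDOMAIN although the SA has long since finished negotiating; only the query after 300 seconds reaches the internal DNS. In the warm case the same query succeeds immediately because the SA already exists. The model does not include IKE keepalives at all, which matches the reply: they would keep the IKE SA alive but would not create the IPsec SA ahead of the first matching packet.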


