06-03-2003 06:17 AM - edited 03-09-2019 03:31 AM
I am looking for info on how exactly this command works and how to use it. For example: Is it needed on both end devices of an IPSec tunnel or just one? Do the parameters on either end need to match? Are there any general guidelines or "rules-of-thumb" for setting the parameters?
TIA,
Diego
06-03-2003 10:45 PM
Hi Diego,
If you are configuring ISAKMP keepalives, then you should do it on both ends. Furthermore, the keepalive duration has to match on both. Remember that keepalive is a bidirectional message using a HELLO/ACK scheme. Receipt of either a HELLO or ACK causes an entity's keepalive timer to reset. If none of them is received after a certain period of time, it assumes that the other is dead. There is considerable overhead for this implementation.
If you are really interested in faster failover in case a peer is dead, then you should go for DPD (Dead peer detection). The main feature of DPD is that "a peer is free to request proof of liveliness when it needs it -- not at mandated intervals as regular keepalives do."
To configure DPD, give the command "crypto isakmp keepalive
Note that DPD is bidirectional and will be sent by the party who wants to know if its peer is dead or alive.
I hope it is clear to you now. Let us know if you still have any issues.
Catch you soon,
Naveen
06-04-2003 07:31 AM
So what you are saying is that I use the same basic command which is "crypto isakmp keepalive". However, by adding the
Is this correct?
Thanks,
Diego
06-04-2003 08:00 PM
Exactly. For DPD to work, you should have a version more than 12.2(8)T. I am not very sure how the same command works for both. But I believe the developers have changed the code in 12.2(8)T and above so that the underlying keepalive concept remains transparent. With regular keepalives, the interested party had to wait for some 'n' number of tries before assuming the peer is dead, but DPD accelerates this process by having user-configurable retries.
What you can do practically is issue "debug crypto isa" on the router and see the log messages generated using "show logg". You'll see DPD/R_U_THERE and DPD/R_U_THERE_ACK messages in the logs. This should convince you that DPD is working properly. I have seen this during keepalive configuration in my lab.
This DPD is largely implementation specific. The DPD timer
I verified the command and found this link. It contains a host of crypto commands.
Feel free to let me know if my understanding is wrong.
Naveen
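As an added illustration of the two points in Naveen's reply (DPD declaring a peer dead after a configurable number of unanswered retries, and checking the debug output for DPD/R_U_THERE and DPD/R_U_THERE_ACK messages), here is a small Python script that is not from the thread or from Cisco. The line layout of the sample log, the peer addresses and the default retry count of 3 are all assumptions constructed for the example; only the R_U_THERE and R_U_THERE_ACK tokens come from the thread, so adapt the regular expression to the real "debug crypto isakmp" output on your platform.

```python
"""Classify IPsec peers as alive, pending or dead from DPD debug lines.

Added example, not from the thread. The log layout below (seconds, then the
ISAKMP message) is a constructed assumption; only the DPD/R_U_THERE and
DPD/R_U_THERE_ACK tokens are taken from the discussion.
"""
import re
from collections import defaultdict

# Constructed sample log: 10.0.0.2 answers every probe, 10.0.0.3 never
# answers (four retransmissions), 10.0.0.4 has one probe still outstanding.
SAMPLE_LOG = """\
0 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.2 seq 1
1 ISAKMP:(0):received DPD/R_U_THERE_ACK from 10.0.0.2 seq 1
10 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.2 seq 2
11 ISAKMP:(0):received DPD/R_U_THERE_ACK from 10.0.0.2 seq 2
10 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.3 seq 1
12 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.3 seq 1
14 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.3 seq 1
16 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.3 seq 1
20 ISAKMP:(0):sending DPD/R_U_THERE to 10.0.0.4 seq 1
"""

# Hypothetical line shape: "<seconds> ... DPD/<kind> to|from <peer> seq <n>"
LINE_RE = re.compile(
    r"^(\d+) .*DPD/(R_U_THERE(?:_ACK)?) (?:to|from) (\S+) seq (\d+)"
)


def parse(log_text):
    """Return (time, kind, peer, seq) tuples; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
    return events


def dpd_status(log_text, retries=3):
    """Map each peer to 'alive', 'pending' or 'dead'.

    An R_U_THERE_ACK clears the peer's outstanding-probe count (the timer
    reset Naveen describes). Once `retries` probes have gone unanswered the
    peer is considered dead; fewer unanswered probes leave it pending.
    The retries value is an assumed default, not a Cisco default.
    """
    outstanding = defaultdict(int)
    seen = set()
    for _time, kind, peer, _seq in parse(log_text):
        seen.add(peer)
        if kind == "R_U_THERE":
            outstanding[peer] += 1
        else:  # R_U_THERE_ACK: proof of liveliness, start counting afresh
            outstanding[peer] = 0
    status = {}
    for peer in seen:
        if outstanding[peer] >= retries:
            status[peer] = "dead"
        elif outstanding[peer] == 0:
            status[peer] = "alive"
        else:
            status[peer] = "pending"
    return status


if __name__ == "__main__":
    for peer, state in sorted(dpd_status(SAMPLE_LOG).items()):
        print(f"{peer}: {state}")
```

Run it against a captured "show logg" dump instead of SAMPLE_LOG to confirm that probes are being sent and answered; a peer that stays "pending" for longer than your configured retry interval times the retry count is the condition DPD is meant to catch.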
06-05-2003 06:42 AM
That looks like a great article.
Thanks,
Diego