
Disabling isakmp keepalives

Is this called command line inconsistency or documentation error? I am trying to disable isakmp keepalive by referring to the following document.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1049862

Look at step #6 and how they tell the reader to disable keepalive:

"IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command:"

ASA1# sh run all tunnel-group <PEER-IP>

tunnel-group <PEER-IP> type ipsec-l2l

tunnel-group <PEER-IP> general-attributes

no accounting-server-group

default-group-policy ipsec-SDM

tunnel-group <PEER-IP> ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate req

no chain

no ikev1 trust-point

isakmp keepalive threshold 10 retry 2

no ikev2 remote-authentication

no ikev2 local-authentication

ASA1# config t

ASA1(config)# tunnel-group <PEER-IP> ipsec-attributes

ASA1(config-tunnel-ipsec)# no isakmp keepalive threshold 10 retry 2

ASA1(config-tunnel-ipsec)# end

ASA1# sh run all tunnel-group <PEER-IP>

tunnel-group <PEER-IP> type ipsec-l2l

tunnel-group <PEER-IP> general-attributes

no accounting-server-group

default-group-policy ipsec-SDM

tunnel-group <PEER-IP> ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate req

no chain

no ikev1 trust-point

isakmp keepalive threshold 10 retry 2

no ikev2 remote-authentication

no ikev2 local-authentication

ASA1# config t

ASA1(config)#  tunnel-group <PEER-IP> ipsec-attributes

ASA1(config-tunnel-ipsec)# no isa

ASA1(config-tunnel-ipsec)# no isakmp kee

ASA1(config-tunnel-ipsec)# no isakmp keepalive ?

tunnel-group-ipsec mode commands/options:

  disable    Disable IKE keepalives

  retry      Enter the interval between retries after a keepalive response has

             not been received.

  threshold  Enter the number of seconds that the peer is allowed to idle

             before beginning keepalive monitoring

  <cr>

ASA1(config-tunnel-ipsec)# no isakmp keepalive

ASA1(config-tunnel-ipsec)# end

ASA1# sh run all tunnel-group <PEER-IP>

tunnel-group <PEER-IP> type ipsec-l2l

tunnel-group <PEER-IP> general-attributes

no accounting-server-group

default-group-policy ipsec-SDM

tunnel-group <PEER-IP> ipsec-attributes

ikev1 pre-shared-key *****

peer-id-validate req

no chain

no ikev1 trust-point

isakmp keepalive threshold 10 retry 2

no ikev2 remote-authentication

no ikev2 local-authentication

ASA1# sh run tunn

ASA1# sh run tunnel-group <PEER-IP>

tunnel-group <PEER-IP> type ipsec-l2l

tunnel-group <PEER-IP> general-attributes

default-group-policy ipsec-SDM

tunnel-group <PEER-IP> ipsec-attributes

ikev1 pre-shared-key *****

ASA1# config t

ASA1(config)# tunnel-group <PEER-IP> ipsec-attributes

ASA1(config-tunnel-ipsec)# no isa

ASA1(config-tunnel-ipsec)# no isakmp kee

ASA1(config-tunnel-ipsec)# no isakmp keepalive ?

tunnel-group-ipsec mode commands/options:

  disable    Disable IKE keepalives

  retry      Enter the interval between retries after a keepalive response has

             not been received.

  threshold  Enter the number of seconds that the peer is allowed to idle

             before beginning keepalive monitoring

  <cr>

ASA1(config-tunnel-ipsec)# isa

ASA1(config-tunnel-ipsec)# isakmp kee

ASA1(config-tunnel-ipsec)# isakmp keepalive dis

ASA1(config-tunnel-ipsec)# isakmp keepalive disable

ASA1(config-tunnel-ipsec)# end

ASA1# sh run tunn

ASA1# sh run tunnel-group <PEER-IP>

tunnel-group <PEER-IP> type ipsec-l2l

tunnel-group <PEER-IP> general-attributes

default-group-policy ipsec-SDM

tunnel-group <PEER-IP> ipsec-attributes

ikev1 pre-shared-key *****

isakmp keepalive disable

ASA1#


Re: Disabling isakmp keepalives

I do not think it is a command line inconsistency. It is clearly a documentation error. It should be reported to the Cisco team in charge of that documentation so that they can fix it.

HTH

Rick


Re: Disabling isakmp keepalives

It is a documentation error. Reported to TAC. You may find the details in the above link after 48 hours.

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCub76978
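A check for the behaviour shown in this thread, as an added example that is not part of the original posts or of Cisco's documentation: it reads `show running-config [all] tunnel-group` output and reports each tunnel-group's IKE keepalive state, so the result of a change is verified from the configuration rather than assumed after `no isakmp keepalive`. The sample text is constructed from the thread's output; the group name `PEER-B` and the function name `keepalive_state` are assumptions.

```python
import re

# Constructed sample: the thread's "show run all" state after
# "no isakmp keepalive" (timers still listed), plus a hypothetical
# group PEER-B in the state left by "isakmp keepalive disable".
SAMPLE = """\
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
 default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group PEER-B type ipsec-l2l
tunnel-group PEER-B ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+(\S+)")
KEEPALIVE = re.compile(r"^isakmp keepalive\s+(.*)$")
TIMERS = re.compile(r"threshold\s+(\d+)\s+retry\s+(\d+)")

def keepalive_state(config_text):
    """Map each tunnel-group name to its effective IKE keepalive state."""
    state = {}
    in_ipsec = None  # group whose ipsec-attributes section we are inside
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            name, mode = header.groups()
            # Keepalives are on by default; plain "show run" omits the line.
            state.setdefault(name, "enabled (default)")
            in_ipsec = name if mode == "ipsec-attributes" else None
            continue
        if "#" in line.split(" ")[0]:  # a CLI prompt line ends the listing
            in_ipsec = None
            continue
        ka = KEEPALIVE.match(line)
        if ka and in_ipsec:
            timers = TIMERS.search(ka.group(1))
            if ka.group(1).strip() == "disable":
                state[in_ipsec] = "disabled"
            elif timers:
                state[in_ipsec] = "enabled (threshold %s, retry %s)" % timers.groups()
    return state
```

The parser accepts both indented device output and the unindented, blank-line-separated form pasted in the first post, and ignores prompt lines such as `ASA1#`.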
