Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Dead Peer Detection does not work !!!


I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10seconds.

Tunnel is up and working, encrypting traffc between loopbacks on the 2811s when I do extended pings.

Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.

I now kill a link betwen the switches, isolating the 2811's. I can no longer do my extended ping between the loopbacks between the 2811's, as would be expected. However, why isn't the DPD taking the SA down? When I do a show cryto isakmp sa detail again, there is no difference to the output when the VPN was up and running. I AM generating traffic so why isn't the SA being deleted? I have NTP running with teh source address as the loopbacks so there is always interesting traffic.

If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!

Thanks for your help.



Re: Dead Peer Detection does not work !!!

This issue could be related to this cisco bug :CSCef81595

Community Member

Re: Dead Peer Detection does not work !!!

your message caught my interest. Worked on previous problem where this appeared to be the problem.. In my case, there was a fw in the middle that did not have all the right IPSec ports open.. However, during troubleshooting Cisco TAC sent over a doc in regards to invalid SPI recovery for IOS routers.. Essentially, a feature that can be enabled to more quickly detect a failed peer. You may want to look into this feature

CreatePlease to create content