I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10seconds.
Tunnel is up and working, encrypting traffc between loopbacks on the 2811s when I do extended pings.
Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.
I now kill a link betwen the switches, isolating the 2811's. I can no longer do my extended ping between the loopbacks between the 2811's, as would be expected. However, why isn't the DPD taking the SA down? When I do a show cryto isakmp sa detail again, there is no difference to the output when the VPN was up and running. I AM generating traffic so why isn't the SA being deleted? I have NTP running with teh source address as the loopbacks so there is always interesting traffic.
If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!
your message caught my interest. Worked on previous problem where this appeared to be the problem.. In my case, there was a fw in the middle that did not have all the right IPSec ports open.. However, during troubleshooting Cisco TAC sent over a doc in regards to invalid SPI recovery for IOS routers.. Essentially, a feature that can be enabled to more quickly detect a failed peer. You may want to look into this feature
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...