Dead Peer Detection does not work !!!

kirkster
Level 3

Guys,

I have two 2811 VPN routers connected via several switches. Static crypto maps and isakmp keepalives at 10 seconds.

Tunnel is up and working, encrypting traffic between loopbacks on the 2811s when I do extended pings.

Everything works fine. I do a show crypto isakmp sa detail and can see the security association and remaining lifetime.

I now kill a link between the switches, isolating the 2811s. I can no longer do my extended ping between the loopbacks on the 2811s, as would be expected. However, why isn't the DPD taking the SA down? When I do a show crypto isakmp sa detail again, there is no difference to the output from when the VPN was up and running. I AM generating traffic, so why isn't the SA being deleted? I have NTP running with the source address as the loopbacks so there is always interesting traffic.

If I use periodic keepalives it works properly and the SA drops out. However, I am labbing this problem because with my customer a 6500 VPN SPA is the tunnel endpoint and this does not support periodic keepalives !!!

Thanks for your help.

Steve
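The two keepalive modes the thread contrasts behave differently by design. As an added illustration (model code written for this page, not Cisco's, and not a claim about why the SA stayed up in the lab above), the following simulates the timing rules of RFC 3706 Dead Peer Detection: periodic mode probes the peer every interval regardless of traffic, while on-demand mode probes only when the router has outbound traffic and has heard nothing from the peer for a full interval. The parameters mirror the IOS form `crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic | on-demand]`; the retry count of three and the one-second clock are assumptions of the model.

```python
"""Simulation of IKE Dead Peer Detection timing (RFC 3706), written as an
added example for this thread. It is not Cisco code and does not model
IOS internals; it only shows when each keepalive mode tears an SA down.
"""


def simulate(periodic, outbound, link_down_at, duration=120,
             interval=10, retry=2, retries=3):
    """Return the second at which DPD declares the peer dead, or None.

    periodic     - True for periodic keepalives, False for on-demand
    outbound     - set of seconds at which this router has traffic for the peer
    link_down_at - second from which the peer is unreachable (no replies, no ACKs)
    interval     - seconds of peer silence before a R-U-THERE (IOS <seconds>)
    retry        - seconds between retransmitted probes (IOS <retry-seconds>)
    retries      - unanswered probes tolerated before the SA is dropped (assumed: 3)
    """
    last_inbound = 0      # last second anything arrived from the peer
    last_probe = None     # last second a R-U-THERE was sent
    unanswered = 0        # consecutive probes without a R-U-THERE-ACK

    for now in range(1, duration + 1):
        alive = now < link_down_at

        # While the link is up, our outbound traffic draws replies, and any
        # packet from the peer is proof of liveness (RFC 3706 section 5.1).
        if now in outbound and alive:
            last_inbound = now

        # Decide whether to send a R-U-THERE this second.
        if unanswered:
            # A probe is outstanding: retransmit on the retry timer, in both modes.
            send = now - last_probe >= retry
        elif periodic:
            # Periodic: probe every interval whether or not traffic is flowing.
            send = last_probe is None or now - last_probe >= interval
        else:
            # On-demand: probe only when we have something to send AND the
            # peer has been silent for a full interval.
            send = now in outbound and now - last_inbound >= interval

        if not send:
            continue

        last_probe = now
        if alive:
            last_inbound = now        # R-U-THERE-ACK came back
            unanswered = 0
        else:
            unanswered += 1
            if unanswered > retries:
                return now            # SA torn down here
    return None


def compare_modes(link_down_at=30):
    """Run both modes with and without steady outbound traffic; return a dict."""
    steady = set(range(0, 120, 5))    # constructed: a packet every 5 s, NTP-like
    return {
        "periodic, no traffic": simulate(True, set(), link_down_at),
        "periodic, steady traffic": simulate(True, steady, link_down_at),
        "on-demand, no traffic": simulate(False, set(), link_down_at),
        "on-demand, steady traffic": simulate(False, steady, link_down_at),
    }


if __name__ == "__main__":
    for label, when in compare_modes().items():
        print(f"{label:28s} -> {'SA dropped at t=%ds' % when if when else 'SA never dropped'}")
```

With the link cut at t=30, the model drops the SA at t=37 in periodic mode regardless of traffic, at t=41 in on-demand mode when outbound traffic keeps flowing, and never in on-demand mode when there is nothing to send. The useful check in a lab is therefore whether the router is actually originating traffic over the tunnel during the outage and whether `debug crypto isakmp` shows R-U-THERE messages leaving at all.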

2 Replies

didyap
Level 6

This issue could be related to this Cisco bug: CSCef81595

meverett
Level 1

Your message caught my interest. I worked on a previous problem where this appeared to be the issue. In my case, there was a firewall in the middle that did not have all the right IPsec ports open. However, during troubleshooting Cisco TAC sent over a doc regarding invalid SPI recovery for IOS routers. Essentially, it is a feature that can be enabled to more quickly detect a failed peer. You may want to look into this feature.
