Difference between isakmp keepalive and invalid-spi-recovery


Could someone give me the difference between isakmp keepalive and isakmp invalid-spi-recovery?

In which case must keepalive be used, and in which case must invalid-spi-recovery be used?

Which one is the best to maintain an accurate IPsec VPN?

May I use both of them or just one?

Thanks!

Re: Difference between isakmp keepalive and invalid-spi-recovery

Keepalive is used for detection, while invalid SPI recovery is one of the ways to fix up a VPN black hole.

With keepalive enabled, the router/PIX will be able to determine whether the VPN peer is still alive or not. In case the peer doesn't respond for a certain period of time, the router/PIX will decide to remove the VPN that was created.

In case there was some sort of interruption of the Internet link, the VPN peer will still consider that the "old" VPN is up, whereas the local device would have no VPN, as keepalive suggested. What would happen next is that the peer will keep sending traffic via the "old" VPN, while the local device will try to initiate a "new" VPN. This is when the invalid SPI recovery feature gets involved.

With invalid SPI recovery, the router/PIX will be able to notify the peer in order to trash the old VPN, and create a new VPN at the same time.

I guess they work together, not overlapping each other.
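The two mechanisms the reply describes, shown side by side as an added IOS configuration example (not the poster's or Cisco's own configuration; the timer values are arbitrary assumptions, and the syntax is the `crypto isakmp` form used on IOS routers, not the PIX equivalent):

```text
! Detection: Dead Peer Detection via ISAKMP keepalives.
! After 10 s with no traffic from the peer, send a DPD request; if no reply,
! retry every 3 s. Once the retries are exhausted the peer is declared dead and
! its IKE and IPsec SAs are removed locally. This is the "keepalive" half:
! it only tells THIS router that the peer is gone.
crypto isakmp keepalive 10 3 periodic
!
! Recovery: if ESP packets now arrive carrying an SPI this router no longer has
! (the peer is still using the "old" VPN), the router initiates IKE to that peer
! and sends a delete/invalid-SPI notification so the peer tears down its stale
! SA and renegotiates, instead of black-holing traffic until its own lifetime
! expires. Without this line, unknown-SPI packets are silently dropped.
crypto isakmp invalid-spi-recovery
```

To confirm the behaviour, `show crypto isakmp sa` on both peers after a simulated link cut should show the old SA gone on the local side and a fresh SA negotiated once the peer has been notified.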
