
New Member

IPSEC + BRI backup line

We have an issue with our ISDN backup line using IPsec on a 7200 router (IOS 12.3(6)).

When the ISDN link goes up for a few minutes, one hour later the same link goes up again for no apparent reason.

We suspect that it is related to the default IPsec lifetime (3600 seconds), as we disabled the crypto map on the ISDN interface and after a test the link went up only once, as it should.

Any advice or similar experiences?

3 REPLIES
Silver

Re: IPSEC + BRI backup line

I think you are correct in tracing the BRI activation to the IPsec: once the link comes up it will establish an SA and try to re-key after the lifetime interval expires.

Can you set your ISDN link as a backup using the interface backup keyword? Simple, but it may be a bit limiting for your application.

As an alternative, how about setting IPsec as non-interesting traffic and using either dialer watch or object tracking to activate the ISDN?

Dialer watch would activate on loss of a watched route, or you can use object tracking to ping a remote device; then, if the ping fails, activate a static route that points over the ISDN. This would activate the ISDN, which in turn allows IPsec to establish.

The best way depends on your application; either way you have to define IPsec as non-interesting traffic and find some other way to activate the ISDN under failure conditions.

Andy
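The two approaches Andy describes, written out as an IOS configuration. This is an added example, not configuration from the original thread or from the poster's router. Interface names, addresses, the ISDN switch type, the dial string, the crypto map name VPN and the watched prefix 10.10.0.0/16 are all assumptions; adapt them to your network. The `non500-isakmp` ACL keyword (UDP 4500, NAT-T) is assumed to be available in the IOS release in use.

```cisco
! Option 1: BRI as a pure standby of the primary WAN link.
! The BRI only dials after Serial0/0 has been line-protocol down for 5 s,
! and is dropped 30 s after the serial link recovers. While in standby the
! BRI is not eligible to dial, so an IPsec re-key cannot bring it up.
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 backup interface BRI0/0
 backup delay 5 30
 crypto map VPN
!
! Option 2: dialer watch, with IKE and ESP made non-interesting.
! The dialer-list decides only what is allowed to place a call and reset the
! idle timer; once the line is up, IKE (UDP 500/4500) and ESP are still
! forwarded, so the tunnel establishes normally.
access-list 101 deny   udp any any eq isakmp
access-list 101 deny   udp any any eq non500-isakmp
access-list 101 deny   esp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101
!
! Dial when the watched route (learned over the primary link from the
! remote site, assumed prefix) disappears from the routing table.
dialer watch-list 1 ip 10.10.0.0 255.255.0.0
!
interface BRI0/0
 ip address 198.51.100.1 255.255.255.0
 encapsulation ppp
 isdn switch-type basic-net3
 dialer map ip 198.51.100.2 name REMOTE broadcast 5551234
 dialer idle-timeout 120
 dialer-group 1
 dialer watch-group 1
 crypto map VPN
```

Caveat for option 2: the watched route must be present in the routing table exactly as listed (same prefix and mask), so it normally comes from a routing protocol running over the primary link, and a `dialer map` for the far end of the BRI must exist. With IKE and ESP excluded from the interesting-traffic list, a phase 2 re-key at the end of the 3600 s lifetime no longer places a call; if IKE keepalives or DPD are configured, they must also be excluded for the same reason.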

New Member

Re: IPSEC + BRI backup line

Thanks Andy for your answer.

In the meantime I found the following command for the crypto map ipsec-isakmp:

set security-association idletime.

I put this setting on one crypto map with a 660 second idle time, and now the link doesn't come up twice if there is no interesting traffic.

Any advice?

Cheers
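The fix described in this reply, as an added example rather than the poster's own configuration. In the IOS CLI the keyword is spelled `idle-time`; it exists both per crypto map entry and as a global default. Peer address, transform set, ACL number and crypto map name are assumptions.

```cisco
! Per crypto map entry: delete the IPsec SAs on this entry after 660 s with
! no traffic. 660 s is well under the default 3600 s lifetime, so on an
! otherwise idle ISDN link the SA is gone before any re-key is attempted,
! and nothing is left to dial the line a second time.
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 set security-association idle-time 660
 match address 110
!
! Or as a global default for every crypto map on the router:
crypto ipsec security-association idle-time 660
!
! Checks after the ISDN call has cleared and the idle time has elapsed:
!   show crypto ipsec sa        - no active SA should remain for the peer
!   show dialer                 - "Dial reason" shows which packet last
!                                 triggered a call (it should be user
!                                 traffic, not UDP/500 between the peers)
```

Pick an idle time longer than the `dialer idle-timeout` on the BRI, otherwise the SA is torn down while the call is still up and the next user packet pays for a fresh IKE negotiation over the same call.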

Silver

Re: IPSEC + BRI backup line

I don't recall seeing that command before, even though I'm studying hard for my CCIE Security lab!

So I had a look on Cisco.com and found this document, in which this command is used to fix the problem you describe.

http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00803f86ca.html#wp1027188

Did you already use the default and preferred peer statements? This technology would fix one of the questions in one of my study labs, and may be useful in a new network I've been asked to assist with.
