With a PIX 6.x I have the following command entered
isakmp keepalive 15
With this, should I expect a remote host to be 'alive' based on this 15 second keepalive? It takes one ICMP timeout before the remote host answers; this happens after some time of inactivity. The remote side is a Cisco IOS device; I'm not sure of the version.
The ''isakmp keepalive 15'' command is going to allow the PIX to tear down the tunnel if it does not receive an answer from the other peer.
Normally, the ISAKMP SAs are torn down after the SA lifetime expires (but in some cases this causes problems, because the tunnel goes down and the other side has no way to know it until the SA lifetime expires).
So, the ''isakmp keepalive 15'' command will allow the PIX to monitor the health of the other VPN peer, detect that no response has been received after 15 seconds of being idle, and tear down the tunnel.
To Federico's point above, the isakmp keepalive command actually has two components. The first value indicates the interval at which the PIX will send a keepalive message to its peer. In your case this value is every 15 seconds. The second value is the retry interval which by default is 2 seconds but can be configured up to 10 seconds. During the phase 1 negotiation, the peers will identify to each other whether or not they support the keepalive mechanism. If they do, they will use the keepalive as a hello/ACK mechanism in order to identify possible issues with the peers themselves or the transit path in between. After sending a series of unanswered hellos, the PIX will assume the peer is no longer available and time the SAs out of the SADB.
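As an added illustration (not code from the thread or from Cisco), the following Python model walks through the two-timer behaviour described in the answer above: a hello after 15 idle seconds, retries at the 2 second retry interval, and the SA timed out after a series of unanswered hellos. The number of unanswered hellos that counts as "dead" (3 here) is an assumption, since the thread does not give it; the traffic and ACK timings are constructed.

```python
class KeepaliveMonitor:
    """One side of the ISAKMP keepalive hello/ACK exchange (simplified model).

    interval: idle seconds before the first hello (first value of the command, 15 here)
    retry:    seconds between unanswered hellos (second value, default 2)
    max_unanswered: assumed count of unanswered hellos before the peer is declared dead
    """

    def __init__(self, interval=15, retry=2, max_unanswered=3):
        self.interval = interval
        self.retry = retry
        self.max_unanswered = max_unanswered
        self.pending = 0                 # hellos sent without an ACK
        self.next_hello = interval       # clock time of the next hello check
        self.events = []                 # ("hello", t) or ("dead", t)

    def receive(self, now):
        """Inbound traffic or a hello-ACK proves the peer is alive: reset both timers."""
        self.pending = 0
        self.next_hello = now + self.interval

    def tick(self, now):
        """Advance the clock to `now`. Returns True while the SA is still considered alive."""
        if now < self.next_hello:
            return True
        if self.pending >= self.max_unanswered:
            self.events.append(("dead", now))    # SAs would be timed out of the SADB here
            return False
        self.pending += 1
        self.events.append(("hello", now))
        self.next_hello = now + self.retry       # retries use the shorter retry interval
        return True


def simulate(inbound_times, ack_delay=None, horizon=60, **kw):
    """Run the monitor one second at a time (constructed scenario, not a packet capture).

    inbound_times: times at which peer traffic arrives; ack_delay: if set, the peer
    answers every hello after that many seconds. Returns (time declared dead or None,
    list of hello times)."""
    mon = KeepaliveMonitor(**kw)
    pending_acks = []
    for now in range(horizon + 1):
        if now in inbound_times:
            mon.receive(now)
        if ack_delay is not None and pending_acks and pending_acks[0] <= now:
            pending_acks.pop(0)
            mon.receive(now)
        sent_before = len(mon.events)
        if not mon.tick(now):
            return now, [t for kind, t in mon.events if kind == "hello"]
        if ack_delay is not None and len(mon.events) > sent_before:
            pending_acks.append(now + ack_delay)   # the peer will ACK this hello later
    return None, [t for kind, t in mon.events if kind == "hello"]
```

With a silent peer the model sends hellos at 15, 17 and 19 seconds and declares the peer dead at 21; a peer that ACKs within a second keeps the SA up indefinitely, which is the hello/ACK behaviour the answer describes.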