
New Member

Help Required Reg IPSec DPD (Dead Peer Detection)

Dear All,

We are facing a strange problem in our network regarding IPSec. Below is the config

====================================================================

crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key <> address <>
crypto isakmp key <> address <>
crypto isakmp keepalive 120  <------------------------****
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set <> esp-3des esp-sha-hmac

=====================================================================

When we remove the crypto map from the serial interface, the session still stays ACTIVE; it does not time out or become IDLE.

How can we troubleshoot this? Even when the session is active, the prefixes which we have selected for encryption still do not work; we have to clear the session and re-establish it. How can we make it more stable?

For DPD periodic, can we make it unidirectional?

Regards,

Ranjit

1 ACCEPTED SOLUTION

Super Bronze

Re: Help Required Reg IPSec DPD (Dead Peer Detection)

Great to hear. Please mark the question answered. Thanks.

3 REPLIES
Super Bronze

Re: Help Required Reg IPSec DPD (Dead Peer Detection)

The keepalive is currently set to 2 minutes. Try to lower the keepalive to 10 seconds and see if you are still seeing the tunnel drop issue.

What is the peer device? I would also advise you to configure the same if it's also a Cisco device.

New Member

Re: Help Required Reg IPSec DPD (Dead Peer Detection)

Dear All,

Thanks for your reply, we got the issue sorted out.

As the crypto ipsec security-association lifetime is 86400 seconds and DPD was using the ON_DEMAND approach, if the link goes down and there is no traffic from the remote peer, the router will not find out about the dead peer until the IKE or IPSec security association (SA) has to be rekeyed.

We have changed crypto isakmp keepalive 30 to periodic so that the router will send "hello" messages every 30 seconds and, if it does not get a reply, will change the state to down.

Regards,

Ranjit
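An added example, not part of the original thread: a small audit that scans an IOS-style config for the `crypto isakmp keepalive` line and flags the failure mode described above (on-demand DPD, or a long probe interval, leaving a dead peer undetected until SA rekey). The two config fragments are constructed to mirror the poster's before and after settings; the default retry interval (2 s) and default mode (on-demand) are assumed from IOS behaviour.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed samples: the poster's original config (on-demand DPD every 120 s)
# and the corrected form from the thread (periodic DPD every 30 s, 5 s retries).
BEFORE_CFG = """\
crypto isakmp keepalive 120
crypto ipsec security-association lifetime seconds 86400
"""
AFTER_CFG = """\
crypto isakmp keepalive 30 5 periodic
crypto ipsec security-association lifetime seconds 86400
"""

# crypto isakmp keepalive <seconds> [<retry-seconds>] [periodic | on-demand]
KEEPALIVE_RE = re.compile(
    r"^\s*crypto isakmp keepalive\s+(\d+)(?:\s+(\d+))?(?:\s+(periodic|on-demand))?\s*$")
LIFETIME_RE = re.compile(r"^\s*crypto ipsec security-association lifetime seconds\s+(\d+)")

@dataclass
class DpdFinding:
    interval: Optional[int]      # seconds between DPD probes; None if DPD is absent
    retry: Optional[int]         # retry interval; assumed IOS default 2 s when omitted
    mode: str                    # "periodic", "on-demand" or "none"
    sa_lifetime: Optional[int]   # IPSec SA lifetime in seconds, if configured
    warnings: List[str] = field(default_factory=list)

def audit_dpd(config: str, max_interval: int = 30) -> DpdFinding:
    """Return DPD settings and warn where a dead peer is only noticed at rekey time."""
    f = DpdFinding(None, None, "none", None)
    for line in config.splitlines():
        m = KEEPALIVE_RE.match(line)
        if m:
            f.interval = int(m.group(1))
            f.retry = int(m.group(2)) if m.group(2) else 2   # assumed IOS default
            f.mode = m.group(3) or "on-demand"                # assumed IOS default
            continue
        m = LIFETIME_RE.match(line)
        if m:
            f.sa_lifetime = int(m.group(1))
    if f.mode == "none":
        f.warnings.append("no DPD: a dead peer is detected only when the SA is rekeyed")
    elif f.mode == "on-demand":
        f.warnings.append("on-demand DPD probes only when traffic is sent; "
                          "an idle tunnel stays ACTIVE until rekey")
    if f.interval is not None and f.interval > max_interval:
        f.warnings.append(f"keepalive interval {f.interval}s exceeds {max_interval}s")
    return f
```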

