<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: PIX Failover issue in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342156#M555341</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sure. On a PIX, the command would be:&lt;/P&gt;&lt;P&gt;isakmp keepalive seconds [retry_seconds]&lt;/P&gt;&lt;P&gt;The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval.&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312" target="_blank"&gt;http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Similarly, with IOS, the command is&lt;/P&gt;&lt;P&gt;crypto isakmp keepalive seconds [retry-seconds]&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kev&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 08 Nov 2004 16:56:00 GMT</pubDate>
    <dc:creator>kagodfrey</dc:creator>
    <dc:date>2004-11-08T16:56:00Z</dc:date>
    <item>
      <title>PIX Failover issue</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342153#M555329</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I configured failover between two 515E firewalls and I also have about 30 tunnels (IPSEC) configured.&lt;/P&gt;&lt;P&gt;When I tested the failover it works fine and when I force the main PIX to be the primary, it works fine as well, but the only problem is that half of my tunnels do not come up (cannot ping etc. to these remote sites) and if I do a show isakmp sa I see all the tunnels built on the PIX and they look normal. The way I fix the other tunnels is to reinitialize them but I would not like to do that and wonder if somebody out there has experienced this and if there is a command or something to fix this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Any hints would be appreciated,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 07:43:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342153#M555329</guid>
      <dc:creator>u.naranjo</dc:creator>
      <dc:date>2020-02-21T07:43:45Z</dc:date>
    </item>
    <item>
      <title>Re: PIX Failover issue</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342154#M555333</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I think the issue is likely to be caused by some of your VPN endpoints not being able to detect the "loss" of the peers (as ipsec sessions do not fail over - even with a stateful failover configuration), so you need to employ Dead Peer Detection by configuring isakmp keepalive on your devices; then when you fail over, the isa sa's are negotiated anew.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kev&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Nov 2004 12:28:24 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342154#M555333</guid>
      <dc:creator>kagodfrey</dc:creator>
      <dc:date>2004-11-05T12:28:24Z</dc:date>
    </item>
    <item>
      <title>Re: PIX Failover issue</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342155#M555338</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Kev,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thank you for your reply. Can you be more specific about the keepalive command needed on the remotes? In the meantime I'll do some research on Cisco's web site.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks again,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Uriel.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 05 Nov 2004 16:35:49 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342155#M555338</guid>
      <dc:creator>u.naranjo</dc:creator>
      <dc:date>2004-11-05T16:35:49Z</dc:date>
    </item>
    <item>
      <title>Re: PIX Failover issue</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342156#M555341</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Sure. On a PIX, the command would be:&lt;/P&gt;&lt;P&gt;isakmp keepalive seconds [retry_seconds]&lt;/P&gt;&lt;P&gt;The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval.&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312" target="_blank"&gt;http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312&lt;/A&gt;&lt;/P&gt;&lt;P&gt;Similarly, with IOS, the command is&lt;/P&gt;&lt;P&gt;crypto isakmp keepalive seconds [retry-seconds]&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Kev&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 08 Nov 2004 16:56:00 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342156#M555341</guid>
      <dc:creator>kagodfrey</dc:creator>
      <dc:date>2004-11-08T16:56:00Z</dc:date>
    </item>
    <item>
      <title>Re: PIX Failover issue</title>
      <link>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342157#M555343</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All right I'll try this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks very much.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Uriel.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 08 Nov 2004 20:59:13 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/pix-failover-issue/m-p/342157#M555343</guid>
      <dc:creator>u.naranjo</dc:creator>
      <dc:date>2004-11-08T20:59:13Z</dc:date>
    </item>
  </channel>
</rss>

