Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
306
Views
0
Helpful
4
Replies

PIX Failover issue

u.naranjo
Level 1
Level 1

‎11-04-2004 02:26 PM - edited ‎02-20-2020 11:43 PM

Hi,

I configured failover between two 515E firewalls and I also have about 30 tunnels(IPSEC)configured.

When I tested the failover it works fine and when I force the main PIX to be the primary, it works fine as well but the only problem is that half of my tunnels do not come up(Can not ping etc to these remote sites) and if a do a show isakmp sa I see all the tunnels built on the pix and they look normal. The way I fix the other tunnels is to reinitialize them but I would not like to do that and wonder if somebody out there has experienced this and if there is a command or something to fix this.

Any hints would be appreciated,

Regards,

0 Helpful
4 Replies 4

kagodfrey
Level 3
Level 3

‎11-05-2004 04:28 AM

I think the issue is likely to be caused by some of your VPN endpoints not being able to detect the "loss" of the peers (as ipsec sessions do not fail over - even with a statefull failover configuration) so you need to employ Dead Peer Detection by configuring isakmp keepalive on your devices, then when you failover the isa sa's are negotiated anew

HTH

Kev

0 Helpful

u.naranjo
Level 1
Level 1
In response to kagodfrey

‎11-05-2004 08:35 AM

Kev,

Thank you for your reply. Can you be more specific about the keepalive command needed on the remotes? in the mean time I'll do some research on Cisco's web site.

Thanks again,

Uriel.

0 Helpful

kagodfrey
Level 3
Level 3
In response to u.naranjo

‎11-08-2004 08:56 AM

Sure. On a pix, the command would be:

isakmp keepalive seconds [retry_seconds]

The keepalive interval can be between 10 and 3600 seconds. The retry interval can be between 2 and 10 seconds, with the default being 2 seconds. The retry interval is the interval between retries after a keepalive response has not been received. You can specify the keepalive interval without specifying the retry interval, but cannot specify the retry interval without specifying the keepalive interval.

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727a9.html#wp1027312

Similarly, with IOS, the command is

crypto isakmp keepalive seconds [retry-seconds]

HTH

Kev

0 Helpful

u.naranjo
Level 1
Level 1
In response to kagodfrey

‎11-08-2004 12:59 PM

All right I'll try this.

Thanks very much.

Uriel.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card