
IP-Sec Paranoid Keepalives

tsalt
Level 1

Please could somebody explain what "paranoid Keepalives" are?

Also, when we do a debug we see the following:

"peer does not do paranoid keepalives"

Why do I see this output while the IPsec connection still establishes?


tstanik
Level 5

Paranoid keepalives are an enhancement of the original keepalives that is negotiated at phase 1. With the original keepalives, if a phase 1 SA is deleted because of no keepalive answer, it brings down with it _all_ phase 2 SAs with the same peer. This can lead to a situation with dangling SAs. With paranoid keepalives, the phase 2 SAs are bound to the phase 1 SA under which they were created, and when the phase 1 SA is deleted, only the associated phase 2 SAs will be deleted.
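
The following is an added illustration, not code from this thread and not Cisco IOS code. It is a toy model of the teardown rule described in the reply above: a peer holding two phase 1 SAs at once (the situation after a phase 1 rekey, where the old and new IKE SAs briefly coexist), each with its own phase 2 children. When keepalives on the old phase 1 SA go unanswered, the "original" rule drops every phase 2 SA with that peer, while the "paranoid" rule drops only the children negotiated under the dead phase 1 SA. The names (`Peer`, `IkeSa`, `IpsecSa`, the `ike-old`/`esp-1` identifiers) and the scenario are this example's own constructions.

```python
"""Toy model of phase 2 SA teardown after a failed phase 1 keepalive.

Added example for illustration only; the classes, identifiers and the
scenario are constructed here and are not Cisco IOS code or data.
"""

from dataclasses import dataclass, field


@dataclass
class IkeSa:
    """Phase 1 (ISAKMP/IKE) SA; spi is a constructed identifier."""
    spi: str


@dataclass
class IpsecSa:
    """Phase 2 (IPsec) SA, bound to the phase 1 SA it was negotiated under."""
    spi: str
    parent: str  # spi of the phase 1 SA that negotiated this SA


@dataclass
class Peer:
    """All SAs a local box holds towards one remote peer."""
    addr: str
    ike_sas: dict = field(default_factory=dict)    # spi -> IkeSa
    ipsec_sas: dict = field(default_factory=dict)  # spi -> IpsecSa

    def negotiate_phase1(self, spi):
        self.ike_sas[spi] = IkeSa(spi)

    def negotiate_phase2(self, spi, parent):
        # A phase 2 SA can only be created under a live phase 1 SA.
        if parent not in self.ike_sas:
            raise ValueError(f"no phase 1 SA {parent} to negotiate {spi} under")
        self.ipsec_sas[spi] = IpsecSa(spi, parent)


def keepalive_failed(peer, ike_spi, paranoid):
    """Delete the phase 1 SA whose keepalives went unanswered and return the
    sorted list of phase 2 SA spis torn down with it.

    paranoid=False: every phase 2 SA with this peer is deleted.
    paranoid=True:  only phase 2 SAs created under ike_spi are deleted.
    """
    del peer.ike_sas[ike_spi]
    if paranoid:
        victims = [s for s, sa in peer.ipsec_sas.items() if sa.parent == ike_spi]
    else:
        victims = list(peer.ipsec_sas)
    for s in victims:
        del peer.ipsec_sas[s]
    return sorted(victims)


def build_peer():
    """Constructed scenario: an old phase 1 SA with one child, then a
    phase 1 rekey producing a new phase 1 SA with two children."""
    p = Peer("192.0.2.1")  # documentation address, constructed
    p.negotiate_phase1("ike-old")
    p.negotiate_phase2("esp-1", "ike-old")
    p.negotiate_phase1("ike-new")
    p.negotiate_phase2("esp-2", "ike-new")
    p.negotiate_phase2("esp-3", "ike-new")
    return p


def compare():
    """Run the same keepalive failure on ike-old under both rules."""
    original = build_peer()
    paranoid = build_peer()
    return {
        "original_torn_down": keepalive_failed(original, "ike-old", paranoid=False),
        "original_surviving": sorted(original.ipsec_sas),
        "paranoid_torn_down": keepalive_failed(paranoid, "ike-old", paranoid=True),
        "paranoid_surviving": sorted(paranoid.ipsec_sas),
        "paranoid_ike_left": sorted(paranoid.ike_sas),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k}: {v}")
```

Under the original rule the children of the still-healthy `ike-new` SA are torn down along with `esp-1`, even though nothing is wrong with the path they were negotiated under; under the paranoid rule only `esp-1` goes, and `ike-new` keeps `esp-2` and `esp-3`. That binding of each phase 2 SA to its parent phase 1 SA is the whole of what the feature adds.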

Many thanks for the explanation.

So if the remote device of the IPsec session is not doing Paranoid Keepalives, the tunnel will still establish, but we could end up with hung phase 2 SAs?