I have an IOS firewall router connecting over ISDN (DDR) to a PIX. Topology as follows:
CISCO IOS 1712----isdn----800-PIX
The problem is that the peers try to communicate when not needed, causing the DDR to open up the ISDN link.
ISAKMP lifetime is 300 seconds.
IPSec lifetime is 300 seconds.
I do not want to compromise these just yet. An access list would do, but exactly what? I have tried just allowing data between the secured hosts, but this did not work. It seems that the DDR only comes up when the peers communicate (both the firewalls), but it is exactly this communication that is causing the unnecessary costly call.
When there is no traffic to be sent across and the SA expires, no re-negotiation takes place. Re-negotiation of a new SA happens only if traffic is being sent across, and this is true if you have a large enough lifetime (say 15 to 20 minutes). With a lifetime of 2 to 3 minutes, renegotiation will take place. Try a slightly larger lifetime and it might work. Either way, 300 secs is too short a lifetime, and must be stressing out system resources.
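
The lifetime change suggested in the reply above, written out for both peers with the current 300-second setting shown beside the longer one. This is an added example, not configuration from the thread: the ISAKMP policy number 10 and the 1200-second value (20 minutes, the upper end of the range in the reply) are assumptions, the PIX lines assume PIX 6.x syntax, and lines starting with `!` are annotations only.

```cisco
! ---------- IOS router (1712) ----------
! Before: both lifetimes at 300 seconds, as described in the question.
!   crypto isakmp policy 10
!    lifetime 300
!   crypto ipsec security-association lifetime seconds 300
!
! After: ISAKMP (phase 1) and IPsec (phase 2) lifetimes raised to 20 minutes.
crypto isakmp policy 10
 lifetime 1200
crypto ipsec security-association lifetime seconds 1200
!
! A "set security-association lifetime seconds ..." line inside the crypto map
! entry for this peer overrides the global IPsec value; check for one before
! relying on the global setting.
!
! ---------- PIX (PIX 6.x syntax) ----------
! Configure the same values on the PIX so both peers agree.
isakmp policy 10 lifetime 1200
crypto ipsec security-association lifetime seconds 1200
!
! ---------- Checking the result ----------
! On the router, watch the remaining SA lifetime and the reason for each call:
!   show crypto isakmp sa
!   show crypto ipsec sa
!   show dialer
! "show dialer" reports the packet that triggered the last dial, which shows
! whether peer-to-peer negotiation traffic is still what brings up the ISDN link.
```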