Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
732
Views
0
Helpful
3
Replies

Help Required Reg IPSec DPD (Dead Peer Detection)

Go to solution
ranjit123
Level 3
Level 3

‎05-13-2010 08:44 PM - edited ‎03-04-2019 08:28 AM

Dear All,

We are facing a strange problem in our network regrding IPSec. Below is the config

====================================================================

crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key <> address <>
crypto isakmp key <> address <>
crypto isakmp keepalive 120  <------------------------****
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set <> esp-3des esp-sha-hmac

=====================================================================

When we remove crypto map from serial interface still the session stays ACTIVE it does not time out or become IDLE.

How can we troubleshoot the same. even when the session is active still the required prefixes which we have selected for encryption cannot work we have to clear the session and re-establish the session how can we make it more stable.

For DPD periodic can we make it unidirectional???.

Regards,

Ranjit

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ranjit123

‎05-16-2010 11:36 PM

Great to hear. Please mark the question answered. Thanks.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎05-14-2010 01:30 AM

The keepalive is currently set to 2 minutes. Try to lower the keepalive to 10 seconds and see if you are still seeing the tunnel drop issue.

What is the peer device? I would also advise you to configure the same if it's also a Cisco device.

0 Helpful

Go to solution
ranjit123
Level 3
Level 3
In response to Jennifer Halim

‎05-16-2010 09:54 PM

Dear All,

Thanks for your reply we got the issue sorted out

As the crypto ipsec security-association lifetime seconds 86400 and as it was ON_DEMAND approach if the link goes down and no traffic from the remote peer the router will not find out the dead peer until the IKE or IPSec security association (SA) has to be rekeyed.

We have changed the crypto isakmp keepalive 30 to periodic so that the router will send "hello" messages every 30 seconds and if does not get a reply will changed the state to down.

Regards,

Ranjit

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to ranjit123

‎05-16-2010 11:36 PM

Great to hear. Please mark the question answered. Thanks.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card