515e Failover and IPSEC

pguibord
Level 1

I have dual PIX's configured for stateful failover. If and when a failover change occurs the active PIX has no IPSEC and ISAKMP security associations active and the remote end (an 831) thinks it still has an active tunnel. At the remote end I have to clear the SA's in order to successfully pass traffic over the tunnel again. Eventually I'll have 18 site to site tunnels and certainly don't want to have to telnet to all the remotes and clear their SA's to get up and running again. Is this a bug or what?

Failover PIX's are running 6.3.1 and the remote 831 is running 12.3(2)XE

HELP!!!

Paul

2 Replies

gfullage
Cisco Employee

It's not a bug, it's just not implemented. Failover does not replicate IPSec tunnels, so when the PIX's fail over the tunnels will go down. IPSec stateful failover is due for the next major release of code due out later this year.

For the moment, configure ISAKMP keepalives on both ends, this way the 831 will detect that the tunnel has gone down and will rebuild it automatically.

The command on the PIX (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312) is:

isakmp keepalive 10 2

and on the router it's:

crypto isakmp keepalive 10 2

The "10" says send a keepalive over the tunnel every 10 seconds, and if you get no response, send 3 more keepalives at "2" second intervals. If you get no response to those, bring the tunnel down and try to rebuild it. Worst case scenario with these timers is 10 + (2 * 3) = 16 seconds your tunnel will be down.

You can change the timers to suit your needs, although I think 10 and 2 are the minimum. Whatever you make them, just make sure they're the same on all devices.
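An added model of the keepalive timers described above (example code written for this page, not from the thread or from Cisco): it simulates the probe schedule against a peer that silently dies at an arbitrary moment, so you can check how long a stale SA survives before the 831 tears it down and rebuilds. The retry count of 3 and the "probe, then 3 retries" behaviour are taken from the reply; everything else is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass
class KeepaliveTimers:
    """Timer values from 'isakmp keepalive <interval> <retry>'."""
    interval: float       # seconds between keepalives while the peer answers (the "10")
    retry: float          # seconds between retries once a keepalive goes unanswered (the "2")
    retries: int = 3      # the reply says 3 more keepalives are sent before giving up


def worst_case_downtime(t: KeepaliveTimers) -> float:
    """Longest time a dead tunnel can go undetected: 10 + (2 * 3) = 16 for the page's values."""
    return t.interval + t.retries * t.retry


def declared_dead_at(t: KeepaliveTimers, peer_dies_at: float) -> float:
    """Simulate the probe schedule. The last acknowledged keepalive is at time 0;
    the peer stops answering at peer_dies_at. Returns the time at which the local
    side gives up on the SA (assumed: right after the last retry goes unanswered)."""
    last_ack = 0.0
    while True:
        probe = last_ack + t.interval
        if probe < peer_dies_at:
            last_ack = probe          # answered, the interval timer restarts
            continue
        # first unanswered probe; 'retries' more are sent at the retry interval
        return probe + t.retries * t.retry


def detection_latency(t: KeepaliveTimers, peer_dies_at: float) -> float:
    """Seconds between the failover event and the SA being torn down."""
    return declared_dead_at(t, peer_dies_at) - peer_dies_at


def max_observed_latency(t: KeepaliveTimers, step: float = 0.1) -> float:
    """Scan one full keepalive interval of possible failure moments (constructed
    inputs) and report the worst latency seen; it approaches worst_case_downtime."""
    samples = int(t.interval / step)
    return max(detection_latency(t, k * step) for k in range(1, samples + 1))


if __name__ == "__main__":
    timers = KeepaliveTimers(interval=10, retry=2)
    print("worst case:", worst_case_downtime(timers))
    for fail_at in (0.5, 9.9, 25.0):
        print(f"peer dies at {fail_at:>5}s -> SA dropped at {declared_dead_at(timers, fail_at)}s")
```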

Perfect, I will implement the IPSEC keepalives!

Thanks for the concise reply!

Paul