03-12-2004 10:14 AM - edited 02-21-2020 01:04 PM
I have dual PIX's configured for stateful failover. If and when a failover change occurs the active PIX has no IPSEC and ISAKMP security associations active and the remote end (an 831) thinks it still has an active tunnel. At the remote end I have to clear the SA's in order to successfully pass traffic over the tunnel again. Eventually I'll have 18 site to site tunnels and certainly don't want to have to telnet to all the remotes and clear their SA's to get up and running again. Is this a bug or what?
Failover PIX's are running 6.3.1 and the remote 831 is running 12.3(2)XE
HELP!!!
Paul
03-14-2004 01:05 PM
It's not a bug, it's just not implemented. Failover does not replicate IPSec tunnels, so when the PIX's fail over the tunnels will go down. IPSec stateful failover is due for the next major release of code due out later this year.
For the moment, configure ISAKMP keepalives on both ends, this way the 831 will detect that the tunnel has gone down and will rebuild it automatically.
The command on the PIX (http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#wp1027312) is:
isakmp keepalive 10 2
and on the router it's:
crypto isakmp keepalive 10 2
The "10" says send a keepalive over the tunnel every 10 seconds, and if you get no response, send 3 more keepalives at "2" second intervals. If you get no response to those, bring the tunnel down and try to rebuild it. Worst case scenario with these timers is 10 + (2 * 3) = 16 seconds your tunnel will be down.
You can change the timers to suit your needs, although I think 10 and 2 are the minimum. Whatever you make them, just make sure they're the same on all devices.
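The keepalive and retry timers described in the reply above, as an added timing model (example code written for this page, not from the thread or from Cisco). It takes the reply's description literally (one keepalive per interval, then three retries at the shorter interval, SA cleared after the last unanswered retry); the real PIX/IOS DPD implementation may differ in detail.

```python
"""Timing model of the ISAKMP keepalive behaviour the reply describes.

Assumption: keepalives go out at 0, interval, 2*interval, ... while the
peer answers; the first unanswered one is followed by `retries` retries
`retry` seconds apart, and the SA is cleared after the last of them.
"""
from dataclasses import dataclass, field


@dataclass
class KeepaliveModel:
    interval: int = 10   # seconds between keepalives while the peer answers
    retry: int = 2       # seconds between retries once one goes unanswered
    retries: int = 3     # retries sent before the SA is torn down
    events: list = field(default_factory=list)

    def detect(self, peer_dies_at: float) -> float:
        """Time at which the tunnel is declared down, given the instant the
        remote peer stops answering. A keepalive sent at time t is answered
        only if t < peer_dies_at."""
        self.events.clear()
        t = 0.0
        while t < peer_dies_at:            # regular, answered keepalives
            self.events.append((t, "keepalive answered"))
            t += self.interval
        self.events.append((t, "keepalive unanswered"))
        for n in range(self.retries):      # retries, none answered
            t += self.retry
            self.events.append((t, f"retry {n + 1} unanswered"))
        self.events.append((t, "SA cleared, tunnel rebuilt from scratch"))
        return t

    def outage(self, peer_dies_at: float) -> float:
        """Seconds between the peer failing and the SA being cleared."""
        return self.detect(peer_dies_at) - peer_dies_at

    def worst_case(self) -> float:
        """Upper bound on outage(): the peer dies just after answering a
        keepalive, so a full interval passes before anything is noticed."""
        return self.interval + self.retry * self.retries


if __name__ == "__main__":
    m = KeepaliveModel(10, 2, 3)           # isakmp keepalive 10 2
    print(f"worst-case detection delay: {m.worst_case()} s")
    print(f"peer dies at t=0.5 s -> outage {m.outage(0.5)} s")
    for t, what in m.events:
        print(f"  t={t:5.1f}s  {what}")
```

Try other failure instants to see that the outage swings between the retry window alone (about 6 s) and the full 16 s bound, which is why the reply calls 16 s the worst case.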
03-15-2004 08:12 AM
Perfect, I will implement the IPSEC keepalives!
Thanks for the concise reply!
Paul