08-09-2012 08:05 AM
Is this called command line inconsistency or documentation error? I am trying to disable isakmp keepalive by referring to the following document.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/vpn_groups.html#wp1049862
Look at step #6 and how they tell the reader to disable keepalive.
"IKE keepalives are enabled by default. To disable IKE keepalives, enter the no form of the isakmp command:"
ASA1# sh run all tunnel-group <PEER-IP>
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
no accounting-server-group
default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
ASA1# config t
ASA1(config)# tunnel-group <PEER-IP> ipsec-attributes
ASA1(config-tunnel-ipsec)# no isakmp keepalive threshold 10 retry 2
ASA1(config-tunnel-ipsec)# end
ASA1# sh run all tunnel-group <PEER-IP>
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
no accounting-server-group
default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
ASA1# config t
ASA1(config)# tunnel-group <PEER-IP> ipsec-attributes
ASA1(config-tunnel-ipsec)# no isa
ASA1(config-tunnel-ipsec)# no isakmp kee
ASA1(config-tunnel-ipsec)# no isakmp keepalive ?
tunnel-group-ipsec mode commands/options:
disable Disable IKE keepalives
retry Enter the interval between retries after a keepalive response has
not been received.
threshold Enter the number of seconds that the peer is allowed to idle
before beginning keepalive monitoring
<cr>
ASA1(config-tunnel-ipsec)# no isakmp keepalive
ASA1(config-tunnel-ipsec)# end
ASA1# sh run all tunnel-group <PEER-IP>
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
no accounting-server-group
default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
ASA1# sh run tunn
ASA1# sh run tunnel-group <PEER-IP>
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
ikev1 pre-shared-key *****
ASA1# config t
ASA1(config)# tunnel-group <PEER-IP> ipsec-attributes
ASA1(config-tunnel-ipsec)# no isa
ASA1(config-tunnel-ipsec)# no isakmp kee
ASA1(config-tunnel-ipsec)# no isakmp keepalive ?
tunnel-group-ipsec mode commands/options:
disable Disable IKE keepalives
retry Enter the interval between retries after a keepalive response has
not been received.
threshold Enter the number of seconds that the peer is allowed to idle
before beginning keepalive monitoring
<cr>
ASA1(config-tunnel-ipsec)# isa
ASA1(config-tunnel-ipsec)# isakmp kee
ASA1(config-tunnel-ipsec)# isakmp keepalive dis
ASA1(config-tunnel-ipsec)# isakmp keepalive disable
ASA1(config-tunnel-ipsec)# end
ASA1# sh run tunn
ASA1# sh run tunnel-group <PEER-IP>
tunnel-group <PEER-IP> type ipsec-l2l
tunnel-group <PEER-IP> general-attributes
default-group-policy ipsec-SDM
tunnel-group <PEER-IP> ipsec-attributes
ikev1 pre-shared-key *****
isakmp keepalive disable
ASA1#
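An added example, not part of the original post or of Cisco's documentation: a small Python check that reads saved `sh run all tunnel-group` output and reports the keepalive setting of each tunnel group, so the result of `isakmp keepalive disable` versus `no isakmp keepalive` can be confirmed after a change. The peer addresses and the function name `keepalive_state` are constructed for illustration.

```python
import re

# Constructed sample modelled on the "sh run all tunnel-group" output in the
# post; the peer addresses are documentation-range placeholders.
SAMPLE = """\
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 general-attributes
 default-group-policy ipsec-SDM
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive disable
"""

HEADER = re.compile(r"^tunnel-group\s+(\S+)\s+(\S+)")
TIMERS = re.compile(r"^isakmp keepalive threshold (\d+) retry (\d+)$")


def keepalive_state(config_text):
    """Map each tunnel-group name to its keepalive setting.

    Values: "disabled", a (threshold, retry) tuple, or None when the
    ipsec-attributes section shows no keepalive line (for example output
    taken without "all", where the default is not displayed).
    """
    state = {}
    current = None  # tunnel-group whose ipsec-attributes section we are in
    for raw in config_text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            name, section = header.groups()
            current = name if section == "ipsec-attributes" else None
            if current:
                state.setdefault(current, None)
        elif current and line == "isakmp keepalive disable":
            state[current] = "disabled"
        elif current and TIMERS.match(line):
            threshold, retry = TIMERS.match(line).groups()
            state[current] = (int(threshold), int(retry))
    return state


if __name__ == "__main__":
    for peer, setting in keepalive_state(SAMPLE).items():
        print(peer, setting)
```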
08-22-2012 10:19 PM
I do not think it is command line inconsistency. It is clearly a documentation error. It should be reported to the Cisco team in charge of that documentation so that they can fix it.
HTH
Rick
08-23-2012 03:59 AM
It is a documentation error. Reported to TAC. You may find the details in the above link after 48 hours.