FTD Route based VPN - IKEv2 Questions

dcanady55 (Level 3)

Hello,

FMC & FTD 7.3

Running a route-based site-to-site IKEv2 tunnel between us and a third party. I've been having some issues with the tunnel bouncing, and the third party gave me the following (in bold). I have set my timeouts according to them. I can see from running "sh crypto isakmp sa" that I'm the initiator, but I have not figured out how to change this to responder. Please advise. Then under ISAKMP settings, there's nothing in there to suggest there is an action of "restart" for keepalives. Does this setting exist?

Make sure that 'Initiator Mode' is turned off, and that the timeouts are set according to our documentation

Also, your DPD action needs to be 'restart'


Thanks,

6 Replies

@dcanady55 The terminology changes between hardware vendors; Cisco refers to responder as "answer only". So by setting the connection type to answer only, the FTD will not initiate the tunnel.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/vpn-s2s.html


Make sure that 'Initiator Mode' is turned off, and that the timeouts are set according to our documentation

Connection Type: select Answer Only.

Also, your DPD action needs to be 'restart'

DPD runs by default in S2S VPN.

MHM,

Are you saying there is no DPD action of "restart", in that I can only either enable it or disable it?

Thanks

As far as I know, yes.

In ASA and FPR, DPD is enabled by default. Why do you want to disable it?

I think your issue is only with the IKEv2 child SA, and this is solved with answer-only.

DPD is the same as keepalive; FMC gives you the option to disable it:

Advanced > IKE > ISAKMP Settings

Disable IKE keepalive

Note: be sure that you really want to disable it.

@dcanady55 DPD, aka keepalives, is enabled by default (interval 10 seconds) on FTD. The keepalives are used to detect the liveness of the IKE peer and clear down stale SAs if it is unreachable. If you don't clear down stale SAs (by disabling DPD keepalives), then you'd have to wait for a rekey, and this would result in loss of connectivity. You'd want DPD keepalives enabled on both sides.
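The two checks the thread converges on, whether the FTD is acting as IKEv2 initiator or responder for a given peer and whether DPD keepalives are still enabled, can be scripted over CLI output collected from the device. The following is an added example written for this page, not code from the thread or from Cisco: it parses a constructed approximation of "show crypto ikev2 sa" and of the tunnel-group ipsec-attributes lines from the running config, and reports when the role is not RESPONDER (i.e. Connection Type is not Answer Only) or when keepalives are disabled or differ from the expected threshold/retry. The sample output, the peer addresses and the default of threshold 10 / retry 2 are assumptions of the example; check them against your own device before relying on the exact column layout.

```python
import re

# Constructed sample in the style of "show crypto ikev2 sa" on FTD/ASA.
# Assumption: hand-written approximation of the column layout, not captured from a real device.
SAMPLE_IKEV2_SA = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status   Role
 94218331 198.51.100.10/500    203.0.113.20/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/412 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x1a2b3c4d/0x5e6f7a8b
"""

# Constructed sample of the tunnel-group section of the running config (assumption: format
# follows the ASA-style "isakmp keepalive threshold <sec> retry <sec>" line).
SAMPLE_TUNNEL_GROUP = """\
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

# One SA row: tunnel-id, local addr/port, remote addr/port, status, role.
ROLE_RE = re.compile(
    r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(INITIATOR|RESPONDER)\s*$", re.MULTILINE
)
# Either "isakmp keepalive disable" or "isakmp keepalive threshold N retry M".
KEEPALIVE_RE = re.compile(
    r"^\s*isakmp keepalive (disable|threshold (\d+) retry (\d+))\s*$", re.MULTILINE
)


def parse_ikev2_roles(show_output):
    """Return a list of (local, remote, status, role) tuples, one per IKEv2 SA row."""
    return [m.group(1, 2, 3, 4) for m in ROLE_RE.finditer(show_output)]


def parse_keepalive(config_text):
    """Return 'disabled', a (threshold, retry) tuple, or None when no keepalive line is present."""
    m = KEEPALIVE_RE.search(config_text)
    if m is None:
        return None
    if m.group(1) == "disable":
        return "disabled"
    return int(m.group(2)), int(m.group(3))


def audit_peer(show_output, config_text, peer, expect_responder=True, expected_keepalive=(10, 2)):
    """Collect findings for one peer: wrong IKE role, non-READY SA, or DPD not as expected.

    expected_keepalive defaults to (10, 2); assumption based on the thread's stated 10 s interval.
    """
    findings = []
    # Match on the remote address only; the remote column also carries the UDP port.
    sas = [sa for sa in parse_ikev2_roles(show_output) if sa[1].split("/")[0] == peer]
    if not sas:
        findings.append(f"no IKEv2 SA found for peer {peer}")
    for local, remote, status, role in sas:
        if expect_responder and role != "RESPONDER":
            findings.append(
                f"{local} -> {remote}: role is {role}, expected RESPONDER "
                "(set Connection Type to Answer Only)"
            )
        if status != "READY":
            findings.append(f"{local} -> {remote}: IKE SA status is {status}")
    keepalive = parse_keepalive(config_text)
    if keepalive == "disabled":
        findings.append("DPD keepalives are disabled; stale SAs will linger until rekey")
    elif keepalive is not None and keepalive != expected_keepalive:
        findings.append(
            f"DPD keepalive threshold/retry {keepalive} differs from expected {expected_keepalive}"
        )
    return findings


if __name__ == "__main__":
    for line in audit_peer(SAMPLE_IKEV2_SA, SAMPLE_TUNNEL_GROUP, "203.0.113.20"):
        print(line)
```

Run against the constructed sample, the audit reports a single finding: the local side is INITIATOR rather than RESPONDER, which is exactly the symptom the original poster saw in "sh crypto isakmp sa". Replace the two sample strings with the real command output and the tunnel-group section from "show running-config" to use it on a live FTD; if the column layout on your software version differs, adjust ROLE_RE rather than the audit logic.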