IKE Dead Peer Detection between Cisco ASA and Cisco PIX

Nicholas Beard
Level 1

I have a hub and spoke environment with approximately 30 remote satellite offices using Site to Site VPN connectivity.  The majority of the remote satellite offices have Cisco PIX 501 devices running PIX Version 6.3.  The hub office runs a Cisco ASA version 8.2(1).

I have configured Dead Peer Detection on the Cisco ASA device at the hub office with the following default settings:

Confidence Interval - 10 Seconds

Retry Interval - 2 Seconds

I believe I am correct in assuming the retries are limited to 3 before the tunnel is torn down completely. Basically, the problem I am experiencing is with several of the remote satellite offices. What appears to be happening is that the tunnel between the remote office and the hub is torn down (probably due to the IKE lifetime, defaulted to 86400 seconds) and the tunnel then fails to renegotiate unless traffic is physically forced from the hub office. The tunnel does NOT renegotiate from the satellite office end, ONLY the hub end; this means any traffic sent from the satellite office while the VPN tunnel is down does not renegotiate the tunnel. The hub office is a colo and therefore traffic very rarely emanates from this end, so the tunnel remains down until manual intervention occurs and ICMP traffic is forced down the tunnel.

Should the Keepalives and the retry interval settings match at both ends, for example should both devices be setup for DPD?

What are the potential pitfalls with extending the IKE lifetime, and will this help or further hinder the problem?

Thank you in advance for any help with this.

Accepted Solution

Ivan Martinon
Level 7

Hi Nicholas,

I think that both DPD settings must match on both ends. If these do not match, then problems like yours might arise. What seems to happen here is that one end shows the tunnel down, but the other end might not detect it as down; we might need to look at debugs or logs from both ends to find out if this is the case. In the meantime, setting IKE DPDs to the same timers might help out.

As for increasing the IKE lifetime, well, you just need to be aware that this might allow keys to be discovered, since these are not renegotiated unless the tunnel is down at the IKE level. Other than that I see no reason why this would affect you.
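Matching the DPD timers on both peers, as the reply suggests, written out as an added example for this thread's platform pair (ASA 8.2 hub, PIX 6.3 spoke); this is not configuration from the original post, and the peer address and pre-shared key are placeholders:

```cisco
! --- Hub: Cisco ASA 8.2(1) ---
! On the ASA, DPD is set per tunnel-group. The values below are the
! defaults the question describes (threshold 10 s, retry 2 s); stating
! them explicitly makes the intended timers visible in the running config.
! 198.51.100.10 is a documentation-range placeholder for the spoke's address.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key PLACEHOLDER-PSK
 isakmp keepalive threshold 10 retry 2

! --- Spoke: Cisco PIX 501, PIX 6.3 ---
! On PIX 6.3, DPD is a global ISAKMP setting:
!   isakmp keepalive <seconds> [<retry seconds>]
! Use the same 10 s / 2 s values so both peers probe and expire the
! ISAKMP SA on the same schedule instead of one side lingering.
isakmp keepalive 10 2

! --- Check after an IKE lifetime expiry ---
! Compare the phase 1 SA state on both sides. An ISAKMP SA present on one
! peer but absent on the other is the one-sided "tunnel down" condition
! the reply describes and is what the debugs/logs would need to confirm.
! ASA:  show crypto isakmp sa
! PIX:  show crypto isakmp sa
```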

