Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
287
Views
0
Helpful
1
Replies

IPSec Peers causing unnecessary DDR over ISDN

Shervan Singh
Level 1
Level 1

‎12-10-2003 08:32 AM - edited ‎02-21-2020 12:56 PM

Hi,

I have a IOS firewall router connecting over ISDN (DDR) to a PIX. Topology as follows:

CISCO IOS 1712----isdn----800-PIX

The problem is that the peers try to communicate when not needed, causing the DDR to open up the ISDN link.

ISAKMP lifetime is 300 seconds

IPSec lifetime is 300 seconds.

I do not want to compromise these just yet. An access list would do, but exactly what? I have tried just allowing data between the secured hosts, but this did not work. It seems that the DDR only comes up when the peers communicate (both the firewalls), but it is exactly this communication that is causing the unnecessary costly call

Any advise?

Thanks, Shervan

Labels:
0 Helpful
1 Reply 1

jsivulka
Level 5
Level 5

‎12-16-2003 01:26 PM

When there is no traffic to be sent across and the SA expires, no re-negotiation takes place. Re-negotiation of a new SA happens only if traffic is being sent across and this is true if you have a large enough lifetime (say 15 to 20 minutes). With a lifetime of a 2 to 3 minutes, renegotiation will take place. Try a slightly larger lifetime and it might work. Either way, 300 secs is too short a lifetime, and must be stressing out system resources.

0 Helpful
Customers Also Viewed These Support Documents