IPSec Tunnel - Scripted Keepalive

fawad.alam
Level 1

I have a VPN IPSec tunnel established between a 3745 and a 2650, both running IOS 12.3. It is always a problem to initiate the tunnel from the 2650 side. Interesting traffic cannot initiate the tunnel, and it gets hung up in the middle after MM_Key_Exchange.

There is no issue in initiating the tunnel from the 3745 side.

I am wondering if there is a scripted keepalive mechanism in IOS 12.3 that I can use to keep the tunnel up all the time.

Any suggestion would be appreciated.

3 Replies

ehirsel
Level 6

Please post the 3745 and 2650 configs here, as well as the image file names used on both devices. There may be some bugs in a specific 12.3 release that you may have encountered, or it could be an issue with the vpn configs themselves.

Some handy debug commands you may want to try are:

debug crypto isakmp

debug crypto ipsec

If possible, run those debug commands on both units, try to initiate the tunnel from the 2650 and let me know the results.

One item to note is that I encountered an issue with 12.3(4)T6 whereby, if I did not have an exact match on the isakmp policy that a certain peer had (down to the lifetime level), the tunnel would not come up if the one side did the initiation. I migrated to a 12.4 mainline release and that issue was solved. The issue occurred because my highest priority isakmp policy did not have a lifetime that matched the partner's, even though it should not have mattered.

rlcarr
Level 1

You can use the command

crypto isakmp keepalive

just make sure the value you choose matches on both ends!

Also, if you are running GRE tunnels you can use keepalives on the GRE interfaces.

sunilc
Level 1

There are many ways to keep the tunnel open, or bring up a site-to-site tunnel:

Periodic isakmp keepalives

Increasing ipsec idle-timer and ike/ipsec lifetime

Running NTP between the 2 routers through the ipsec tunnel

Running scripted periodic pings using Service Assurance Agent (SAA)

Seems strange that the 2650 can respond but not initiate tunnels.
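Putting the isakmp keepalive and SAA scripted-ping suggestions from the replies above into one configuration, as an added example that is not part of any reply in this thread. It is written for the 3745 side (the side that can initiate); the LAN subnets, peer address, ACL number, 10/3 keepalive timers and 30-second probe interval are assumed placeholders.

```cisco
! Added example, not from the original thread. Assumed 3745-side config;
! 10.1.1.0/24 (3745 LAN), 10.2.2.0/24 (2650 LAN) and host 10.2.2.1 are
! placeholders.
!
! 1) ISAKMP keepalives (DPD): 10 s interval, 3 s retry. Configure the same
!    values on the 2650, as advised above. The "periodic" keyword sends them
!    regardless of traffic and needs a 12.3T or later image; omit it on
!    older mainline images, where keepalives are only sent on demand.
crypto isakmp keepalive 10 3 periodic
!
! 2) Crypto ACL defining interesting traffic. The SAA probe below must be
!    sourced and destined inside this ACL or it will never trigger the tunnel.
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
! 3) Scripted keepalive with SAA (the "rtr" syntax of IOS 12.3): an ICMP
!    echo every 30 s from the 3745 LAN address to a host behind the 2650,
!    so the tunnel is re-established from the side that can initiate it.
rtr 1
 type echo protocol ipIcmpEcho 10.2.2.1 source-ipaddr 10.1.1.1
 frequency 30
 timeout 5000
rtr schedule 1 life forever start-time now
!
! Verify: "show rtr operational-state 1" should report successes, and
! "show crypto isakmp sa" should stay in QM_IDLE rather than sitting in
! MM_KEY_EXCH after the lifetime expires.
```

Keep the SAA probe interval well below the configured IKE and IPsec lifetimes so a fresh SA is negotiated before the old one ages out.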