IPSec tunnels have invalid SPI after PIX Failover

pbohanno
Level 1

Greetings.

I am working with a hub-and-spoke VPN environment using one PIX 515 and several PIX 501s. Each PIX 501 has an IPSec tunnel terminated at the 515. Additionally, the PIX 515 is in a stateful failover environment which works perfectly, except for maintenance of the IPSec tunnels.

When failover occurs, TCP sessions are continued and access to the Internet at the PIX 515 location is unhindered. However, it seems as if the VPN tunnels with the 501s are unusable. Based on log messages, it seems as if the "invalid spi" problem creeps up, which I suppose makes a bit of sense given that the checksum was calculated on the first 515.

Does anyone have a design suggestion for this problem? I suppose I could set up the tunnels with lifetimes of 10 minutes or so to mitigate the problem, but unnecessarily re-establishing the tunnels umpteen times throughout the day seems a bit much. Idle timeout won't work, because the 501s don't perceive the tunnel as active; they're still encrypting and sending data.

Any help would be appreciated. Thanks!

--pb

2 Replies

ehirsel
Level 6

On each end of the VPN connection, that is, on the PIX 501 and the 515 units, code this statement:

crypto isakmp keepalive

This will force the use of keepalive packets, which can detect when a peer goes away. Now your PIX standby units in a FO mode will assume the IP address of the active unit, but when they see a keepalive packet in the active state, they will respond with an ISA delete message that will let the remote end know to renegotiate the Phase 1 and Phase 2 SAs.

You need to do this on both ends as it will not work otherwise; keepalives only work if they are configured on both ends. I believe that the default value is 30 sec. and it should suffice.

Let me know if this helps.

That looks to be exactly what I need, based on the documentation. Due to high availability requirements for this customer, I'll have to wait until Monday to implement it. I will surely let you know. Many thanks!

Patrick
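A way to confirm from the hub's syslog whether spokes are still stuck with stale SPIs after a switchover (and, once keepalives are on, whether they recover), as an added example that is not part of this thread or of any Cisco tool. The log lines are constructed to approximate PIX syslog wording; the "Switching to ACTIVE" and "invalid spi" patterns and the 60-second grace period are assumptions to adapt to the real log format and keepalive interval.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog (not from the thread), approximating PIX messages:
# one failover switchover, then ESP packets arriving with SPIs the new active
# unit never negotiated. One spoke keeps retrying minutes later (stuck), the
# other stops quickly (it renegotiated after a keepalive-triggered delete).
SAMPLE_LOG = """\
Jun 10 09:00:01 pix515 %PIX-1-104001: (Secondary) Switching to ACTIVE - mate failure
Jun 10 09:00:03 pix515 %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=esp, spi=0x2a1b3c4d
Jun 10 09:00:05 pix515 %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=esp, spi=0x77e10a22
Jun 10 09:00:41 pix515 %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=esp, spi=0x2a1b3c4d
Jun 10 09:06:12 pix515 %PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.1, prot=esp, spi=0x2a1b3c4d
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) ")
FAILOVER_RE = re.compile(r"Switching to ACTIVE", re.I)   # assumed switchover wording
BAD_SPI_RE = re.compile(r"invalid spi .*spi=(0x[0-9a-f]+)", re.I)


def parse_ts(line, year=2004):
    """Syslog timestamps carry no year; a fixed (leap) year is assumed."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S") if m else None


def stuck_spis_after_failover(log_text, grace=timedelta(seconds=60)):
    """Return {spi: seconds_after_failover_last_seen} for SPIs still being
    rejected later than `grace` after the most recent switchover. With
    keepalives working, a spoke should have renegotiated within the grace
    period, so anything returned here is a tunnel that never noticed the
    failover."""
    failover_at = None
    last_seen = {}
    for line in log_text.splitlines():
        ts = parse_ts(line)
        if ts is None:
            continue
        if FAILOVER_RE.search(line):
            failover_at, last_seen = ts, {}   # new switchover: start over
            continue
        m = BAD_SPI_RE.search(line)
        if m and failover_at is not None:
            last_seen[m.group(1).lower()] = ts - failover_at
    return {spi: int(d.total_seconds()) for spi, d in last_seen.items() if d > grace}


if __name__ == "__main__":
    for spi, secs in stuck_spis_after_failover(SAMPLE_LOG).items():
        print(f"SPI {spi} still rejected {secs}s after failover: spoke has not renegotiated")
```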