question about "crypto isakmp keepalive 10 5"

cciesec2011
Level 3

I have a site-2-site VPN between router A and router B. Between router A and router B is a firewall. The VPN is up and running without any issues.

In both router A and router B, I enable the command "crypto isakmp keepalive 10 5". There is very little traffic going over the VPN tunnel; most of the time, the VPN tunnel is just there.

However, when I enable the command "crypto isakmp keepalive 10 5" and do a "clear crypto isakmp sa" and "clear crypto sa", I expect to see "are you there" traffic between router A and router B, and I should see that traffic on the firewalls, but I am not seeing it.

I opened a TAC case with Cisco but they don't know either.

Anyone?
 

1 Reply

Dinesh Moudgil
Cisco Employee

Hi,

For anything and everything on DPDs on ASA and routers, this document will be quite handy:
https://supportforums.cisco.com/document/32546/dead-peer-detection

Now some trivial information regarding the keepalives on routers:

* DPD is disabled by default on Cisco routers.
* The default mode is "on-demand" if not specified.
* Default retry count is 5, not configurable.

It means that both devices won't start sending keepalives at the commencement of the VPN tunnel but will generate on-demand DPDs when and if required.

In case of on-demand DPD, a router sends its R-U-THERE message to a peer if
a. there is traffic to send to the peer, and
b. the peer was idle for <threshold> seconds (i.e. there was no traffic from the peer for <threshold> seconds)

i.e. if somehow your peer does not have reachability to your device (i.e. no traffic coming from the peer) and you wish to send traffic through the tunnel, then on-demand DPDs kick in.

I set up an L2L VPN tunnel between routers, enabled keepalives and confirmed that we do not see R-U-THERE packets traversing the path between the routers.
For the test, I denied all the traffic in front of one router (applying an inbound ACL denying all traffic) and tried sending traffic from the other router; here are the debugs that I got:

R3#ping 4.4.4.1 so 3.3.3.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 4.4.4.1, timeout is 2 seconds:
Packet sent with a source address of 3.3.3.1
..
*Mar  1 00:39:51.463: ISAKMP: Locking peer struct 0x64FA4584, IKE refcount 2 for Check and send DPD
*Mar  1 00:39:51.467: ISAKMP: DPD received kei with flags 0x8
*Mar  1 00:39:51.467: ISAKMP: set new node 1365802345 to QM_IDLE
*Mar  1 00:39:51.471: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1703504136, message ID = 1365802345
*Mar  1 00:39:51.471: ISAKMP:(0:1:SW:1): seq. no 0x35A046D0
*Mar  1 00:39:51.475: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:39:51.475: ISAKMP:(0:1:SW:1):purging node 1365802345
*Mar  1 00:39:51.479: ISAKMP: Unlocking IKE struct 0x64FA4584 Quickmsg/DPD, count 1..
*Mar  1 00:39:56.475: ISAKMP (0:134217729): incrementing error counter on sa, attempt 1 of 5: PEERS_ALIVE_TIMER
*Mar  1 00:39:56.475: ISAKMP: set new node -1538256072 to QM_IDLE
*Mar  1 00:39:56.479: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1707625144, message ID = -1538256072
*Mar  1 00:39:56.479: ISAKMP:(0:1:SW:1): seq. no 0x35A046D1
*Mar  1 00:39:56.483: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:39:56.487: ISAKMP:(0:1:SW:1):purging node -1538256072
*Mar  1 00:39:56.487: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE.
Success rate is 0 percent (0/5)
R3#
*Mar  1 00:39:56.487: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

R3#
*Mar  1 00:40:01.487: ISAKMP (0:134217729): incrementing error counter on sa, attempt 2 of 5: PEERS_ALIVE_TIMER
*Mar  1 00:40:01.487: ISAKMP: set new node -1985021960 to QM_IDLE
*Mar  1 00:40:01.487: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1707625144, message ID = -1985021960
*Mar  1 00:40:01.487: ISAKMP:(0:1:SW:1): seq. no 0x35A046D2
*Mar  1 00:40:01.491: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:40:01.491: ISAKMP:(0:1:SW:1):purging node -1985021960
*Mar  1 00:40:01.495: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
R3#
*Mar  1 00:40:01.495: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

R3#
*Mar  1 00:40:06.495: ISAKMP (0:134217729): incrementing error counter on sa, attempt 3 of 5: PEERS_ALIVE_TIMER
*Mar  1 00:40:06.495: ISAKMP: set new node 1641252821 to QM_IDLE
*Mar  1 00:40:06.499: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1707625144, message ID = 1641252821
*Mar  1 00:40:06.499: ISAKMP:(0:1:SW:1): seq. no 0x35A046D3
*Mar  1 00:40:06.503: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:40:06.503: ISAKMP:(0:1:SW:1):purging node 1641252821
*Mar  1 00:40:06.507: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
R3#
*Mar  1 00:40:06.507: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

R3#
*Mar  1 00:40:11.507: ISAKMP (0:134217729): incrementing error counter on sa, attempt 4 of 5: PEERS_ALIVE_TIMER
*Mar  1 00:40:11.507: ISAKMP: set new node -1466991828 to QM_IDLE
*Mar  1 00:40:11.511: ISAKMP:(0:1:SW:1):Sending NOTIFY DPD/R_U_THERE protocol 1
        spi 1707625144, message ID = -1466991828
*Mar  1 00:40:11.511: ISAKMP:(0:1:SW:1): seq. no 0x35A046D4
*Mar  1 00:40:11.515: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:40:11.515: ISAKMP:(0:1:SW:1):purging node -1466991828
*Mar  1 00:40:11.519: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
R3#
*Mar  1 00:40:11.519: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE

R3#
*Mar  1 00:40:16.519: ISAKMP (0:134217729): incrementing error counter on sa, attempt 5 of 5: PEERS_ALIVE_TIMER
*Mar  1 00:40:16.519: ISAKMP:(0:1:SW:1):peer 1.1.1.2 not responding!
*Mar  1 00:40:16.523: ISAKMP:(0:1:SW:1):peer does not do paranoid keepalives.

*Mar  1 00:40:16.523: ISAKMP:(0:1:SW:1):deleting SA reason "P1 errcounter exceeded (PEERS_ALIVE_TIMER)" state (R) QM_IDLE       (peer 1.1.1.2)
*Mar  1 00:40:16.523: ISAKMP: set new node 1802245874 to QM_IDLE
*Mar  1 00:40:16.527: ISAKMP:(0:1:SW:1): sending packet to 1.1.1.2 my_port 500 peer_port 500 (R) QM_IDLE                                                                
*Mar  1 00:40:16.531: ISAKMP:(0:1:SW:1):purging node 1802245874
*Mar  1 00:40:16.531: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_TIMER, IKE_TIMER_PEERS_ALIVE
*Mar  1 00:40:16.535: ISAKMP:(0:1:SW:1):Old State = IKE_P1_COMPLETE  New State = IKE_DEST_SA

*Mar  1 00:40:16.535: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:40:16.539: Delete IPsec SA by DPD, local 1.1.1.1 remote 1.1.1.2 peer port 500
*Mar  1 00:40:16.539: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 1.1.1.1, sa_proto= 50,
    sa_spi= 0x7DFF4036(2113880118),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2002,
  (identity) local= 1.1.1.1, remote= 1.1.1.2,
    local_proxy= 3.3.3.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 4.4.4.1/255.255.255.255/0/0 (type=1)
*Mar  1 00:40:16.547: IPSEC(add_sa): have new SAs -- expire existing in 30 sec.,
  (sa) sa_dest= 1.1.1.2, sa_proto= 50,
    sa_spi= 0xC9173F9B(3373744027),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001,
  (identity) local= 1.1.1.1, remote= 1.1.1.2,
    local_proxy= 3.3.3.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 4.4.4.1/255.255.255.255/0/0 (type=1)
*Mar  1 00:40:16.551: IPSEC(delete_sa): deleting SA,
  (sa) sa_dest= 1.1.1.2, sa_proto= 50,
    sa_spi= 0xC9173F9B(3373744027),
    sa_trans= esp-3des esp-sha-hmac , sa_conn_id= 2001,
  (identity) local= 1.1.1.1, remote= 1.1.1.2,
    local_proxy= 3.3.3.1/255.255.255.255/0/0 (type=1),
    remote_proxy= 4.4.4.1/255.255.255.255/0/0 (type=1)
*Mar  1 00:40:16.555: IPSec: Flow_switching Deallocated flow for sibling 80000003
*Mar  1 00:40:16.555: ISAKMP: Unlocking IPSEC struct 0x64FA4584 from delete_siblings, count 0
*Mar  1 00:40:16.563: ISAKMP: received ke message (3/1)
*Mar  1 00:40:16.563: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 1.1.1.1 dst 1.1.1.2 for SPI 0x7DFF4036
*Mar  1 00:40:16.563: ISAKMP:(0:1:SW:1):deleting SA reason "P1 errcounter exceeded (PEERS_ALIVE_TIMER)" state (R) QM_IDLE       (peer 1.1.1.2)
*Mar  1 00:40:16.567: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat incoming_active since it's already 0.
*Mar  1 00:40:16.567: ISAKMP: Unlocking IKE struct 0x64FA4584 for isadb_mark_sa_deleted(), count 0
*Mar  1 00:40:16.567: ISAKMP: Deleting peer node by peer_reap for 1.1.1.2: 64FA4584
*Mar  1 00:40:16.571: ISAKMP:(0:1:SW:1):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Mar  1 00:40:16.571: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA

*Mar  1 00:40:16.575: IPSEC(key_engine): got a queue event with 1 kei messages
*Mar  1 00:40:16.583: ISAKMP:(0:1:SW:1):deleting SA reason "No reason" state (R) MM_NO_STATE (peer 1.1.1.2)
*Mar  1 00:40:16.583: ISAKMP:(0:0:N/A:0):Can't decrement IKE Call Admisstion Control stat incoming_negotiating since it's already 0.
*Mar  1 00:40:16.587: ISAKMP:(0:1:SW:1):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
*Mar  1 00:40:16.587: ISAKMP:(0:1:SW:1):Old State = IKE_DEST_SA  New State = IKE_DEST_SA


This confirms that DPDs flow once the remote VPN peer is not able to reach the local peer for a specific time and we need to continue communication across the VPN tunnel.
This mechanism confirms that we do not keep sending traffic if the remote peer is having connectivity issues with our local VPN termination device.

Hope this helps. 

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
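As an added illustration (not code from the thread or from Cisco), the following is a small model of the on-demand DPD rule the reply describes: an R-U-THERE is generated only when there is traffic to send and the peer has been idle for the threshold, it is retried every retry-interval seconds, and the SA is torn down on the fifth unanswered timer expiry. The timeline values (threshold 10, retry 5, probe at t=20) are constructed to mirror the OP's "keepalive 10 5" and the debug above.

```python
# Added example: a constructed model of IOS on-demand DPD, i.e.
# "crypto isakmp keepalive <threshold> <retry-interval>" with the fixed
# retry count of 5 seen in the debug.  All times are seconds; this is a
# simplification and not the router's actual implementation.

def simulate(events, threshold=10, retry_interval=5, max_retries=5, end=60):
    """events: list of (t, 'tx'|'rx') for traffic we send / receive over the
    tunnel (an R-U-THERE-ACK from the peer counts as 'rx').
    Returns the DPD actions taken as [(t, action), ...]."""
    last_rx = 0          # tunnel just came up: peer proven alive at t=0
    probe_due = None     # when the outstanding R-U-THERE's retry timer fires
    errors = 0           # the ISAKMP "error counter on sa"
    log = []
    by_time = {}
    for t, kind in events:
        by_time.setdefault(t, []).append(kind)
    for t in range(end + 1):
        for kind in by_time.get(t, []):
            if kind == 'rx':
                # anything received from the peer proves liveness and resets DPD
                last_rx, errors, probe_due = t, 0, None
            elif kind == 'tx' and probe_due is None and t - last_rx >= threshold:
                # on-demand rule: we have traffic to send AND peer idle >= threshold
                log.append((t, 'R-U-THERE'))
                probe_due = t + retry_interval
        if probe_due is not None and t >= probe_due:
            errors += 1
            if errors >= max_retries:
                log.append((t, 'peer not responding, SA deleted'))
                return log
            log.append((t, f'R-U-THERE retry {errors} of {max_retries}'))
            probe_due = t + retry_interval
    return log


def idle_tunnel():
    # the original poster's case: keepalive configured, SAs cleared, no
    # traffic in either direction -> no R-U-THERE is ever generated
    return simulate(events=[])


def blackholed_peer():
    # the reply's test: inbound from the peer blocked, we ping at t=20
    return simulate(events=[(20, 'tx')])


def healthy_peer():
    # peer answers the probe (R-U-THERE-ACK at t=21); later traffic needs no probe
    return simulate(events=[(20, 'tx'), (21, 'rx'), (25, 'tx')])
```

Running idle_tunnel() returns an empty action list, which is exactly why no "are you there" packets show up on the firewall when the tunnel carries no traffic; blackholed_peer() reproduces the five probes followed by SA deletion seen in the debug.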