Isakmp Keepalive – Cisco ASA & Checkpoint

Cisco ASA has Isakmp Keepalive Enabled by default. You can see this by running “show run all” and look under the tunnel-group configuration for the specific IPSec tunnel.

 

Default Setting for a tunnel-group:

tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication

 

Configuration change required to disable isakmp:

tunnel-group 10.10.10.10 ipsec-attributes
isakmp keepalive disabled

 

After Change:

tunnel-group 10.10.10.10 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive disable
no ikev2 remote-authentication
no ikev2 local-authentication

 

Error Message Seen in the Cisco ASA Logs:

Jan 26 05:10:03 [IKEv1]IP = 10.10.10.10, Keep-alives configured on but peer does not support keep-alives (type = None)

 

The following is taken from Cisco documentation link provided:

“If you configure ISAKMP keepalives, it helps prevent sporadically dropped LAN-to-LAN or Remote Access VPN, which includes VPN clients, tunnels and the tunnels that are dropped after a period of inactivity. This feature lets the tunnel endpoint monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the endpoint removes the connection. In order for ISAKMP keepalives to work, both VPN endpoints must support them.

In some situations, it is necessary to disable this feature in order to solve the problem, for example, if the VPN Client is behind a Firewall that prevents DPD packets.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution07

In my experience, “Isakmp Keepalive” compatibility between vendors – Cisco & Checkpoint¬†specifically¬†doesn’t exist and it is better to disable it rather than leave it enabled on the Cisco ASA. If enabled between incompatible devices, it can lead to the tunnel dropping sporadically without reason.

One thought on “Isakmp Keepalive – Cisco ASA & Checkpoint”

  1. I have kinda the same problem with site to site VPN. The client has a checkpoint firewall and I have an ASA 5515x running 8.4. RDP to their side randomly disconnects.

Leave a Reply