IPsec tunnel ping test occasional packet loss issue

2024-07-17 17:24:44 Published


Problem Description

Ping packets are lost when pinging from the local private segment to the remote private segment.


Process Analysis

1. The IKE SA is normal.

2. The IPsec SA is normal.

3. Debugging IPsec and IKE showed that the IKE keepalive timed out.


Solution

Remove the ike keepalive commands. The explanation of the command is attached below.

#
 ike invalid-spi-recovery enable
 ike dpd interval 1 periodic
 ike keepalive interval 20
 ike keepalive timeout 20
#

PS:

ike keepalive timeout

Use ike keepalive timeout to set the IKE keepalive timeout time.

Use undo ike keepalive timeout to restore the default.

Syntax

ike keepalive timeout seconds

undo ike keepalive timeout

Default

The IKE keepalive timeout time is not set.

Views

System view

Predefined user roles

network-admin

context-admin

vsys-admin

Parameters

seconds: Specifies the number of seconds between IKE keepalives. The value range for this argument is 20 to 28800.

Usage guidelines

If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.

The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval.
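An added example, not part of the original case or the vendor documentation: a small Python check that applies the usage guideline above to a pair of configuration excerpts. The peer excerpt is constructed (the case does not show the peer's configuration), and the function names are hypothetical.

```python
import re

# Value range for "ike keepalive timeout seconds", as stated under Parameters above.
TIMEOUT_MIN, TIMEOUT_MAX = 20, 28800
_KEEPALIVE = re.compile(r"^[ \t]*ike keepalive (interval|timeout) (\d+)[ \t]*$", re.M)

# Local excerpt copied from the case; peer excerpt is CONSTRUCTED for illustration.
LOCAL_CFG = """#
 ike invalid-spi-recovery enable
 ike dpd interval 1 periodic
 ike keepalive interval 20
 ike keepalive timeout 20
#"""
PEER_CFG = """#
 ike keepalive interval 20
#"""


def parse_keepalive(config_text):
    """Return the keepalive interval and timeout found in a config excerpt."""
    values = {"interval": None, "timeout": None}
    for key, seconds in _KEEPALIVE.findall(config_text):
        values[key] = int(seconds)
    return values


def check_pair(local_cfg, peer_cfg):
    """Compare the local timeout with the peer's interval; return findings."""
    timeout = parse_keepalive(local_cfg)["timeout"]
    interval = parse_keepalive(peer_cfg)["interval"]
    findings = []
    if timeout is None:
        return findings  # default: timeout not set, nothing to compare
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        findings.append(f"timeout {timeout} outside {TIMEOUT_MIN}-{TIMEOUT_MAX}")
    if interval is None:
        findings.append("local timeout set, but no peer keepalive interval in excerpt")
    elif timeout <= interval:
        # Guideline: three times the peer's interval, kept inside the valid range.
        suggested = min(max(3 * interval, TIMEOUT_MIN), TIMEOUT_MAX)
        findings.append(f"timeout {timeout} is not longer than peer interval "
                        f"{interval}; suggest {suggested}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(LOCAL_CFG, PEER_CFG):
        print(finding)
```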
