We have a simple NAT traversal configuration with an L2L tunnel like this:
5505(8.0) -> DSL Router (NAT) -> Internet -> 5510 (8.0)
The DSL Router gets a new IP every n hours.
Configuration is like this:
tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
isakmp keepalive threshold 11 retry 2
Now what happens is:
* Tunnel comes up
* DSL modem gets new IP address (this can also be triggered by simply power-cycling it)
* SA hasn't timed out yet
* Tunnel is _not_ torn down and recreated
If I debug crypto isakmp 200 everything, I can see DPD keepalives being sent from time to time, but not every 11 seconds as configured. This is because the keepalives are only sent "on-demand", when no traffic is flowing. Logically this should only apply if there is no _incoming_ traffic on the tunnel - as is the case when we get a new IP - but in fact keepalives are also omitted when there is outgoing traffic.
Because a few machines will always try to send packets over the tunnel, this situation almost never applies.
In IOS there is another version of the command where one can say "crypto isakmp 10 2 periodic", which forces the keepalives to be sent every n seconds. But not on the ASA.
Has anyone run into this as well or knows about an ASA version of the "periodic" parameter?
P.S.: Reducing the SA lifetime to a few minutes is not really an option as this kills Oracle connections...
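As an added example (not the poster's own configuration or tooling), a small Python script that does what the post describes doing by eye: it pulls the outbound DPD R-U-THERE messages out of captured debug crypto isakmp output, measures the spacing between them per peer, and flags every gap longer than the configured threshold of 11 seconds. The debug line format, the peer address and the timestamps in SAMPLE_DEBUG are constructed assumptions for this example, not real output from the poster's ASA.

```python
import re
from datetime import datetime

# Constructed sample of ASA "debug crypto isakmp" output as it appears in syslog.
# Line format, peer address (203.0.113.10, documentation range) and timestamps
# are assumptions for this example; real output may differ by ASA release.
SAMPLE_DEBUG = """\
Jan 10 12:00:00 [IKEv1 DEBUG]: IP = 203.0.113.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2b3c4d)
Jan 10 12:00:11 [IKEv1 DEBUG]: IP = 203.0.113.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2b3c4e)
Jan 10 12:00:40 [IKEv1 DEBUG]: IP = 203.0.113.10, processing hash payload
Jan 10 12:01:30 [IKEv1 DEBUG]: IP = 203.0.113.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2b3c4f)
Jan 10 12:05:00 [IKEv1 DEBUG]: IP = 203.0.113.10, Sending keep-alive of type DPD R-U-THERE (seq number 0x1a2b3c50)
"""

# Matches only the outbound DPD probes; everything else in the debug is ignored.
DPD_SEND = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?IP = (?P<ip>[\d.]+), "
    r"Sending keep-alive of type DPD R-U-THERE",
    re.MULTILINE,
)


def dpd_intervals(debug_text):
    """Seconds between consecutive outbound DPD R-U-THERE messages, per peer IP."""
    last_seen, intervals = {}, {}
    for m in DPD_SEND.finditer(debug_text):
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        if ip in last_seen:
            intervals.setdefault(ip, []).append(int((ts - last_seen[ip]).total_seconds()))
        last_seen[ip] = ts
    return intervals


def silent_gaps(debug_text, threshold=11):
    """Return (peer, seconds) for every gap longer than the configured
    'isakmp keepalive threshold', i.e. stretches where no keepalive went out
    although the configuration suggests one at least every <threshold> seconds."""
    return [
        (ip, gap)
        for ip, gaps in dpd_intervals(debug_text).items()
        for gap in gaps
        if gap > threshold
    ]


if __name__ == "__main__":
    for ip, gap in silent_gaps(SAMPLE_DEBUG, threshold=11):
        print(f"{ip}: {gap}s without a DPD keepalive (threshold 11s)")
```

Feed it a longer capture taken while hosts are pushing traffic through the tunnel to see how far the actual probe spacing drifts from the configured threshold.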