ASA 8.0(4) not sending DPD keepalives

Unanswered Question
Dec 2nd, 2008

We have a simple NAT traversal configuration with an L2L tunnel like this:

5505(8.0) -> DSL Router (NAT) -> Internet -> 5510 (8.0)

The DSL Router gets a new IP every n hours.

Configuration is like this:

tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 11 retry 2

Now what happens is:

* Tunnel comes up

* DSL modem gets a new IP address (this can also be triggered by simply power-cycling it)

* SA hasn't timed out yet

* Tunnel is _not_ torn down and recreated

If I debug crypto isakmp 200 everything, I can see DPD keepalives being sent from time to time, but not every 11 seconds as configured. This is because the keepalives are only sent "on-demand", when no traffic is flowing. Logically this should only apply if there is no _incoming_ traffic on the tunnel - as is the case when we get a new IP - but in fact keepalives are also omitted when there is outgoing traffic.

Because a few machines will always try to send packets over the tunnel, this situation almost never applies.

In IOS there is another version of the command where one can say "crypto isakmp 10 2 periodic", which forces the keepalives to be sent every n seconds. But not on the ASA.

Has anyone run into this as well, or does anyone know about an ASA version of the "periodic" parameter?



P.S.: Reducing the SA lifetime to a minutes is not really an option as this kills Oracle connections...
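
The scheduling difference described in the post, as an added example that is not part of the original thread and is not Cisco code: a toy one-second-step model comparing periodic probing, probing only when nothing has been received, and probing only when the tunnel is idle in both directions. `MAX_MISSED`, the assumption that a live peer replies to every packet at once, and all function names are assumptions of this sketch.

```python
# Added example: a toy model of DPD scheduling, not Cisco code.
THRESHOLD = 11    # seconds, from "isakmp keepalive threshold 11 retry 2"
RETRY = 2         # seconds between unanswered probes, same command
MAX_MISSED = 3    # assumption: unanswered probes before the SA is torn down


def teardown_time(policy, peer_lost_at, outbound_every, horizon=600):
    """Return the second at which the dead peer is detected, or None.

    policy is one of:
      "periodic"     probe on a fixed timer, whatever the traffic
      "inbound_idle" probe only when nothing was received for THRESHOLD s
      "any_idle"     probe only when no traffic in either direction for
                     THRESHOLD s (the behaviour the post describes)
    outbound_every: local hosts send one packet every N seconds (0 = none).
    """
    last_rx = last_tx = last_probe = missed = 0
    for t in range(1, horizon + 1):
        peer_alive = t < peer_lost_at
        if outbound_every and t % outbound_every == 0:
            last_tx = t
            if peer_alive:          # assumption: a live peer replies at once
                last_rx = t
        wait = RETRY if missed else THRESHOLD
        if t - last_probe < wait:
            continue
        if policy == "inbound_idle" and t - last_rx < THRESHOLD:
            continue
        if policy == "any_idle" and t - max(last_rx, last_tx) < THRESHOLD:
            continue
        last_probe = t              # send R-U-THERE
        if peer_alive:
            last_rx, missed = t, 0
        else:
            missed += 1
            if missed == MAX_MISSED:
                return t
    return None


def compare(peer_lost_at=100, outbound_every=5):
    """Detection time per policy for the scenario in the post."""
    return {p: teardown_time(p, peer_lost_at, outbound_every)
            for p in ("periodic", "inbound_idle", "any_idle")}


if __name__ == "__main__":
    print(compare())
```

With steady outbound traffic the "any_idle" policy never probes, so the stale SA survives until its lifetime expires; with no traffic at all it detects the loss like the periodic timer does.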

c.schwarzfischer Tue, 03/10/2009 - 07:10

nope. haven't.

It's a pity that no one from Cisco answered here. I also can't file a bug, because I don't have a subscription...

vikram_anumukonda Tue, 03/10/2009 - 18:56

I suggest you post this question under the Security/VPN section; I am sure you will get an answer there.

