ASA 8.0(4) not sending DPD keepalives

Hi,

we have a simple NAT traversal configuration with an L2L tunnel like this

5505(8.0) -> DSL Router (NAT) -> Internet -> 5510 (8.0)

The DSL Router gets a new IP every n hours.

Configuration is like this:

tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 11 retry 2

Now what happens is:

* Tunnel comes up

* DSL modem gets a new IP address (this can also be triggered simply by power-cycling it)

* SA hasn't timed out yet

* Tunnel is _not_ torn down and recreated

If I enable debug crypto isakmp 200 (full debugging), I can see DPD keepalives being sent from time to time, but not every 11 seconds as configured. This is because the keepalives are only sent "on-demand", when no traffic is flowing. Logically this should only apply if there is no _incoming_ traffic on the tunnel - as is the case when we get a new IP - but in fact keepalives are also omitted when there is outgoing traffic.

Because a few machines will always try to send packets over the tunnel, this situation almost never occurs.

In IOS there is another version of the command, crypto isakmp keepalive 10 2 periodic, which forces the keepalives to be sent every n seconds. But not on the ASA.

Has anyone run into this as well or knows about an ASA version of the "periodic" parameter?

Thanks

-chris

P.S.: Reducing the SA lifetime to a few minutes is not really an option, as this kills Oracle connections...
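To make the difference between the trigger policies in the post concrete, here is a small timeline model of RFC 3706 DPD probing. This is an added illustration, not ASA or IOS code and not part of the original post. Everything in it is assumed: the threshold 11 s / retry 2 s values mirror the poster's config line, the peer is modelled as stopping to answer at t=100 s (the DSL router got a new IP), local hosts send into the tunnel every 5 s, and the three policy names are invented labels for "no probe while any traffic flows" (what the poster observes), "probe when nothing has been received for the threshold" (the RFC 3706 worry rule the poster expects), and "probe every threshold seconds" (the IOS periodic variant).

```python
"""Model of how DPD (RFC 3706) probe triggering interacts with one-way traffic.

Added illustration; not ASA or IOS code and not part of the post. Timings,
the traffic pattern and the three policy names are assumptions:
  threshold 11 s / retry 2 s mirror "isakmp keepalive threshold 11 retry 2",
  the remote peer stops answering at t=100 s (the DSL router changed IP),
  and local hosts keep sending into the tunnel every 5 s.
"""

POLICIES = ("on_demand_idle", "on_demand_inbound", "periodic")


def simulate(policy, threshold=11, retry=2, max_retries=3,
             peer_dead_at=100, outbound_every=5, outbound_until=None,
             duration=300):
    """Run a one-second-tick model and return (detection_time, rut_times).

    detection_time is the second at which the local side declares the peer
    dead (None if it never does within `duration`); rut_times lists when
    R-U-THERE probes were sent.

    Policies (assumed names):
      on_demand_idle    probe only after `threshold` s with NO traffic in
                        either direction (the behaviour observed in the post)
      on_demand_inbound probe after `threshold` s without INBOUND traffic,
                        regardless of outbound (the RFC 3706 "worry" rule)
      periodic          probe every `threshold` s no matter what (IOS periodic)
    In every policy an unanswered probe is retransmitted every `retry` s and
    the peer is declared dead once the initial probe plus `max_retries`
    retransmissions have all gone unanswered.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")

    last_in = 0          # last second we received anything from the peer
    last_out = 0         # last second we sent traffic to the peer
    last_rut = None      # last second we sent an R-U-THERE
    unanswered = 0       # consecutive unanswered R-U-THEREs
    rut_times = []

    for t in range(1, duration + 1):
        alive = t < peer_dead_at

        # Application traffic: local hosts send every `outbound_every` s; the
        # peer only answers (and so produces inbound traffic) while alive.
        if t % outbound_every == 0 and (outbound_until is None or t <= outbound_until):
            last_out = t
            if alive:
                last_in = t

        # Decide whether an R-U-THERE is due this second.
        if unanswered:
            due = t - last_rut >= retry                 # retransmission
        elif policy == "periodic":
            due = last_rut is None or t - last_rut >= threshold
        elif policy == "on_demand_inbound":
            due = t - last_in >= threshold
        else:  # on_demand_idle
            due = t - max(last_in, last_out) >= threshold

        if not due:
            continue
        rut_times.append(t)
        last_rut = t
        if alive:
            last_in = t      # R-U-THERE-ACK comes back immediately
            unanswered = 0
        else:
            unanswered += 1
            if unanswered > max_retries:
                return t, rut_times

    return None, rut_times


def compare(**kwargs):
    """Detection time per policy for one traffic scenario."""
    return {p: simulate(p, **kwargs)[0] for p in POLICIES}


if __name__ == "__main__":
    # Outbound traffic never stops (the poster's Oracle clients).
    print("outbound continues:", compare())
    # Outbound traffic stops at the same moment the peer disappears.
    print("outbound stops at 100:", compare(outbound_until=100))
```

With outbound traffic continuing, the idle-in-either-direction policy never sends a single probe, so the dead peer is only noticed when the SA lifetime expires; the inbound-only rule and the periodic rule both declare it dead within about a threshold plus three retries of the peer vanishing. Stopping the outbound traffic as well (`outbound_until=100`) is the only scenario in which the idle policy detects anything, which is exactly the "almost never applies" case the post describes.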

3 Replies

i.va
Level 3

Hi,

I have a problem with a similar configuration (with EasyVPN though):

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Virtual%20Private%20Networks&topic=Security&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40.2cd250c8

Have you found a solution to your problem? I am also currently running the "SA-lifetime-reduction" workaround.

Nope, haven't.

It's a pity that no one from Cisco answered here. I also can't file a bug, because I don't have a subscription...

I suggest you post this question under the Security/VPN section, I am sure you will get an answer there.
