Cisco Support Community
Community Member

ASA 8.0(4) not sending DPD keepalives


We have a simple NAT traversal configuration with an L2L tunnel like this:

5505(8.0) -> DSL Router (NAT) -> Internet -> 5510 (8.0)

The DSL Router gets a new IP every n hours.

Configuration is like this:

tunnel-group XXX type ipsec-l2l
tunnel-group XXX ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 11 retry 2

Now what happens is:

* Tunnel comes up

* DSL Modem gets new IP address (this can also be triggered by simply power-cycling it)

* SA hasn't timed out yet

* Tunnel is _not_ torn down and recreated

If I "debug crypto isakmp 200" everything, I can see DPD keepalives being sent from time to time, but not every 11 seconds as configured. This is because the keepalives are only sent "on-demand", when no traffic is flowing. Logically this should only apply if there is no _incoming_ traffic on the tunnel - as is the case when we get a new IP - but in fact keepalives are also omitted when there is outgoing traffic.

Because a few machines will always try to send packets over the tunnel, this situation almost never applies.

In IOS there is another version of the command where one can say "crypto isakmp 10 2 periodic", which forces the keepalives to be sent every n seconds. But not on the ASA.

Has anyone run into this as well or knows about an ASA version of the "periodic" parameter?



P.S.: Reducing the SA lifetime to minutes is not really an option as this kills Oracle connections...
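As an added illustration (not part of this thread, and not ASA or IOS code), the following Python model contrasts the two DPD behaviours the post describes: "periodic" probing, which fires whenever nothing has been heard from the peer for the threshold interval, and "on-demand" probing as observed on the ASA, which fires only when the tunnel has been idle in both directions. The timeline, the peer that silently disappears at a given second, and the retry limit of three unanswered probes are all constructed assumptions for the simulation.

```python
"""Constructed model of on-demand vs periodic IKE Dead Peer Detection.

Not vendor code. It walks a timeline in 1-second ticks; the remote peer
"dies" (changes public IP, so nothing it sends matches our SA) at a chosen
second, and we watch whether each DPD strategy ever notices.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

THRESHOLD = 11   # seconds, as in "isakmp keepalive threshold 11"
RETRY = 2        # seconds between retries, as in "retry 2"
MAX_RETRIES = 3  # assumed: SA declared dead after this many unanswered retries


@dataclass
class DpdState:
    last_rx: int = 0                  # last second anything arrived from the peer
    last_tx: int = 0                  # last second we sent data into the tunnel
    outstanding: int = 0              # unanswered R-U-THERE probes in flight
    probes_sent: List[int] = field(default_factory=list)
    dead_at: Optional[int] = None     # second at which the peer was declared dead


def simulate(mode: str, duration: int,
             outbound: Callable[[int], bool],
             inbound: Callable[[int], bool],
             peer_dead_at: int) -> DpdState:
    """Run DPD in the given mode ('periodic' or 'on-demand') over the timeline.

    outbound(t)/inbound(t) say whether data traffic flows in that second.
    Inbound traffic and probe replies stop once the peer is dead.
    """
    st = DpdState()
    for t in range(1, duration + 1):
        peer_alive = t < peer_dead_at
        if outbound(t):
            st.last_tx = t
        if peer_alive and inbound(t):
            st.last_rx = t
        # A probe sent earlier is answered now if the peer is still reachable.
        if st.outstanding and peer_alive:
            st.outstanding = 0
            st.last_rx = t
        if st.outstanding:
            # Still waiting: retry every RETRY seconds, give up after MAX_RETRIES.
            if t - st.probes_sent[-1] >= RETRY:
                if st.outstanding >= MAX_RETRIES:
                    st.dead_at = t
                    return st
                st.probes_sent.append(t)
                st.outstanding += 1
            continue
        idle_rx = t - st.last_rx >= THRESHOLD
        idle_tx = t - st.last_tx >= THRESHOLD
        # periodic: probe whenever the peer has been silent for THRESHOLD seconds.
        # on-demand (ASA as described in the post): probe only if we are not
        # sending either, i.e. the tunnel is completely idle.
        want_probe = idle_rx if mode == "periodic" else (idle_rx and idle_tx)
        if want_probe:
            st.probes_sent.append(t)
            st.outstanding = 1
    return st


ALWAYS = lambda t: True   # hosts constantly pushing traffic into the tunnel
NEVER = lambda t: False   # nobody sending


def detection_time(mode: str, outbound: Callable[[int], bool],
                   peer_dead_at: int = 30, duration: int = 120) -> Optional[int]:
    """Seconds after the peer vanished until it was declared dead, or None."""
    st = simulate(mode, duration, outbound, ALWAYS, peer_dead_at)
    return None if st.dead_at is None else st.dead_at - peer_dead_at


if __name__ == "__main__":
    for mode in ("periodic", "on-demand"):
        for name, tx in (("constant outbound traffic", ALWAYS), ("quiet tunnel", NEVER)):
            print(f"{mode:10s} / {name:25s}: detected after "
                  f"{detection_time(mode, tx)} s")
```

With the peer vanishing at second 30, the periodic strategy declares it dead 16 seconds later in both scenarios (11 s of silence, then three retries 2 s apart), while the on-demand strategy only reaches the same verdict on a quiet tunnel; with constant outbound traffic it never sends a single probe, which is the behaviour the post complains about.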

Community Member

Re: ASA 8.0(4) not sending DPD keepalives


I have a problem with a similar configuration (with easyvpn though).

Have you found a solution to your problem? I am also currently running the "SA-lifetime-reduction" workaround.

Community Member

Re: ASA 8.0(4) not sending DPD keepalives

Nope, haven't.

It's a pity that no one from Cisco answered here. I also can't file a bug, because I don't have a subscription...

Re: ASA 8.0(4) not sending DPD keepalives

I suggest you post this question under the Security/VPN section, I am sure you will get an answer there.
