Site-To-Site VPN DPD detection

Stephen Sisson (Level 1)

Hello everyone,

We need your help with our site-to-site VPN.

We have a site-to-site VPN connection. The remote client has implemented DPD on their side and is requesting that we do the same on our Cisco 5505 ASA firewall.

My question: is this recommended by Cisco? If not, please give a complete reason why, so we can submit it to upper management for review.

Can you help me with the commands/syntax for adding this to our Cisco 5505 ASA firewall running IOS version 8.45? Will this bring the tunnel down while we configure DPD?

 

Thank you

Accepted Solution

nkarthikeyan (Level 7)

Hi,

It has advantages as well as disadvantages.

The advantage is that it detects tunnel drops well before the default scenario does.

The disadvantage is that if the other end device, or a firewall protecting the clients, blocks the DPD packets, it might create an issue. But in your scenario you should not have such problems.

 

tunnel-group 10.90.244.26 type ipsec-l2l
tunnel-group 10.90.244.26 ipsec-attributes
 isakmp keepalive threshold 10 retry 5

===== This enables DPD: every 10 seconds it tries to detect the peer with keepalive messages, and a retry is initiated after 5 seconds.

 

Make sure the configuration matches on both ends.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution07

Regards,

Karthik

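As an added example (not from the thread, the poster, or Cisco), a small Python audit that parses the `tunnel-group ... ipsec-attributes` blocks from both sides' running-config and reports whether the `isakmp keepalive` settings agree, which is the "match both ends" check Karthik's reply calls for. The config text is constructed; only 10.90.244.26 comes from the thread, and 203.0.113.5 is an assumed address for our own outside interface.

```python
import re

# Constructed running-config fragments (not the poster's real configs). The first
# peer address is the one quoted in the thread; 203.0.113.5 is an assumed address
# for our own outside interface as the remote side would name it.
LOCAL_CONFIG = """\
tunnel-group 10.90.244.26 type ipsec-l2l
tunnel-group 10.90.244.26 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 5
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 isakmp keepalive disable
"""
REMOTE_CONFIG = """\
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 isakmp keepalive threshold 20 retry 5
"""

ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
KEEPALIVE_RE = re.compile(r"^ isakmp keepalive (?:threshold (\d+) retry (\d+)|(disable))$")

def parse_dpd(config):
    """Map each peer with an ipsec-attributes block to (threshold, retry),
    "disabled", or "default" when no keepalive line is present (compare with
    `show running-config all tunnel-group` to see the platform default)."""
    result, peer = {}, None
    for line in config.splitlines():
        m = ATTR_RE.match(line)
        if m:
            peer = m.group(1)
            result[peer] = "default"
            continue
        if peer is None or not line.startswith(" "):
            peer = None  # outside an ipsec-attributes block
            continue
        k = KEEPALIVE_RE.match(line)
        if k:
            result[peer] = "disabled" if k.group(3) else (int(k.group(1)), int(k.group(2)))
    return result

def dpd_mismatches(local_cfg, remote_cfg, remote_ip, our_ip):
    """Compare our tunnel-group for the remote peer with the remote side's
    tunnel-group for us; an empty list means both ends agree."""
    ours = parse_dpd(local_cfg).get(remote_ip)
    theirs = parse_dpd(remote_cfg).get(our_ip)
    if ours is None or theirs is None:
        return ["tunnel-group ipsec-attributes missing on one side"]
    return [] if ours == theirs else [f"keepalive differs: local={ours} remote={theirs}"]
```

Feed it the output of `show running-config tunnel-group` from each ASA; a non-empty result is the mismatch to fix before expecting DPD to behave the same in both directions.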

Thank you