06-26-2014 05:19 AM
Hello everyone
We need your help with our site-to-site VPN.
We have a site-to-site VPN connection; the remote client has implemented DPD on their side and is requesting we do the same on our Cisco 5505 ASA firewall.
My question: is this recommended by Cisco? If not, please give a complete reason why, so we can submit it to upper management for review.
Can you help me with the commands/syntax for adding this to our Cisco 5505 ASA firewall running IOS version 8.45? Will this bring the tunnel down while we configure DPD?
Thank you
06-26-2014 09:21 AM
Hi
It has advantages as well as disadvantages.
The advantage is that it detects tunnel drops well before the default scenario.
The disadvantage is that if the other end device, or clients behind the protected fw, block the DPD packets, it might create an issue. But in your scenario you should not have such problems.
tunnel-group 10.90.244.26 type ipsec-l2l
tunnel-group 10.90.244.26 ipsec-attributes
isakmp keepalive threshold 10 retry 5
===== This enables DPD: every 10 seconds it tries to detect the peer with keepalive messages, and the retry initiates after 5 seconds.
Make sure the configurations match at both ends.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/81824-common-ipsec-trouble.html#solution07
Regards
Karthik
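An added example, not part of the original answer and not Cisco code: a small audit that reads `show running-config` text, extracts the `isakmp keepalive` setting of each `ipsec-l2l` tunnel-group, and compares it with the values agreed with the remote side. It assumes sub-mode lines are indented as the ASA prints them; the 192.0.2.x peers and the function names are constructed for illustration.

```python
import re

# Constructed sample config, not from a real device.
SAMPLE_CONFIG = """\
tunnel-group 10.90.244.26 type ipsec-l2l
tunnel-group 10.90.244.26 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 5
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 isakmp keepalive disable
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 pre-shared-key *****
"""

GROUP_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)\s*$")
KEEPALIVE_RE = re.compile(r"^\s+isakmp keepalive (?:threshold (\d+) retry (\d+)|(disable))\s*$")


def parse_dpd(config):
    """Return {peer: setting} for every ipsec-l2l tunnel-group.

    setting is (threshold, retry), "disabled", or "default" when no
    explicit isakmp keepalive line exists (the platform default applies).
    """
    l2l, result, current = set(), {}, None
    for line in config.splitlines():
        if m := TYPE_RE.match(line):
            if m.group(2) == "ipsec-l2l":
                l2l.add(m.group(1))
            current = None
        elif m := GROUP_RE.match(line):
            current = m.group(1)
            result.setdefault(current, "default")
        elif line and not line[0].isspace():
            current = None  # an unindented line ends the tunnel-group sub-mode
        elif current and (m := KEEPALIVE_RE.match(line)):
            result[current] = "disabled" if m.group(3) else (int(m.group(1)), int(m.group(2)))
    return {peer: s for peer, s in result.items() if peer in l2l}


def mismatches(config, agreed):
    """Return {peer: (found, wanted)} where the config differs from the agreed values."""
    found = parse_dpd(config)
    return {peer: (found.get(peer, "missing"), want)
            for peer, want in agreed.items() if found.get(peer, "missing") != want}
```

Calling `mismatches(SAMPLE_CONFIG, {"10.90.244.26": (10, 5)})` returns an empty dict when the local setting matches what the peer reported.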
06-26-2014 10:44 AM
Thank you