10-31-2013 10:49 AM
Hello to everyone:
1) I want to know the show command to verify DPD on ASAs. I tried a couple of commands but was unable to find out whether DPD is enabled on my ASA.
2) When I try to enable DPD on the ASA, the old commands were as below.
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
But on my ASA there is no command as specified above to enable ISAKMP DPD.
My ASA shows me:
ASA(config)# tunnel-group x.x.x.x ipsec-attributes
ASA(config-tunnel-ipsec)# isakmp ?
tunnel-group-ipsec mode commands/options:
keepalive Configure ISAKMP keepalives
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections before reboot
ASA(config-tunnel-ipsec)# isakmp disconnect-notify
1) The isakmp disconnect-notify looks like a new command to enable DPD on the ASA?
2) Anyone, please let me know if there is any show command available to check that DPD is enabled?
Thanks a lot
10-31-2013 12:27 PM
If in doubt whether a command is enabled by default on the ASA, use the "all" modifier when doing show run.
From ASA 9.0
# sh run all tunnel-group 6.1.2.2 ipsec-attributes
tunnel-group 6.1.2.2 type ipsec-l2l
tunnel-group 6.1.2.2 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
From ASA 8.4
bsns-asa5505-19# sh run all tunnel-group BERN ipsec-attributes
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
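Added example, not part of the thread or of any poster's reply: a Python sketch that reads saved "show run all tunnel-group" output like the two listings above and reports the DPD (isakmp keepalive) setting for each tunnel-group. The sample text is constructed from those listings plus a hypothetical LAB group that uses the "isakmp keepalive disable" form, which does not appear in this thread; the function names are also assumptions.

```python
import re

# Constructed sample: trimmed copies of the two outputs quoted in the reply,
# plus a hypothetical group "LAB" with keepalives disabled (not from the thread).
SAMPLE = """\
tunnel-group 6.1.2.2 type ipsec-l2l
tunnel-group 6.1.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
 isakmp keepalive threshold 300 retry 2
 ikev1 user-authentication xauth
tunnel-group LAB type ipsec-l2l
tunnel-group LAB ipsec-attributes
 isakmp keepalive disable
"""

GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
KEEPALIVE = re.compile(r"^isakmp keepalive (.+)$")
TIMERS = re.compile(r"^threshold (\d+) retry (\d+)$")

def dpd_by_group(text):
    """Return {tunnel-group: {"enabled", "threshold", "retry", "raw"}}."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("tunnel-group "):
            # Only the ipsec-attributes section carries the keepalive line.
            m = GROUP.match(line)
            current = m.group(1) if m else None
            if current:
                result[current] = {"enabled": False, "threshold": None,
                                   "retry": None, "raw": None}
            continue
        m = KEEPALIVE.match(line)
        if m and current:
            entry, timers = result[current], TIMERS.match(m.group(1))
            entry["raw"] = line
            if timers:  # numeric timers mean the ASA sends DPD probes
                entry.update(enabled=True, threshold=int(timers.group(1)),
                             retry=int(timers.group(2)))
    return result

def groups_without_dpd(text):
    """Names of tunnel-groups with no numeric keepalive timers configured."""
    return sorted(n for n, e in dpd_by_group(text).items() if not e["enabled"])

if __name__ == "__main__":
    for name, e in dpd_by_group(SAMPLE).items():
        print(name, "DPD on" if e["enabled"] else "DPD off", e["raw"])
```

A group whose "raw" value is None had no keepalive line in the captured text, which with the "all" modifier usually means the capture was truncated rather than that DPD is off.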
10-31-2013 01:02 PM
I think DPD is enabled by default, and your command helps; now I can see the isakmp keepalive commands under the tunnel group.
But if I want to modify the config and type ? (question mark) after isakmp, no keepalive option pops up. Four options are available; they are defined below.
ASA(config)# tunnel-group x.x.x.x ipsec-attributes
ASA(config-tunnel-ipsec)# isakmp ?
tunnel-group-ipsec mode commands/options:
keepalive Configure ISAKMP keepalives
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections before reboot
ASA(config-tunnel-ipsec)# isakmp disconnect-notify
It looks like the isakmp keepalive command is no longer available or has been replaced by isakmp disconnect-notify.
I am using the 8.6.1 version of IOS.