https://community.cisco.com/t5/network-security/debugging-dead-peer-detection-dpd-on-asa/m-p/688257#M1027883 <HTML><HEAD></HEAD><BODY><P>Found answer to one of my questions, debug crypto isakmp 7 will display dpd messages. It also looks like the pix retries 4 times before peer is considered down.</P><P></P><P>The problem is, my tunnel between asa and pix is flapping every so often for no apparent reason. It usually comes right back up after it is torn down. From this log in pix it appears asa is not replying to dpd r u there request from pix.</P><P></P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_FAIL</P><P>peer 1.1.1.1 , DELETE_ALL_SPIS</P><P></P><P>Should I increase idle time for dpd messages? I do need the pix at remote end to failover to second asa peer if main asa connection fails. I assume making the idle time longer would also make that failover process take longer. </P><P>Any help would be appreciated.</P><P></P><P>How did this post get rated 5.0 by myself???</P><P></P></BODY></HTML> Fri, 26 Jan 2007 20:02:39 GMT acomiskey 2007-01-26T20:02:39Z https://community.cisco.com/t5/network-security/debugging-dead-peer-detection-dpd-on-asa/m-p/688256#M1027882 <P>Is there a similar command for ASA like "isakmp log #" in a pix? </P><P></P><P>Also, from what I have read about dpd in asa, you can specify the idle value in seconds, which specifies how long tunnel can be idle before dpd starts, as well as a retry value in seconds which is the number of seconds between retries. The question is, can you configure how many retries can fail before the peer is considered to be down? If not, what is the default? Is it 1?</P><P></P><P></P><P>Thanks</P> Mon, 11 Mar 2019 09:24:35 GMT https://community.cisco.com/t5/network-security/debugging-dead-peer-detection-dpd-on-asa/m-p/688256#M1027882 acomiskey 2019-03-11T09:24:35Z https://community.cisco.com/t5/network-security/debugging-dead-peer-detection-dpd-on-asa/m-p/688257#M1027883 <HTML><HEAD></HEAD><BODY><P>Found answer to one of my questions, debug crypto isakmp 7 will display dpd messages. It also looks like the pix retries 4 times before peer is considered down.</P><P></P><P>The problem is, my tunnel between asa and pix is flapping every so often for no apparent reason. It usually comes right back up after it is torn down. From this log in pix it appears asa is not replying to dpd r u there request from pix.</P><P></P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_TX</P><P>peer 1.1.1.1 , DPD_FAIL</P><P>peer 1.1.1.1 , DELETE_ALL_SPIS</P><P></P><P>Should I increase idle time for dpd messages? I do need the pix at remote end to failover to second asa peer if main asa connection fails. I assume making the idle time longer would also make that failover process take longer. </P><P>Any help would be appreciated.</P><P></P><P>How did this post get rated 5.0 by myself???</P><P></P></BODY></HTML> Fri, 26 Jan 2007 20:02:39 GMT https://community.cisco.com/t5/network-security/debugging-dead-peer-detection-dpd-on-asa/m-p/688257#M1027883 acomiskey 2007-01-26T20:02:39Z