https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095599#M133716 <P>Hi Sankar,</P> <P></P> <P>You need to check the output of show service-policy from the ASA to see of DCD is in effect.</P> <P></P> <P>More info:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/conns_connlimits.html#wp1080752</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p2"><SPAN class="s1"></SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 27 Jul 2017 10:16:54 GMT Aditya Ganjoo 2017-07-27T10:16:54Z https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095598#M133715 <P>Hi,<BR /><BR />please share me the command to check Dead Connection Detection is enabled or not in ASA firewall.<BR /><BR /><G class="gr_ gr_174 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="174" data-gr-id="174">Thnaks</G><BR />sankar</P> Wed, 13 Mar 2019 01:16:06 GMT https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095598#M133715 sankar.ramoju 2019-03-13T01:16:06Z https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095599#M133716 <P>Hi Sankar,</P> <P></P> <P>You need to check the output of show service-policy from the ASA to see of DCD is in effect.</P> <P></P> <P>More info:</P> <P></P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/conns_connlimits.html#wp1080752</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p2"><SPAN class="s1"></SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 27 Jul 2017 10:16:54 GMT https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095599#M133716 Aditya Ganjoo 2017-07-27T10:16:54Z https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095600#M133717 <P>Hi Suresh,<BR /><BR />Thanks for the quick reply.<BR /><BR />actually, i got a mail from my client.</P> <P>" would you ask your network guys to check the DCD (Dead Connection Detection) config on your firewall at the DC end of the VPN Tunnel - e.g. has DCD been enabled, and if so what is the setting&nbsp;</P> <P>&nbsp;".<BR /><BR />which output should I give to my client?<BR /><BR /><G class="gr_ gr_210 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="210" data-gr-id="210">Thnaks</G>,<BR />sankar</P> Thu, 27 Jul 2017 10:24:55 GMT https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095600#M133717 sankar.ramoju 2017-07-27T10:24:55Z https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095601#M133718 <P>Hi Sankar,</P> <P></P> <P>My name is Aditya <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P></P> <P>To check this you would need to go the tunnel group config of the VPN peer.</P> <P></P> <P>sh run all tunnel-group &lt;IP&gt;</P> <P></P> <P>Check the <G class="gr_ gr_146 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del multiReplace" id="146" data-gr-id="146">ipsec</G>-attributes and it will show you the keepalive (DPD) values.</P> <P></P> <P class="p1"><SPAN class="s1">Regards,</SPAN></P> <P class="p2"><SPAN class="s1"></SPAN></P> <P class="p1"><SPAN class="s1">Aditya</SPAN></P> <P class="p1"><SPAN class="s1">Please rate helpful and mark correct answers</SPAN></P> Thu, 27 Jul 2017 10:33:52 GMT https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095601#M133718 Aditya Ganjoo 2017-07-27T10:33:52Z https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095602#M133719 <P>Hi Aditya,<BR /><BR />Thanks for your quick replies.</P> <P></P> <P>Actually, we have a VPN Tunnel between our DC and the client location. previously everything working fine. 20days back my client has changed their firewall. Then onwards we are facing some packet loss issue and sometimes we are able to telnet their&nbsp;<G class="gr_ gr_303 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del" id="303" data-gr-id="303">ips</G> and some times not able connect to their <G class="gr_ gr_465 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del" id="465" data-gr-id="465">ips</G> through vpn tunnel. In <G class="gr_ gr_920 gr-alert gr_spell gr_inline_cards gr_run_anim ContextualSpelling ins-del" id="920" data-gr-id="920">asa</G>&nbsp;logs, I have&nbsp;observed syn timeout problem. but the client is saying everything fine at their end, they suspected some problem with my DC firewall configuration.</P> <P>Now,&nbsp;he is asking about Dead Connection Detection is enabled or not, if it enabled what is the setting you did in your firewall.</P> <P><BR />If it's a VPN-Tunnel then it's a Dead Peer Detection right. but my client is asking about Dead Connection Detection. I am confused to reply my client mail.&nbsp;<BR /><BR />so I am thinking to share both DCD and DPD settings to my client.<BR /><BR />can you please suggest me what is the correct reply to my client.<BR /><BR />Thanks,<BR />sankar</P> Thu, 27 Jul 2017 11:03:47 GMT https://community.cisco.com/t5/network-security/how-to-check-dead-connection-detection-is-enabled-or-not-in-asa/m-p/3095602#M133719 sankar.ramoju 2017-07-27T11:03:47Z