cisco FTD and DCD
11-22-2017 07:43 AM - edited 02-21-2020 06:49 AM
I know Cisco ASA supports DCD (Dead Connection Detection). Does FTD support this?
Thank you!
Labels: IPS and IDS
11-22-2017 10:32 PM
It does not currently support DCD.
It does support Dead Peer Detection (DPD).
11-23-2017 12:07 AM
Dear Marvin,
I think DPD is only used for VPN. We have applications going through FTD with long-duration sessions. I need DCD for better control of the application; at least we want a function where the firewall sends a reset to both sides (inside & outside) after the session timeout. I hope FTD has this function like ASA.
Does FTD just clear the connection after the session timeout?
Thank you.
11-23-2017 02:34 AM
Yes - DPD is for VPN.
For session timeout we can modify timeout values via a platform policy as of FTD 6.2.1 and later.
11-24-2017 01:11 AM
Thanks for your useful info. I'll try to configure DCD with FlexConfig.
11-30-2017 02:06 AM
I have opened a TAC case; DCD can be configured through FlexConfig.
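For readers who want to see what "DCD through FlexConfig" amounts to, here is an added example that is not from this thread or from Cisco: the ASA-style Modular Policy Framework commands a FlexConfig object on FTD would push. The class-map, ACL and port are constructed placeholders, and the split `set connection timeout idle` / `set connection timeout dcd` form assumes the newer (9.x-style) syntax; adjust to the syntax your FTD version accepts.

```cisco
! Constructed example (not from the thread). Names and the port are placeholders.
! Goal: let long-lived application sessions survive the idle timeout while still
! reclaiming truly dead ones. Instead of silently dropping an idle flow, the
! firewall sends DCD probes to both endpoints; only if neither answers after the
! retry budget is the connection torn down.
access-list LONG_LIVED_APP_ACL extended permit tcp any any eq 1521
!
class-map LONG_LIVED_APP
 match access-list LONG_LIVED_APP_ACL
!
policy-map global_policy
 class LONG_LIVED_APP
  ! idle timeout for matched TCP connections (assumed value: 1 hour)
  set connection timeout idle 1:00:00
  ! DCD: probe every 15 seconds, up to 5 retries, before declaring the flow dead
  set connection timeout dcd 0:00:15 5
```

Deploy the FlexConfig object from FMC and confirm the result landed with `show running-config policy-map` on the FTD; keep the class-map tightly scoped, since DCD probes are extra traffic the endpoints must be allowed to answer.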
02-27-2020 04:20 AM - edited 03-01-2020 10:49 AM
I'd like to dig a little deeper into this. DPD might be supported, but I recently set up two VPN tunnels to non-Cisco devices that were both set to restart the tunnels upon DPD failing to receive responses. About 200 seconds in, the tunnels would be reset until we disabled DPD on the remote end. Cisco seems to use the open-source charon, which is employed by strongSwan, and it doesn't seem to work well with DPD. Is it possible that as of FTD 6.5.0 code Cisco has stopped DPD support?
03-01-2020 11:18 AM
Hi,
Most probably it's using the legacy keepalive mechanism, which is incompatible with DPD. See if FlexConfig lets you configure DPD. Otherwise, with DPD, it's good enough to have it configured on one side; failover will still occur in case you get stuck.
Regards,
Cristian Matei.
