Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1972
Views
0
Helpful
4
Replies

How to check Dead connection Detection is enabled or not in asa firewall

sankar.ramoju
Level 1
Level 1

‎07-27-2017 03:04 AM - edited ‎03-12-2019 06:16 PM

Hi,

please share me the command to check Dead Connection Detection is enabled or not in ASA firewall.

Thnaks
sankar

Labels:
0 Helpful
4 Replies 4

Aditya Ganjoo
Cisco Employee
Cisco Employee

‎07-27-2017 03:16 AM

Hi Sankar,

You need to check the output of show service-policy from the ASA to see of DCD is in effect.

More info:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/conns_connlimits.html#wp1080752

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

sankar.ramoju
Level 1
Level 1
In response to Aditya Ganjoo

‎07-27-2017 03:24 AM

Hi Suresh,

Thanks for the quick reply.

actually, i got a mail from my client.

" would you ask your network guys to check the DCD (Dead Connection Detection) config on your firewall at the DC end of the VPN Tunnel - e.g. has DCD been enabled, and if so what is the setting 

 ".

which output should I give to my client?

Thnaks,
sankar

0 Helpful

Aditya Ganjoo
Cisco Employee
Cisco Employee
In response to sankar.ramoju

‎07-27-2017 03:33 AM

Hi Sankar,

My name is Aditya :)

To check this you would need to go the tunnel group config of the VPN peer.

sh run all tunnel-group <IP>

Check the ipsec-attributes and it will show you the keepalive (DPD) values.

Regards,

Aditya

Please rate helpful and mark correct answers

0 Helpful

sankar.ramoju
Level 1
Level 1
In response to Aditya Ganjoo

‎07-27-2017 04:03 AM

Hi Aditya,

Thanks for your quick replies.

Actually, we have a VPN Tunnel between our DC and the client location. previously everything working fine. 20days back my client has changed their firewall. Then onwards we are facing some packet loss issue and sometimes we are able to telnet their ips and some times not able connect to their ips through vpn tunnel. In asa logs, I have observed syn timeout problem. but the client is saying everything fine at their end, they suspected some problem with my DC firewall configuration.

Now, he is asking about Dead Connection Detection is enabled or not, if it enabled what is the setting you did in your firewall.


If it's a VPN-Tunnel then it's a Dead Peer Detection right. but my client is asking about Dead Connection Detection. I am confused to reply my client mail. 

so I am thinking to share both DCD and DPD settings to my client.

can you please suggest me what is the correct reply to my client.

Thanks,
sankar

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card