Cisco Site to Site VPN times out

cisco8887
Level 2

Hi Guys,

I have set up keepalive on a site to site VPN using

crypto isakmp keepalive 60 5

I have done this at both ends, but the connection keeps dropping after 30 minutes, which is the IPsec timeout.

If I issue "show vpn-sessiondb de l2l" I can see the IPsec tunnel's idle time left keeps decreasing if there is no traffic across the tunnel.

As soon as I issue a ping, the idle time left to timeout goes back to 30 minutes.

Any ideas?

I have also done debugging and can see the packets R-U-There and R-U-There-Ack going back and forth and acknowledged, but it is not seen as traffic between the two end points to keep the tunnel up.

Many thanks

10 Replies

That has to be changed in the group-policy:

group-policy NAME-of-POLICY attributes
 vpn-idle-timeout none

Hi,

Thanks for your reply.

This is a site to site VPN, not remote access, so does the above still apply?

Would it be the default GP?

Group-policies are applied to all kinds of VPNs, also to site-to-site.

You can apply a specific GP to this VPN, or change the default GP. Changing the default GP will also have an effect on all your other VPNs.

Hi,

Thanks for this. Isn't keepalive meant to be doing this?

Would the keepalive packets be sent from public to public or from private to private behind each firewall?

> Isn't keepalive meant to be doing this?

It doesn't need to be that way. It can also enable DPD instead of periodic keepalives. That is different depending on platform, version and config-mode.

Sure, what I am asking is: isn't keepalive meant to keep the connection on?

On ASA you don't have DPD and have periodic keepalive, and my understanding is that it is used to keep the connection on, but it doesn't, so what is its use?

I can't see what it provides apart from detecting that the peer is dead and killing the connection.

You are a legend, by the way, as that fixed it, but I still don't understand the role of keepalive.

The ASA can do DPD. But it all depends on many factors. But regardless of keepalives, DPD and so on, the ASA uses a default idle-timeout of 30 minutes. And that's what needs to be switched off.

Do you know the command for DPD on ASA?

I get the idea that the VPN session timeout is the one that is used, but then what is keepalive used for? Is it not to do the same thing and send packets and ensure both sides do get it?

This is the output from debugging, which shows R-U-There is received and sent back, but still...

Also, when receiving and sending, it looks as if the group and IP stay the same (I have changed the IP to not disclose any public IPs).


Oct 09 2015 10:33:38: %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing hash payload
Oct 09 2015 10:33:38: %ASA-7-715047: Group = 1.1.1.1, IP = 1.1.1.1, processing notify payload
Oct 09 2015 10:33:38: %ASA-7-715075: Group = 1.1.1.1, IP = 1.1.1.1, Received keep-alive of type DPD R-U-THERE (seq number 0x44f7d33e)
Oct 09 2015 10:33:38: %ASA-7-715036: Group = 1.1.1.1, IP = 1.1.1.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x44f7d33e)
Oct 09 2015 10:33:38: %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing blank hash payload
Oct 09 2015 10:33:38: %ASA-7-715046: Group = 1.1.1.1, IP = 1.1.1.1, constructing qm hash payload
Oct 09 2015 10:33:38: %ASA-7-713236: IP = 1.1.1.1, IKE_DECODE SENDING Message (msgid=42d738f5) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 80

 

DPD is typically controlled in the ipsec-section of the tunnel-group. Keepalives were used to keep the session up a long time ago, when they were not implemented as DPD. Nowadays it's more a traffic-management feature that tells a peer it's not worth sending traffic or keeping the session up if the other peer is not responding.
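As an added example (not configuration from the thread or from any of the posters), here are the two settings the replies above point to, written as ASA configuration: a dedicated group-policy with the 30-minute idle timeout disabled, bound to the site-to-site tunnel-group, and DPD set under the tunnel-group's ipsec-attributes. The policy name L2L-NOIDLE, the DPD timer values and the pre-shared-key placeholder are assumptions; the peer address 1.1.1.1 is the placeholder IP used in the thread, and the ikev1 keyword assumes ASA 8.4 or later (older releases use pre-shared-key without it).

```cisco
! Added example: dedicated group-policy for the L2L tunnel with the
! default 30-minute idle timeout disabled (the fix the replies describe)
group-policy L2L-NOIDLE internal
group-policy L2L-NOIDLE attributes
 vpn-idle-timeout none
!
! Bind it to the site-to-site tunnel-group for peer 1.1.1.1 (placeholder
! address from the thread) instead of editing DfltGrpPolicy, so the other
! VPNs on the box keep their current idle timeout
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy L2L-NOIDLE
!
! DPD lives in the tunnel-group's ipsec-attributes: send R-U-THERE after
! 10 s of silence from the peer and retry every 2 s (assumed values).
! This only detects a dead peer; the R-U-THERE/R-U-THERE-ACK exchange is
! not tunnel traffic and does not reset the idle timer
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
```

Afterwards, "show running-config group-policy L2L-NOIDLE" and "show running-config tunnel-group 1.1.1.1" confirm that the policy is bound to this tunnel only.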

Sure, so we are saying that keepalive is not subject to the crypto policy and does not count as traffic being sent between the two peers?

Is it purely there to find out if the remote host is dead, rather than keep sending traffic to keep the connection up?

Sorry if I am going too deep, but I don't understand why it is called keepalive and people say it is there to keep the connection up, yet it does nothing to keep the connection up.