isakmp keepalive threshold infinite vs. isakmp keepalive disable

stownsend · ‎08-24-2015

What is the Difference between the Following tunnel-group <name> ipsec-attributes

isakmp keepalive threshold infinite

vs.

isakmp keepalive disable

I started with the 'isakmp keepalive threshold infinite' and it sure kept the tunnel up, though at some point it stopped passing traffic and I had to logout the session for the traffic to flow again. 

So I'm worried to use the 'isakmp keep alive disable' and have it have the same effect.

Thanks you

Dinesh Moudgil · ‎08-25-2015

Hello stownsend,

isakmp keepalive threshold infinite
This configures "one-way" DPD mode on ASA. The ASA will respond to R-U-THERE messages, but will not initiate DPD exchange.

isakmp keepalive disable
This will completely disable DPD on ASA and it will not negotiate it with a peer.

Source:-
DPD : https://supportforums.cisco.com/document/32546/dead-peer-detection

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

stownsend · ‎08-25-2015

I had set isakmp keepalive threshold infinite on both the head end and the remote, so that would seem like that would be the same as isakmp keepalive disable on either end?

I'm asking because I've tried the isakmp keepalive threshold infinite command and that didn't work well at all. I've been asked to use the isakmp keepalive disable command. If it is going to do the same thing I don't want to risk taking down the remote site again.

Thank you,

Dinesh Moudgil · ‎08-25-2015

Setting isakmp to "infinite" on both sides is equivalent to disabling them as both sides will not initiate DPDs but will expect other side to send DPDs which is not going to occur eventually.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/