10-31-2013 10:49 AM
Hello everyone,
1) I want to know the show command to verify DPD on ASAs. I tried a couple of commands but was unable to find out whether DPD is enabled on my ASA.
2) When I try to enable DPD on the ASA, the old commands were as below.
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 10 retry 2
But on my ASA there is no command as specified above to enable ISAKMP DPD.
My ASA shows me:
ASA(config)# tunnel-group x.x.x.x ipsec-attributes
ASA(config-tunnel-ipsec)# isakmp ?
tunnel-group-ipsec mode commands/options:
keepalive Configure ISAKMP keepalives
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections before reboot
ASA(config-tunnel-ipsec)# isakmp disconnect-notify
1) isakmp disconnect-notify looks like the new command to enable DPD on the ASA?
2) Can anyone please let me know if there is any show command available to check whether DPD is enabled?
Thanks a lot
10-31-2013 12:27 PM
If in doubt whether a command is enabled by default on the ASA, use the "all" modifier when doing show run.
From ASA 9.0
# sh run all tunnel-group 6.1.2.2 ipsec-attributes
tunnel-group 6.1.2.2 type ipsec-l2l
tunnel-group 6.1.2.2 ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
isakmp keepalive threshold 10 retry 2
no ikev2 remote-authentication
no ikev2 local-authentication
From ASA 8.4
bsns-asa5505-19# sh run all tunnel-group BERN ipsec-attributes
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
ikev1 pre-shared-key *****
peer-id-validate req
no chain
no ikev1 trust-point
no ikev1 radius-sdi-xauth
isakmp keepalive threshold 300 retry 2
ikev1 user-authentication xauth
no ikev2 remote-authentication
no ikev2 local-authentication
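Added example, not part of the original replies: a small Python audit helper that reads saved "show run all tunnel-group" output in the format quoted above and reports the DPD (ISAKMP keepalive) state of each tunnel group. The function name, the sample text and the PEER-C group are constructed for illustration.

```python
import re

# Constructed sample in the format of the "sh run all tunnel-group" output quoted
# above; the PEER-C group and its "disable" line are added for illustration.
SAMPLE = """\
tunnel-group 6.1.2.2 type ipsec-l2l
tunnel-group 6.1.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
tunnel-group BERN type remote-access
tunnel-group BERN ipsec-attributes
 isakmp keepalive threshold 300 retry 2
tunnel-group PEER-C type ipsec-l2l
tunnel-group PEER-C ipsec-attributes
 isakmp keepalive disable
"""

TYPE_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")
IPSEC_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
KEEPALIVE_RE = re.compile(r"^isakmp keepalive (?:threshold (\d+) retry (\d+)|(disable))$")

def dpd_settings(config_text):
    """Map each tunnel group name to its type and DPD (ISAKMP keepalive) state."""
    groups, current = {}, None
    new_entry = lambda: {"type": None, "dpd": "not shown"}
    for raw in config_text.splitlines():
        line = raw.strip()
        if (m := TYPE_RE.match(line)):
            groups.setdefault(m.group(1), new_entry())["type"] = m.group(2)
            current = None
        elif (m := IPSEC_RE.match(line)):
            current = groups.setdefault(m.group(1), new_entry())
        elif line.startswith("tunnel-group "):
            current = None  # some other sub-mode, e.g. general-attributes
        elif current is not None and (m := KEEPALIVE_RE.match(line)):
            if m.group(3):
                current["dpd"] = "disabled"
            else:
                current.update(dpd="enabled", threshold=int(m.group(1)), retry=int(m.group(2)))
    return groups

if __name__ == "__main__":
    for name, info in dpd_settings(SAMPLE).items():
        print(name, info)
    # Without "all", a keepalive line left at its default may be absent from the
    # output, so the group is reported as "not shown" rather than as disabled.
    print(dpd_settings("tunnel-group X ipsec-attributes\n ikev1 pre-shared-key *****\n"))
```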
10-31-2013 01:02 PM
I think DPD is enabled by default; your command helps, and now I can see the isakmp keepalive commands under the tunnel group.
But if I want to modify the config and type ? (question mark) after isakmp, no keepalive option pops up. Four options are available, as shown below.
ASA(config)# tunnel-group x.x.x.x ipsec-attributes
ASA(config-tunnel-ipsec)# isakmp ?
tunnel-group-ipsec mode commands/options:
keepalive Configure ISAKMP keepalives
configure mode commands/options:
disconnect-notify Enable disconnect notification to peers
identity Set identity type (address, hostname or key-id)
nat-traversal Enable and configure nat-traversal
reload-wait Wait for voluntary termination of existing connections before reboot
ASA(config-tunnel-ipsec)# isakmp disconnect-notify
It looks like the isakmp keepalive command is no longer available or has been replaced by isakmp disconnect-notify.
I am using version 8.6.1 of IOS.