Configure dead peer detection in Cisco ASA firewall

Before implementing dead peer detection on a Cisco ASA firewall, you must understand what dead peer detection (DPD) is and how it functions. Follow the posts below to understand dead peer detection in detail.

What is Dead Peer Detection (DPD)?
Configure dead peer detection in Cisco router.

ASA and PIX firewalls support “semi-periodic” DPD only: they send an R-U-THERE message to a peer only if the peer has been idle for <threshold> seconds. The ASA may have nothing to send to the peer, but DPD is still sent as long as the peer is idle. If the VPN session is completely idle, R-U-THERE messages are sent every <threshold> seconds. If traffic is coming from the peer, no R-U-THERE messages are sent.

Unlike on routers, you can completely disable DPD on the ASA, and it will then not negotiate it with a peer (“disable” configuration option).

Also, you can configure a “one-way” DPD mode on the ASA: it will respond to R-U-THERE messages but will not initiate a DPD exchange itself (“threshold infinite” configuration option).

isakmp keepalive {disable | threshold <threshold> retry <retry-interval> | threshold infinite}

If the peer does not respond with an R-U-THERE-ACK, the ASA starts retransmitting R-U-THERE messages every <retry-interval> seconds, with a maximum of three retransmissions. After that the peer is declared dead.

You cannot specify the number of retries on ASA.

DPD is enabled by default on ASA for both L2L and RA IPSec:

tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 300 retry 2
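The following configuration is an added example and is not taken from the original post; the tunnel-group names and the peer addresses (RFC 5737 documentation addresses) are constructed placeholders. It shows the three DPD modes described above applied per tunnel-group, rather than through the default groups: a tuned bidirectional mode for a site-to-site peer, one-way mode for a peer whose IKE implementation does not initiate DPD, and DPD disabled for a remote-access group. Because the retry count is fixed at three, a peer that falls silent is declared dead roughly threshold plus three retry intervals after its last packet; the lower the threshold, the sooner stale SAs are torn down and failover can occur, at the cost of more keepalive traffic.

```text
! Added example, not part of the original post.
! 203.0.113.10, 203.0.113.20 and RA-EMPLOYEES are constructed placeholders.

! 1. Site-to-site peer that should be detected quickly: bidirectional DPD,
!    R-U-THERE after 15 idle seconds, retransmitted every 3 seconds.
!    With the fixed retry count of three, a silent peer is declared dead
!    about 15 + 3 x 3 seconds after its last packet.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 isakmp keepalive threshold 15 retry 3

! 2. Peer that answers DPD but mishandles incoming R-U-THERE probes:
!    one-way mode. The ASA answers the peer's R-U-THERE messages but
!    never initiates the exchange, so liveness detection depends on the
!    peer. Only the peer's DPD timers will clean up a stale SA here.
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 isakmp keepalive threshold infinite

! 3. Remote-access group with DPD disabled. The ASA will not negotiate
!    DPD with these clients, so a disconnected client's SA lingers until
!    the SA lifetime expires or the client reconnects.
tunnel-group RA-EMPLOYEES type remote-access
tunnel-group RA-EMPLOYEES ipsec-attributes
 isakmp keepalive disable

! Verify the per-group settings and the resulting IKE SAs:
show running-config tunnel-group 203.0.113.10
show running-config tunnel-group 203.0.113.20
show running-config tunnel-group RA-EMPLOYEES
show crypto isakmp sa detail
```

A per-tunnel-group setting overrides the value inherited from DefaultL2LGroup or DefaultRAGroup for that group only; groups without an explicit isakmp keepalive line keep the defaults shown above.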

In brief, on ASA we have the following:

  • only “semi-periodic” DPD is supported
  • DPD can be completely disabled
  • one-way mode is supported
  • bidirectional mode is the default one
  • retry interval can be configured
  • retry count cannot be configured and equals three