Enabling and adjusting dead peer detection – Cisco ASA 5505 User Manual

75-15

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 75 Configuring AnyConnect VPN Client Connections

Configuring AnyConnect Connections

Note

Configuring the rekey method as ssl or new-tunnel specifies that the client establishes a new
tunnel during rekey instead of the SSL renegotiation taking place during the rekey. See the

Cisco

ASA 5500 Series Command Reference, 8.4

for a history of the anyconnect ssl rekey command.

time minutes specifies the number of minutes from the start of the session, or from the last rekey, until
the rekey takes place, from 1 to 10080 (1 week).

In the following example, the client is configured to renegotiate with SSL during rekey, which takes
place 30 minutes after the session begins, for the existing group-policy sales:

hostname(config)# group-policy sales attributes

hostname(config-group-policy)# webvpn

hostname(config-group-webvpn)# anyconnect ssl rekey method ssl

hostname(config-group-webvpn)# anyconnect ssl rekey time 30

Enabling and Adjusting Dead Peer Detection

Dead Peer Detection (DPD) ensures that the ASA (gateway) or the client can quickly detect a condition
where the peer is not responding, and the connection has failed.

To enable DPD on the ASA or client for a specific group or user, and to set the frequency with which
either the ASA or client performs DPD, use the anyconnect dpd-interval command from group-policy
or username webvpn mode:

anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

Where:

gateway seconds enables DPD performed by the ASA (gateway) and specifies the frequency, from 5 to
3600 seconds, with which the ASA (gateway) performs DPD.

gateway none disables DPD performed by the ASA.

client seconds enable DPD performed by the client, and specifies the frequency, from 5 to 3600 seconds,
with which the client performs DPD.

client none disables DPD performed by the client.

To remove the anyconnect dpd-interval command from the configuration, use the no form of the
command:

no anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

Note

If you enable DTLS, enable Dead Peer Detection (DPD) also. DPD enables a failed DTLS connection
to fallback to TLS. Overwise, the connection terminates.

The following example sets the frequency of DPD performed by the ASA to 30 seconds, and the
frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales:

hostname(config)# group-policy sales attributes

hostname(config-group-policy)# webvpn

hostname(config-group-webvpn)# anyconnect dpd-interval gateway 30

hostname(config-group-webvpn)# anyconnect dpd-interval client 10