Enabling and adjusting dead peer detection – Cisco ASA 5505 User Manual
Page 1725
 
75-15
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 75 Configuring AnyConnect VPN Client Connections
Configuring AnyConnect Connections
Note
Configuring the rekey method as ssl or new-tunnel
ASA 5500 Series Command Reference, 8.4
for a history of the anyconnect ssl rekey command.
time minutes specifies the number of minutes from the start of the session, or from the last rekey, until 
the rekey takes place, from 1 to 10080 (1 week).
In the following example, the client is configured to renegotiate with SSL during rekey, which takes 
place 30 minutes after the session begins, for the existing group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect ssl rekey method ssl
hostname(config-group-webvpn)# anyconnect ssl rekey time 30
Enabling and Adjusting Dead Peer Detection
Dead Peer Detection (DPD) ensures that the ASA (gateway) or the client can quickly detect a condition 
where the peer is not responding, and the connection has failed.
To enable DPD on the ASA or client for a specific group or user, and to set the frequency with which 
either the ASA or client performs DPD, use the  anyconnect dpd-interval command from group-policy 
or username webvpn mode:
anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
Where:
gateway seconds enables DPD performed by the ASA (gateway) and specifies the frequency, from 5 to 
3600 seconds, with which the ASA (gateway) performs DPD.
gateway none disables DPD performed by the ASA.
client seconds enable DPD performed by the client, and specifies the frequency, from 5 to 3600 seconds, 
with which the client performs DPD.
client none disables DPD performed by the client.
To remove the anyconnect dpd-interval command from the configuration, use the no form of the 
command:
no anyconnect dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}
Note
If you enable DTLS, enable Dead Peer Detection (DPD) also. DPD enables a failed DTLS connection 
to fallback to TLS. Overwise, the connection terminates.
The following example sets the frequency of DPD performed by the ASA to 30 seconds, and the 
frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales:
hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# anyconnect dpd-interval gateway 30
hostname(config-group-webvpn)# anyconnect dpd-interval client 10