Enabling And Adjusting Dead Peer Detection - Cisco 5505 - ASA Firewall Edition Bundle Administrator's Manual

Administration guide

Hide thumbs Also See for 5505 - ASA Firewall Edition Bundle:

Configuration manual (1822 pages)

Getting started manual (168 pages)

Hardware installation manual (82 pages)

Table Of Contents

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

page of 118

/ 118
Contents
Table of Contents
Bookmarks

Table of Contents

Chapter 6

Configuring AnyConnect Features Using CLI

method new-tunnel specifies that the client establishes a new tunnel during rekey.

method none disables rekey.

method ssl specifies that SSL renegotiation takes place during rekey.

time minutes specifies the number of minutes from the start of the session or from the last rekey until

the next rekey takes place, from 1 to 10080 (1 week).

In the following example, the client is configured to renegotiate with SSL during rekey, which takes

place 30 minutes after the session begins, for the existing group-policy sales:

hostname(config)# group-policy sales attributes

hostname(config-group-policy)# webvpn

hostname(config-group-policy)# svc rekey method ssl

hostname(config-group-policy)# svc rekey time 30

Note

The security appliance does not currently support inline DTLS rekey. The AnyConnect client, therefore,

treats all DTLS rekey events as though they were of the new tunnel method instead of the inline ssl type

(CSC93610).

Enabling and Adjusting Dead Peer Detection

Dead Peer Detection (DPD) ensures that the security appliance (gateway) or the client can quickly detect

a condition where the peer is not responding, and the connection has failed.

When using the AnyConnect client with DTLS on security appliance, Dead Peer Detection must be

Note

enabled in the group policy on the ASA to allow the AnyConnect client to fall back to TLS, if necessary.

Fallback to TLS occurs if the AnyConnect client cannot send data over the UPD/DTLS session, and the

DPD mechanism is necessary for fallback to occur.

To enable DPD on the security appliance or client for a specific group or user, and to set the frequency

with which either the security appliance or client performs DPD, use the svc dpd-interval command

from group-policy or username webvpn mode:

Where:

The following example sets the frequency of DPD performed by the security appliance to 30 seconds,

and the frequency of DPD performed by the client set to 10 seconds for the existing group-policy sales:

hostname(config)# group-policy sales attributes

OL-12950-012

[no] svc rekey {method {new-tunnel | none | ssl} | time minutes}

svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

no svc dpd-interval {[gateway {seconds | none}] | [client {seconds | none}]}

gateway seconds enables DPD performed by the security appliance (gateway) and specifies the

frequency, from 30 to 3600 seconds, with which the security appliance (gateway) performs DPD.

gateway none disables DPD performed by the security appliance.

client seconds enable DPD performed by the client, and specifies the frequency, from 30 to 3600

seconds, with which the client performs DPD.

client none disables DPD performed by the client.

To remove the svc dpd-interval command from the configuration, use the no form of the command:

Configuring, Enabling, and Using Other AnyConnect Features

Cisco AnyConnect VPN Client Administrator Guide

6-7

Table of Contents

Enabling And Adjusting Dead Peer Detection - Cisco 5505 - ASA Firewall Edition Bundle Administrator's Manual

Enabling and Adjusting Dead Peer Detection

Related Manuals for Cisco 5505 - ASA Firewall Edition Bundle

Related Content for Cisco 5505 - ASA Firewall Edition Bundle

Table of Contents