> I would add a third reason for heartbeats/keepalives. To be able to do accurate > accounting the SG needs to know within a reasonable time that the client has > disconnected. I just re-read the ipsec and ipsra charters and saw no mention of accounting as required functionality.. - Bill