diff --git a/CHANGES b/CHANGES
index 49fe0926dd1ffb178a2ddffd2c288899a7105019..bc08483a030e264d2f143a05c2f76bf38a474bc5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -3,6 +3,7 @@ OpenLDAP 2.4 Change Log
 OpenLDAP 2.4.22 Engineering
 	Added slapd SLAP_SCHEMA_EXPOSE flag for hidden schema elements (ITS#6435)
 	Added slapd tools selective iterations (ITS#6442)
+	Added slapd syncrepl TCP keepalive (ITS#6389)
 	Added slapo-ldap idassert-passthru (ITS#6456)
 	Added slapo-pbind
 	Fixed libldap GnuTLS serial length (ITS#6460)
diff --git a/doc/man/man5/slapd-config.5 b/doc/man/man5/slapd-config.5
index 7d136e5700e9646d25cefa832ea1fcde900db5e7..5048a8a9968d8530cfef1c50e8a1d3473b4a28bd 100644
--- a/doc/man/man5/slapd-config.5
+++ b/doc/man/man5/slapd-config.5
@@ -1661,6 +1661,7 @@ FALSE, meaning the contextCSN is stored in the context entry.
 .B [credentials=<passwd>]
 .B [realm=<realm>]
 .B [secprops=<properties>]
+.B [keepalive=<idle>:<probes>:<interval>]
 .B [starttls=yes|critical]
 .B [tls_cert=<file>]
 .B [tls_key=<file>]
@@ -1802,6 +1803,22 @@ should grant that identity appropriate access privileges to the data
 that is being replicated (\fBaccess\fP directive), and appropriate time 
 and size limits (\fBlimits\fP directive).
 
+The
+.B keepalive
+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
+used to check whether a socket is alive;
+.I idle
+is the number of seconds a connection needs to remain idle before TCP 
+starts sending keepalive probes;
+.I probes
+is the maximum number of keepalive probes TCP should send before dropping
+the connection;
+.I interval
+is interval in seconds between individual keepalive probes.
+Only some systems support the customization of these values;
+the
+.B keepalive
+parameter is ignored otherwise, and system-wide settings are used.
 
 The
 .B starttls
diff --git a/doc/man/man5/slapd.conf.5 b/doc/man/man5/slapd.conf.5
index ddc3136d166bb1ca8166c32262426dc911ff47cf..121761070620620ac00bfed41a18014137e9bc8e 100644
--- a/doc/man/man5/slapd.conf.5
+++ b/doc/man/man5/slapd.conf.5
@@ -1647,6 +1647,7 @@ the contextCSN is stored in the context entry.
 .B [credentials=<passwd>]
 .B [realm=<realm>]
 .B [secprops=<properties>]
+.B [keepalive=<idle>:<probes>:<interval>]
 .B [starttls=yes|critical]
 .B [tls_cert=<file>]
 .B [tls_key=<file>]
@@ -1807,6 +1808,23 @@ and \fBtimelimit\fP, or by setting an appropriate \fBlimits\fP statement
 in the consumer's configuration (see \fBsizelimit\fP and \fBlimits\fP
 for details).
 
+The
+.B keepalive
+parameter sets the values of \fIidle\fP, \fIprobes\fP, and \fIinterval\fP
+used to check whether a socket is alive;
+.I idle
+is the number of seconds a connection needs to remain idle before TCP 
+starts sending keepalive probes;
+.I probes
+is the maximum number of keepalive probes TCP should send before dropping
+the connection;
+.I interval
+is interval in seconds between individual keepalive probes.
+Only some systems support the customization of these values;
+the
+.B keepalive
+parameter is ignored otherwise, and system-wide settings are used.
+
 The
 .B starttls
 parameter specifies use of the StartTLS extended operation
diff --git a/servers/slapd/config.c b/servers/slapd/config.c
index bc1e4b486bce10372e4f21d08505b4c199e40d30..c18ed041fd028971b2904ba996515969f8e8eba3 100644
--- a/servers/slapd/config.c
+++ b/servers/slapd/config.c
@@ -303,8 +303,8 @@ int config_check_vals(ConfigTable *Conf, ConfigArgs *c, int check_only ) {
 				break;
 		}
 		j = (arg_type & ARG_NONZERO) ? 1 : 0;
-		if(iarg < j && larg < j && barg < j ) {
-			larg = larg ? larg : (barg ? barg : iarg);
+		if(iarg < j && larg < j && barg < (unsigned)j ) {
+			larg = larg ? larg : (barg ? (long)barg : iarg);
 			snprintf( c->cr_msg, sizeof( c->cr_msg ), "<%s> invalid value",
 				c->argv[0] );
 			Debug(LDAP_DEBUG_ANY|LDAP_DEBUG_NONE, "%s: %s\n",
@@ -1234,6 +1234,92 @@ slap_sb_uri(
 	return 0;
 }
 
+static int 
+slap_keepalive_parse(
+	struct berval *val,
+	void *bc,
+	slap_cf_aux_table *tab0,
+	const char *tabmsg,
+	int unparse )
+{
+	if ( unparse ) {
+		slap_keepalive *sk = (slap_keepalive *)bc;
+		int rc = snprintf( val->bv_val, val->bv_len, "%d:%d:%d",
+			sk->sk_idle, sk->sk_probes, sk->sk_interval );
+		if ( rc < 0 ) {
+			return -1;
+		}
+
+		if ( (unsigned)rc >= val->bv_len ) {
+			return -1;
+		}
+
+		val->bv_len = rc;
+
+	} else {
+		char *s = val->bv_val;
+		char *next;
+		slap_keepalive *sk = (slap_keepalive *)bc;
+		slap_keepalive sk2;
+
+		if ( s[0] == ':' ) {
+			sk2.sk_idle = 0;
+			s++;
+			
+		} else {
+			sk2.sk_idle = strtol( s, &next, 10 );
+			if ( next == s || next[0] != ':' ) {
+				return -1;
+			}
+
+			if ( sk2.sk_idle < 0 ) {
+				return -1;
+			}
+
+			s = ++next;
+		}
+
+		if ( s[0] == ':' ) {
+			sk2.sk_probes = 0;
+			s++;
+
+		} else {
+			sk2.sk_probes = strtol( s, &next, 10 );
+			if ( next == s || next[0] != ':' ) {
+				return -1;
+			}
+
+			if ( sk2.sk_probes < 0 ) {
+				return -1;
+			}
+
+			s = ++next;
+		}
+
+		if ( s == '\0' ) {
+			sk2.sk_interval = 0;
+			s++;
+
+		} else {
+			sk2.sk_interval = strtol( s, &next, 10 );
+			if ( next == s || next[0] != '\0' ) {
+				return -1;
+			}
+
+			if ( sk2.sk_interval < 0 ) {
+				return -1;
+			}
+		}
+
+		*sk = sk2;
+
+		ber_memfree( val->bv_val );
+		BER_BVZERO( val );
+	}
+
+	return 0;
+}
+
 static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("uri="), 0, 'x', 1, slap_sb_uri },
 	{ BER_BVC("version="), offsetof(slap_bindconf, sb_version), 'i', 0, versionkey },
@@ -1247,10 +1333,11 @@ static slap_cf_aux_table bindkey[] = {
 	{ BER_BVC("realm="), offsetof(slap_bindconf, sb_realm), 'b', 0, NULL },
 	{ BER_BVC("authcID="), offsetof(slap_bindconf, sb_authcId), 'b', 1, NULL },
 	{ BER_BVC("authzID="), offsetof(slap_bindconf, sb_authzId), 'b', 1, (slap_verbmasks *)authzNormalize },
+	{ BER_BVC("keepalive="), offsetof(slap_bindconf, sb_keepalive), 'x', 0, (slap_verbmasks *)slap_keepalive_parse },
 #ifdef HAVE_TLS
-	/* NOTE: replace "12" with the actual index
+	/* NOTE: replace "13" with the actual index
 	 * of the first TLS-related line */
-#define aux_TLS (bindkey+12)	/* beginning of TLS keywords */
+#define aux_TLS (bindkey+13)	/* beginning of TLS keywords */
 
 	{ BER_BVC("starttls="), offsetof(slap_bindconf, sb_tls), 'i', 0, tlskey },
 	{ BER_BVC("tls_cert="), offsetof(slap_bindconf, sb_tls_cert), 's', 1, NULL },
@@ -1354,6 +1441,20 @@ slap_cf_aux_table_parse( const char *word, void *dst, slap_cf_aux_table *tab0, L
 				rc = lutil_atoulx( ulptr, val, 0 );
 				break;
 
+			case 'x':
+				if ( tab->aux != NULL ) {
+					struct berval value;
+					slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+
+					ber_str2bv( val, 0, 1, &value );
+
+					rc = func( &value, (void *)((char *)dst + tab->off), tab, tabmsg, 0 );
+
+				} else {
+					rc = 1;
+				}
+				break;
+
 			case 'x':
 				if ( tab->aux != NULL ) {
 					struct berval value;
@@ -1485,6 +1586,26 @@ slap_cf_aux_table_unparse( void *src, struct berval *bv, slap_cf_aux_table *tab0
 			}
 			break;
 
+		case 'x':
+			*ptr++ = ' ';
+			ptr = lutil_strcopy( ptr, tab->key.bv_val );
+			if ( tab->quote ) *ptr++ = '"';
+			if ( tab->aux != NULL ) {
+				struct berval value;
+				slap_cf_aux_table_parse_x *func = (slap_cf_aux_table_parse_x *)tab->aux;
+				int rc;
+
+				value.bv_val = ptr;
+				value.bv_len = buf + sizeof( buf ) - ptr;
+
+				rc = func( &value, (void *)((char *)src + tab->off), tab, "(unparse)", 1 );
+				if ( rc == 0 ) {
+					ptr += value.bv_len;
+				}
+			}
+			if ( tab->quote ) *ptr++ = '"';
+			break;
+
 		default:
 			assert( 0 );
 		}
@@ -1799,6 +1920,18 @@ slap_client_connect( LDAP **ldp, slap_bindconf *sb )
 		ldap_set_option( ld, LDAP_OPT_NETWORK_TIMEOUT, &tv );
 	}
 
+	if ( sb->sb_keepalive.sk_idle ) {
+		ldap_set_option( ld, LDAP_OPT_X_KEEPALIVE_IDLE, &sb->sb_keepalive.sk_idle );
+	}
+
+	if ( sb->sb_keepalive.sk_probes ) {
+		ldap_set_option( ld, LDAP_OPT_X_KEEPALIVE_PROBES, &sb->sb_keepalive.sk_probes );
+	}
+
+	if ( sb->sb_keepalive.sk_interval ) {
+		ldap_set_option( ld, LDAP_OPT_X_KEEPALIVE_INTERVAL, &sb->sb_keepalive.sk_interval );
+	}
+
 #ifdef HAVE_TLS
 	if ( sb->sb_tls_do_init ) {
 		rc = bindconf_tls_set( sb, ld );
diff --git a/servers/slapd/slap.h b/servers/slapd/slap.h
index 8e37d089490b789e2d13f853d73b42753ed00dc5..0c02b00d116b877571e8d157ef125434f47082b4 100644
--- a/servers/slapd/slap.h
+++ b/servers/slapd/slap.h
@@ -1592,6 +1592,12 @@ LDAP_SLAPD_V (int) slapMode;
 #define SB_TLS_ON		1
 #define SB_TLS_CRITICAL		2
 
+typedef struct slap_keepalive {
+	int sk_idle;
+	int sk_probes;
+	int sk_interval;
+} slap_keepalive;
+
 typedef struct slap_bindconf {
 	struct berval sb_uri;
 	int sb_version;
@@ -1606,6 +1612,7 @@ typedef struct slap_bindconf {
 	struct berval sb_realm;
 	struct berval sb_authcId;
 	struct berval sb_authzId;
+	slap_keepalive sb_keepalive;
 #ifdef HAVE_TLS
 	void *sb_tls_ctx;
 	char *sb_tls_cert;
@@ -1635,6 +1642,14 @@ typedef struct slap_cf_aux_table {
 	void *aux;
 } slap_cf_aux_table;
 
+typedef int 
+slap_cf_aux_table_parse_x LDAP_P((
+	struct berval *val,
+	void *bc,
+	slap_cf_aux_table *tab0,
+	const char *tabmsg,
+	int unparse ));
+
 typedef int 
 slap_cf_aux_table_parse_x LDAP_P((
 	struct berval *val,