Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2018
Views
0
Helpful
1
Replies

IKEV2 VPN drops due to Dead Peer Detection response failure.

Gordypops1988
Level 1
Level 1

‎04-17-2020 03:42 AM - edited ‎04-17-2020 04:02 AM

Hi, in our network we have a fleet of ASA's  (Cisco virtual ASAv30 appliances) deployed on Amazon Web Services for a IKev2 Remote Access VPN, devices connect to these via a load-balancer that evenly distributes traffic and has a connection persistence of several hours so that you remain on the same ASA.

 

We have 2 environments, Prod and Pre-Prod which share identical topology and configuration settings.

 

Remote devices are MDM managed and have an Always-On VPN profile deployed that connects automatically when the device is turned on.

 

The issue were experiencing is related to Dead Peer Detection, on the mobile devices after 10 minutes of a connection being established it does a DPD check with 5 retires, this is inline with the VPN profile that is deployed to the handset.

 

On the ASA via a packet capture we see the 5 INFORMATION Initiator request packets land but we dont see any Response packets being sent from the ASA back to the handset, as seen here.

image001.jpg

 

 

The tunnel is then pulled down by the the device and then recreated again, potentially back to the same ASA due to the persistence on the load-balancer. This has a detrimental impact on voice and video calls as when this happens the call is dropped.

 

This behavior doesn't affect the Pre-Prod environment it only affects the Production environment and the configurations are identical baring some IP differences between the 2 VPC's.

 

Looking for some guidance on what might be causing the ASA to not respond back to the Request packet from the client with a Response packet.

 

Thanks

Labels:
0 Helpful
1 Reply 1

Sheraz.Salim
VIP
VIP

‎04-19-2020 03:09 AM

need more information why this issue is occurring. could you share the wireshark and the syslogs.

logging enable
logging list VPN message 713049
logging list VPN message 713050
logging list VPN message 113019
logging trap VPN
logging host [interface name] [Syslog’s IP]
please do not forget to rate.
0 Helpful
Customers Also Viewed These Support Documents