VPN and Firewalls: DPD and SA messages causing loss of sessions.

babylon5 · ‎10-14-2005

If there are firewalls between the user with a Cisco VPN Client and a the central site with a VPN 3000 Concentrator, could some setting the firewall prevent the user from maintaning a session over a long period of time. Is there some mechanism in the session tracking that might prevent Keepalive/DPD messages from properly getting through and therefore cause the session to drop.

This problem can usually be traced to a certain group using VPN from a certain place. In other words, most users are very happy with VPN, but there is a vocal minority that is having chronic issues.

I currently have a ticket open with Cisco regarding session being lost and the only clue is that the DPD messages don't appear to get through or the SA between devices gets hosed.

Anybody else having an issue like this?

babylon5 · ‎10-14-2005

FYI: I have set the Peer Response Timeout to 480 on the clients and the keepalives for 300 on the concentrator.

My reason for disconnects in logs from the client usually look something like this:

681 14:35:39.543 10/13/05 Sev=Info/4 IKE/0x63000057

Received an ISAKMP message for a non-active SA, I_Cookie=3BAEFEECEB6F0DF2 R_Cookie=6FC6F1B021E9E6DF

or

281 10:12:45.616 10/13/05 Sev=Info/4 IKE/0x6300004B

Discarding IKE SA negotiation (I_Cookie=021901D549D6A384 R_Cookie=21D4D60B026D577F) reason = DEL_REASON_PEER_NOT_RESPONDING

282 10:12:45.616 10/13/05 Sev=Info/4 CM/0x63100013

Phase 1 SA deleted cause by DEL_REASON_PEER_NOT_RESPONDING. 0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

===================================================

Thanks.

babylon5 · ‎10-19-2005

Based on the changes made to our firewall ruleset to set the session-timeout of client/concentrator communication to two hours and allow the firewall to see ICMP as interesting traffic, the user problems have gone away.

We feel that we have corrected the user issue.