dpd has no effect when using iOS anyconnect

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Jan 25 01:10:09 PST 2015


On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
> Another fine-print from AnyConnect (not the iOS version, but the general FAQ):
> 
> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
> 
> Since DPDs are enabled by default, customers might often get
> disconnected due to flows closing in one direction with Network
> Address Translation (NAT), Firewall and Proxy devices. Enabling
> keepalives at low intervals, such as 20 seconds, helps to prevent
> this.
> This is weird, because ocserv doc suggests using low DPD number to
> keep connection alive through NAT. While keepalive is set to a large
> value.

Ocserv defines a session differently than Cisco's servers do. In ocserv the
session depends on the TCP (CSTP) part of the connection. The DTLS part
can re-establish/reconnect, multiple times, under the same session.

If the TCP session is down for whatever reason, it has 'cookie-timeout'
seconds to re-establish itself. After that it ceases to exist,
irrespective of the reason it went down (DPD, keepalive or idle
timeout).

That is, in short, it wouldn't matter with ocserv whether you use DPD
or keepalive to keep the NAT up.

regards,
Nikos
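To make the session rule in the reply concrete, here is an added model (this example's own code, not ocserv's): a session is bound to the TCP/CSTP connection, DTLS may drop and come back under it, and after a TCP drop the client has `cookie-timeout` seconds to return before the session is gone, whatever the reason for the drop. The event names and the timeline format are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed model of the session rule in the reply above (not ocserv's
# code): the session lives on the TCP/CSTP connection, DTLS may drop and
# return any number of times under it, and once TCP is down the client has
# `cookie-timeout` seconds to re-establish it, whatever caused the drop.
# Event names and the timeline format are this example's own assumptions.

@dataclass
class Session:
    cookie_timeout: int                 # seconds, mirrors cookie-timeout
    alive: bool = True
    tcp_up: bool = True
    tcp_down_since: Optional[float] = None
    dtls_reconnects: int = 0
    log: List[str] = field(default_factory=list)

def expire_if_due(s: Session, t: float) -> None:
    """Kill the session once TCP has been down longer than cookie-timeout."""
    if s.alive and not s.tcp_up and t - s.tcp_down_since > s.cookie_timeout:
        s.alive = False
        s.log.append(f"{t}: cookie-timeout elapsed; session is gone")

def replay(cookie_timeout: int, events: List[Tuple[float, str, str]],
           now: float) -> Session:
    """Replay (time, event, reason) tuples up to `now`; event is one of
    dtls_down/dtls_up/tcp_down/tcp_up, reason (dpd, keepalive, idle) is
    logged only and never changes the outcome, as the reply states."""
    s = Session(cookie_timeout)
    for t, ev, reason in sorted(events):
        expire_if_due(s, t)
        if not s.alive:
            s.log.append(f"{t}: {ev} ignored, session already expired")
        elif ev == "dtls_down":
            s.log.append(f"{t}: DTLS down ({reason}); session unaffected")
        elif ev == "dtls_up":
            s.dtls_reconnects += 1
            s.log.append(f"{t}: DTLS re-established under the same session")
        elif ev == "tcp_down" and s.tcp_up:
            s.tcp_up, s.tcp_down_since = False, t
            s.log.append(f"{t}: TCP down ({reason}); {cookie_timeout}s to return")
        elif ev == "tcp_up" and not s.tcp_up:
            s.tcp_up, s.tcp_down_since = True, None
            s.log.append(f"{t}: TCP back within cookie-timeout; session kept")
    expire_if_due(s, now)
    return s
```

Run `replay(300, [(100, "tcp_down", "dpd"), (500, "tcp_up", "")], now=600)` to see a reconnect that arrives after the window: the session is gone even though DPD, not a keepalive, triggered the drop.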
