dpd has no effect when using iOS anyconnect

David Frank bitinn at gmail.com
Sun Jan 25 03:56:54 PST 2015


Thanks for clearing that up. Do you have some suggestions on how to
monitor disconnects/reconnects on the ocserv side, what log level would be
appropriate, what sort of keywords to look for, etc.?

I have already tried setting a low dpd/keepalive and a longer cookie
timeout, but AnyConnect on iOS still disconnects as soon as it sleeps
and always fails to auto-reconnect on wake.

The problem is that their client debug logger often gets stuck and stops
recording on iOS, so there could be errors not printed out by the
client.

On Sun, Jan 25, 2015 at 5:10 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
>> Another fine print from AnyConnect (not the iOS version, but the general FAQ):
>>
>> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
>>
>> Since DPDs are enabled by default, customers might often get
>> disconnected due to flows closing in one direction with Network
>> Address Translation (NAT), Firewall and Proxy devices. Enabling
>> keepalives at low intervals, such as 20 seconds, helps to prevent
>> this.
>> This is weird, because the ocserv docs suggest using a low DPD number to
>> keep the connection alive through NAT, while keepalive is set to a large
>> value.
>
> Ocserv defines a session differently than Cisco's servers do. In ocserv the
> session depends on the TCP (CSTP) part of the connection. The DTLS part
> can re-establish/reconnect, multiple times, under the same session.
>
> If the TCP session is down for whatever reason, it has 'cookie-timeout'
> seconds to re-establish itself. After that it ceases to exist,
> irrespective of the reason it went down (DPD, keepalive or idle
> timeout).
>
> That is, in short, it wouldn't matter with ocserv whether you use DPD
> or keepalive to keep the NAT up.
>
> regards,
> Nikos
>
>

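The session model Nikos describes above (session bound to the TCP/CSTP channel, DTLS free to flap underneath it, a cookie-timeout window to resume once TCP drops, regardless of why it dropped), written out as a small state machine so the sleeping-iPhone case can be played through. This is an added example for this thread, not ocserv's own code or logging; the cookie names, timestamps, event names and the timeline are constructed, and the assumption that DTLS does not outlive its CSTP channel is marked in the code.

```python
"""Model of the ocserv session lifetime described in the reply above.

Added illustration, not ocserv's own code. It encodes only what the reply
states: a session is bound to the TCP (CSTP) connection; DTLS may drop and
re-establish any number of times under one session; once TCP is down, for
whatever reason (DPD, keepalive or idle timeout), the client has cookie-timeout
seconds to reconnect with its cookie, after which the session ceases to exist.
Timestamps, cookies and the "sleeping device" timeline are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Session:
    cookie: str
    tcp_up: bool = True
    dtls_up: bool = False
    dtls_establishments: int = 0          # how often DTLS came up under this session
    tcp_lost_at: Optional[float] = None   # set while CSTP is down
    tcp_down_reason: Optional[str] = None


class SessionTracker:
    """Sessions keyed by cookie; all times are seconds on one monotonic clock."""

    def __init__(self, cookie_timeout: float) -> None:
        self.cookie_timeout = cookie_timeout
        self.sessions: Dict[str, Session] = {}
        self.events: List[str] = []

    def _log(self, now: float, msg: str) -> None:
        self.events.append(f"t={now:.0f}s {msg}")

    def _expire(self, now: float) -> None:
        """Drop every session whose CSTP channel has been down longer than cookie-timeout."""
        for cookie, s in list(self.sessions.items()):
            if s.tcp_lost_at is not None and now - s.tcp_lost_at > self.cookie_timeout:
                self._log(now, f"session {cookie} expired: TCP down {now - s.tcp_lost_at:.0f}s "
                               f"> cookie-timeout {self.cookie_timeout:.0f}s "
                               f"(went down because of {s.tcp_down_reason})")
                del self.sessions[cookie]

    def cstp_connect(self, now: float, cookie: str) -> str:
        """Client opens a TCP/TLS (CSTP) connection presenting `cookie`.
        Returns "resumed" if an existing session was picked up, else "new"."""
        self._expire(now)
        s = self.sessions.get(cookie)
        if s is None:
            self.sessions[cookie] = Session(cookie)
            self._log(now, f"new session {cookie}")
            return "new"
        s.tcp_up, s.tcp_lost_at, s.tcp_down_reason = True, None, None
        self._log(now, f"session {cookie} resumed over a fresh CSTP connection")
        return "resumed"

    def cstp_down(self, now: float, cookie: str, reason: str) -> None:
        """TCP channel lost; `reason` (dpd/keepalive/idle) is recorded but changes nothing."""
        self._expire(now)
        s = self.sessions[cookie]
        s.tcp_up, s.tcp_lost_at, s.tcp_down_reason = False, now, reason
        s.dtls_up = False   # assumption: DTLS does not outlive its CSTP channel
        self._log(now, f"session {cookie}: CSTP down ({reason}); "
                       f"{self.cookie_timeout:.0f}s to reconnect")

    def dtls_up(self, now: float, cookie: str) -> None:
        self._expire(now)
        s = self.sessions[cookie]
        s.dtls_up = True
        s.dtls_establishments += 1
        self._log(now, f"session {cookie}: DTLS established (#{s.dtls_establishments})")

    def dtls_down(self, now: float, cookie: str) -> None:
        self._expire(now)
        self.sessions[cookie].dtls_up = False
        self._log(now, f"session {cookie}: DTLS lost (session unaffected)")

    def is_alive(self, now: float, cookie: str) -> bool:
        self._expire(now)
        return cookie in self.sessions


def sleeping_client_scenario(cookie_timeout: float, asleep_for: float,
                             tcp_down_reason: str = "dpd") -> SessionTracker:
    """Constructed timeline: DTLS flaps once (e.g. NAT mapping lost), then the
    device sleeps, the CSTP channel is declared dead, and `asleep_for` seconds
    later the client wakes and reconnects with the same cookie."""
    tr = SessionTracker(cookie_timeout)
    tr.cstp_connect(0, "cookie-A")
    tr.dtls_up(1, "cookie-A")
    tr.dtls_down(30, "cookie-A")
    tr.dtls_up(31, "cookie-A")                      # same session, second DTLS channel
    tr.cstp_down(60, "cookie-A", tcp_down_reason)   # device asleep
    tr.cstp_connect(60 + asleep_for, "cookie-A")    # wake-up reconnect
    return tr


if __name__ == "__main__":
    for asleep in (120, 600):
        for ev in sleeping_client_scenario(cookie_timeout=300, asleep_for=asleep).events:
            print(ev)
        print()
```

Running it with cookie-timeout 300 shows a 120-second sleep resuming the same session and a 600-second sleep expiring it and starting over, with the same outcome whether the TCP channel was torn down by DPD, keepalive or idle timeout; that is the property to check when deciding whether a longer cookie-timeout, rather than a different DPD/keepalive split, is what the iOS client needs.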


More information about the openconnect-devel mailing list