dpd has no effect when using iOS anyconnect

David Frank bitinn at gmail.com
Sun Jan 25 04:09:29 PST 2015


should mention I am on ocserv 0.9.0.1; hopefully I am not triggering any
edge case of a 0.8.9 fix, i.e.

`When a client's IP is re-used by the same client connecting with the
cookie (e.g., when roaming), call the disconnect script.`

http://git.infradead.org/ocserv.git/blob/HEAD:/NEWS

On Sun, Jan 25, 2015 at 7:56 PM, David Frank <bitinn at gmail.com> wrote:
> Thx for clearing that up, do you have some suggestions on how to
> monitor disconnect/reconnect on the ocserv side, what loglevel would be
> appropriate, what sort of keyword to identify, etc.
>
> I have already tried setting low dpd/keepalive and a longer cookie
> timeout, but AnyConnect on iOS still disconnects as soon as it sleeps
> and always fails to auto-reconnect on wake.
>
> Problem is their client debug logger often gets stuck and stops
> recording on iOS, so there could be errors not printed out by the
> client.
>
> On Sun, Jan 25, 2015 at 5:10 PM, Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
>> On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
>>> Another fine-print from AnyConnect (not the iOS version, but the general FAQ):
>>>
>>> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
>>>
>>> Since DPDs are enabled by default, customers might often get
>>> disconnected due to flows closing in one direction with Network
>>> Address Translation (NAT), Firewall and Proxy devices. Enabling
>>> keepalives at low intervals, such as 20 seconds, helps to prevent
>>> this.
>>> This is weird, because the ocserv doc suggests using a low DPD number to
>>> keep the connection alive through NAT, while keepalive is set to a large
>>> value.
>>
>> Ocserv defines a session differently than Cisco's servers. In ocserv the
>> session depends on the TCP (CSTP) part of the connection. The DTLS part
>> can re-establish/reconnect, multiple times, under the same session.
>>
>> If the TCP session is down for whatever reason, it has 'cookie-timeout'
>> seconds to re-establish itself. After that it ceases to exist,
>> irrespective of the reason it went down (DPD, keepalive or idle
>> timeout).
>>
>> That is, in short, it wouldn't matter with ocserv whether you use DPD
>> or keepalive to keep the NAT up.
>>
>> regards,
>> Nikos
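An ocserv.conf fragment, added here to illustrate how the knobs discussed in this thread relate to the session model Nikos describes. It is not from the thread or from the ocserv project; the key names are ocserv.conf keys, the values are assumptions picked to show the relationship, not a verified fix for the iOS sleep/wake problem.

```ini
# Added illustration (not ocserv's sample config); values are assumptions.

# DPD and keepalive keep the NAT/firewall mapping alive and detect a dead
# peer. Neither one ends the session by itself: the session is tied to the
# TCP (CSTP) leg, and if that leg drops the session survives for
# cookie-timeout seconds no matter why it dropped (DPD, keepalive or idle
# timeout). So, for session lifetime, DPD vs keepalive is not the lever.
dpd = 90
keepalive = 32400

# ocserv applies the mobile-* variants to clients it identifies as mobile
# (such as AnyConnect on iOS), so tuning 'dpd' alone does not reach them.
mobile-dpd = 1800
mobile-idle-timeout = 2400

# How long after the TCP leg goes away the same client may resume the
# session by presenting its cookie (e.g. after the device wakes). The DTLS
# leg can re-establish itself any number of times under one session; only
# the absence of the TCP leg starts this clock.
cookie-timeout = 300
```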
More information about the openconnect-devel mailing list