dpd has no effect when using iOS anyconnect
Kevin Cernekee
cernekee at gmail.com
Fri Jan 23 06:55:07 PST 2015
On Fri, Jan 23, 2015 at 5:19 AM, David Frank <bitinn at gmail.com> wrote:
> I recently read this fine-print on Cisco’s document for anyconnect:
>
> http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/user/guide/iphone-ugac-ios.html#pgfId-205596
>
>
> Known Issues in Apple iOS Impacting VPN:
>
> - A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
>
>
> So Anyconnect closes UDP session when iOS sleeps (lockscreen), it means dpd is not usable, correct?
There are a few different issues to consider:
1) Can your client reply to gateway-initiated DPD messages? AFAICT,
it can still receive DPD messages over CSTP according to this note.
2) Can your client initiate its own CSTP DPD messages while the iOS
device is sleeping (and are these necessary for ocserv to keep the
connection up)? Not sure on this one. The other thing to consider is
whether the client side can wake up and reconnect if the mostly-idle
CSTP connection drops while sleeping. On Android I had to add a fair
amount of logic to ensure that the client woke up and "phoned home" on
a regular basis to avoid an idle timeout on the VPN session.
3) Is the CSTP connection really staying up while the device is
sleeping? The last time I played with iOS (v5.x on an old 3GS) I
looked at packet traces and saw it terminating the CSTP connection
immediately when it went to sleep. Maybe this behavior changed, or
maybe my experiment was flawed.
More information about the openconnect-devel
mailing list