dpd has no effect when using iOS anyconnect

Sat Jan 24 23:50:08 PST 2015

Another fine-print from AnyConnect (not the iOS version, but the general FAQ):

http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7

Since DPDs are enabled by default, customers might often get
disconnected due to flows closing in one direction with Network
Address Translation (NAT), Firewall and Proxy devices. Enabling
keepalives at low intervals, such as 20 seconds, helps to prevent
this.

This is weird, because ocserv doc suggests using low DPD number to
keep connection alive through NAT. While keepalive is set to a large
value.

http://www.infradead.org/ocserv/manual.html

Maybe the terms (connection, session, tunnel) are used loosely, but I
hope someone can help to explain.

PS: I should really use the same name for my emails, sorry for any confusion...

On Sun, Jan 25, 2015 at 3:25 PM, BitInn Admin <bitinn at gmail.com> wrote:
> Took me a while to figure out CSTP means SSL/TLS Tunnel (over TCP).
> But thanks to your reply I now have some pointers on how I might be
> able to improve connectivity on wake.
>
>
>
> To answer your questions:
>
> 1. I don't see server-initiated DPD in client-side debug log, only
> client-initiated DPD for detecting MTU, possibly because my ocserv
> mobile DPD setting is the default 1800 (30 minutes), while my test
> only lasts for 20 minutes or so.
>
> 2. Only via iOS background activity[0], I can see some DPD timeout
> after manual lock (sleep), see next answer for details. For the 2nd
> part of your question: as noted in cisco and apple doc, iOS does wake
> from TCP connection, otherwise push notification or facetime call
> won't work[1].
>
> 3. This is the part I am not sure. AnyConnectDataAgent manages both
> SSL and DTLS connections, I don't see it complain about connection
> timeout/drop, except for `Failed to validate the tunnel MTU via DPD
> handshake (DTLS/CDTP)`, and this is the last log entry:
> `CTunnelProtocolDpdMgr::handleExpiredMtuDPD Return Code: -25952247
> (0xFE740009) Description: TUNNELPROTOCOLDPDMGR_ERROR_UNEXPECTED
> DTLS/CDTP`[2].
>
>
> To investigate further:
>
> 1. I will try to lower the mobile DPD settings in ocserv to force DPD to happen.
>
> 2. I might need to collect appropriate server log, but I am not sure
> about what log level is appropriate for this sort of debug.
>
>
>
>
> [0] apple are pretty strict about this sort of background tasks, but
> cisco has special NDA deal with apple to add extra vpn feature to ios,
> so who knows: https://developer.apple.com/library/ios/documentation/iPhone/Conceptual/iPhoneOSProgrammingGuide/BackgroundExecution/BackgroundExecution.html
>
> [1] I do have facetime enabled, but AnyConnect on iOS only have
> background activity options (which must be enabled for this vpn app to
> work), no push notification settings.
>
> [2] The strange part being that, I let my device sleep for 15 minutes
> and that last log appear in the first minute, it would appear
> AnyConnect didn't do anything for the next 14 minutes, albeit with
> background activity enabled.
>
>
>
> On Fri, Jan 23, 2015 at 10:55 PM, Kevin Cernekee <cernekee at gmail.com> wrote:
>> On Fri, Jan 23, 2015 at 5:19 AM, David Frank <bitinn at gmail.com> wrote:
>>> I recently read this fine-print on Cisco’s document for anyconnect:
>>>
>>> http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/user/guide/iphone-ugac-ios.html#pgfId-205596
>>>
>>>
>>> Known Issues in Apple iOS Impacting VPN:
>>>
>>> - A DTLS packet received while the device is asleep does not awaken it. TLS packets, however, awaken the device if notifications or Facetime is enabled. AnyConnect automatically disconnects the DTLS tunnel when the device goes to sleep to allow packets received over the TLS connection to wake the device. The DTLS tunnel is restored when the device resumes.
>>>
>>>
>>> So Anyconnect closes UDP session when iOS sleeps (lockscreen), it means dpd is not usable, correct?
>>
>> There are a few different issues to consider:
>>
>> 1) Can your client reply to gateway-initiated DPD messages?  AFAICT,
>> it can still receive DPD messages over CSTP according to this note.
>>
>> 2) Can your client initiate its own CSTP DPD messages while the iOS
>> device is sleeping (and are these necessary for ocserv to keep the
>> connection up)?  Not sure on this one.  The other thing to consider is
>> whether the client side can wake up and reconnect if the mostly-idle
>> CSTP connection drops while sleeping.  On Android I had to add a fair
>> amount of logic to ensure that the client woke up and "phoned home" on
>> a regular basis to avoid an idle timeout on the VPN session.
>>
>> 3) Is the CSTP connection really staying up while the device is
>> sleeping?  The last time I played with iOS (v5.x on an old 3GS) I
>> looked at packet traces and saw it terminating the CSTP connection
>> immediately when it went to sleep.  Maybe this behavior changed, or
>> maybe my experiment was flawed.