On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
> Another fine-print from AnyConnect (not the iOS version, but the general FAQ):
>
> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
>
> Since DPDs are enabled by default, customers might often get
> disconnected due to flows closing in one direction with Network
> Address Translation (NAT), Firewall and Proxy devices. Enabling
> keepalives at low intervals, such as 20 seconds, helps to prevent
> this.
>
> This is weird, because the ocserv doc suggests using a low DPD number to
> keep the connection alive through NAT, while keepalive is set to a large
> value.

Ocserv defines a session differently from Cisco's servers. In ocserv the
session depends on the TCP (CSTP) part of the connection. The DTLS part
can re-establish/reconnect, multiple times, under the same session.

If the TCP session is down for whatever reason, it has 'cookie-timeout'
seconds to re-establish itself. After that it ceases to exist,
irrespective of the reason it went down (DPD, keepalive or idle timeout).

That is, in short, it wouldn't matter with ocserv whether you use DPD or
keepalive to keep the NAT up.

regards,
Nikos
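The session rule Nikos describes (the session lives with the TCP/CSTP channel, DTLS may drop and reconnect any number of times, and a lost TCP channel has cookie-timeout seconds to resume) is small enough to model. The following is an added illustration written for this thread, not ocserv's own code: it parses a constructed ocserv.conf fragment (the option names dpd, keepalive and cookie-timeout are real ocserv options; the numbers are sample values) and drives a toy session object through the cases discussed above. The integer-second clock and the "strictly more than cookie-timeout seconds" expiry rule are assumptions of the model.

```python
# Toy model of the ocserv session semantics described in the reply above.
# Illustrative code written for this thread, NOT ocserv's implementation.
# Assumptions: timestamps are integer seconds; a session ends once its TCP
# (CSTP) channel has been down for more than cookie-timeout seconds.

from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed ocserv.conf fragment. The option names are real ocserv options;
# the values are sample numbers for this example, not a recommendation.
SAMPLE_CONF = """\
# dead-peer detection interval in seconds
dpd = 90
# keepalive is deliberately large here, as in the ocserv sample config
keepalive = 32400
# how long a session survives without its TCP (CSTP) channel
cookie-timeout = 300
"""


def parse_conf(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines, ignoring comments and blank lines."""
    opts: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts[key] = int(value)
    return opts


@dataclass
class Session:
    """One session: alive while the TCP/CSTP channel is up or comes back
    within cookie_timeout seconds; DTLS may come and go freely."""
    cookie_timeout: int
    alive: bool = True
    tcp_up: bool = True
    dtls_up: bool = True
    tcp_down_since: Optional[int] = None
    events: List[str] = field(default_factory=list)

    def _expire_if_due(self, now: int) -> None:
        # The reason the TCP channel went down (DPD, keepalive, idle timeout)
        # is irrelevant; only the time since it went down matters.
        if (self.alive and not self.tcp_up
                and now - self.tcp_down_since > self.cookie_timeout):
            self.alive = False
            self.events.append(f"{now}: cookie-timeout exceeded, session gone")

    def dtls_lost(self, now: int, reason: str) -> None:
        """DTLS channel dropped (e.g. DPD fired or a NAT mapping expired)."""
        self.dtls_up = False
        self.events.append(f"{now}: DTLS lost ({reason}), session still alive")

    def dtls_reconnect(self, now: int) -> bool:
        """DTLS re-established under the same session; works while alive."""
        self._expire_if_due(now)
        if not self.alive:
            return False
        self.dtls_up = True
        self.events.append(f"{now}: DTLS reconnected")
        return True

    def tcp_lost(self, now: int, reason: str) -> None:
        """TCP/CSTP channel dropped; the cookie-timeout clock starts."""
        self.tcp_up = False
        self.tcp_down_since = now
        self.events.append(f"{now}: TCP lost ({reason}), {self.cookie_timeout}s to resume")

    def tcp_reconnect(self, now: int) -> bool:
        """Client presents its cookie again; succeeds only within cookie-timeout."""
        self._expire_if_due(now)
        if not self.alive:
            return False
        self.tcp_up = True
        self.tcp_down_since = None
        self.events.append(f"{now}: TCP resumed, session continues")
        return True


def dtls_flapping_keeps_session(conf: Optional[Dict[str, int]] = None) -> bool:
    """DTLS dropping repeatedly (DPD) and coming back never ends the session."""
    opts = conf or parse_conf(SAMPLE_CONF)
    s = Session(opts["cookie-timeout"])
    for t in (100, 1000, 5000):
        s.dtls_lost(t, "dpd")
        if not s.dtls_reconnect(t + opts["dpd"]):
            return False
    return s.alive


def tcp_resume_within_timeout(down_for: int) -> bool:
    """TCP drop followed by a resume attempt `down_for` seconds later."""
    opts = parse_conf(SAMPLE_CONF)
    s = Session(opts["cookie-timeout"])
    s.tcp_lost(200, "idle-timeout")
    return s.tcp_reconnect(200 + down_for)


if __name__ == "__main__":
    print(dtls_flapping_keeps_session())   # True: DTLS churn is harmless
    print(tcp_resume_within_timeout(250))  # True: back within 300 s
    print(tcp_resume_within_timeout(400))  # False: cookie-timeout exceeded
```

The point the model makes visible is that tuning dpd or keepalive only decides which side notices a dead channel first; neither option moves the cookie-timeout boundary, which is the only thing that decides whether the session survives a TCP drop.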