dpd has no effect when using iOS anyconnect

On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
> Another fine-print from AnyConnect (not the iOS version, but the general FAQ):
> 
> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
> 
> Since DPDs are enabled by default, customers might often get
> disconnected due to flows closing in one direction with Network
> Address Translation (NAT), Firewall and Proxy devices. Enabling
> keepalives at low intervals, such as 20 seconds, helps to prevent
> this.
> This is weird, because the ocserv doc suggests using a low DPD number to
> keep the connection alive through NAT, while keepalive is set to a large
> value.

Ocserv defines a session differently from Cisco's servers. In ocserv the
session depends on the TCP (CSTP) part of the connection. The DTLS part
can re-establish/reconnect, multiple times, under the same session.

If the TCP session is down for whatever reason, it has 'cookie-timeout'
seconds to re-establish itself. After that it ceases to exist,
irrespective of the reason it went down (DPD, keepalive or idle
timeout).

That is, in short, it wouldn't matter with ocserv whether you use DPD
or keepalive to keep the NAT up.

regards,
Nikos
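As an added illustration (not part of this thread and not ocserv's own sample configuration), here is an ocserv.conf fragment that puts the settings Nikos's reply relates next to each other. The option names are the standard ocserv ones; the numeric values are assumptions chosen to show the relationship, not recommendations from the list.

```ini
# Added example ocserv.conf fragment (not from the thread). Values are assumptions.

# DPD interval in seconds for the CSTP/DTLS channels of regular clients.
# A low value refreshes NAT/firewall state and detects a dead peer quickly.
dpd = 90

# DPD interval for mobile clients (e.g. AnyConnect on iOS); kept longer
# so the device is not woken constantly.
mobile-dpd = 1800

# Keepalive interval in seconds. With ocserv either DPD or keepalive keeps
# the NAT mapping alive; which one does it has no bearing on session lifetime.
keepalive = 32400

# Window in seconds during which a client may re-establish the TCP (CSTP)
# session with the same cookie after it drops. This, not DPD or keepalive,
# bounds the session: once it expires the session ceases to exist regardless
# of why the TCP leg went down (DPD, keepalive or idle timeout).
cookie-timeout = 300
```

Reading the fragment the way the reply describes it: DTLS can drop and reconnect as often as NAT or radio conditions require, and the session survives as long as the CSTP side comes back within `cookie-timeout`; tuning `dpd` versus `keepalive` only changes how the NAT state is refreshed.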
