Thx for clearing that up. Do you have some suggestions on how to monitor disconnect/reconnect on the ocserv side, what log level would be appropriate, what sort of keyword to identify, etc.? I have already tried setting low dpd/keepalive and a longer cookie timeout, but AnyConnect on iOS still disconnects as soon as it sleeps and always fails to auto-reconnect on wake. Problem is their client debug logger often gets stuck and stops recording on iOS, so there could be errors not printed out by the client.

On Sun, Jan 25, 2015 at 5:10 PM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, 2015-01-25 at 15:50 +0800, David Frank wrote:
>> Another bit of fine print from AnyConnect (not the iOS version, but the general FAQ):
>>
>> http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116312-qanda-anyconnect-00.html#anc7
>>
>> Since DPDs are enabled by default, customers might often get disconnected due to flows closing in one direction with Network Address Translation (NAT), Firewall and Proxy devices. Enabling keepalives at low intervals, such as 20 seconds, helps to prevent this.
>>
>> This is weird, because the ocserv doc suggests using a low DPD number to keep the connection alive through NAT, while keepalive is set to a large value.
>
> Ocserv defines a session differently from Cisco's servers. In ocserv the session depends on the TCP (CSTP) part of the connection. The DTLS part can re-establish/reconnect, multiple times, under the same session.
>
> If the TCP session is down for whatever reason, it has 'cookie-timeout' seconds to re-establish itself. After that it ceases to exist, irrespective of the reason it went down (DPD, keepalive or idle timeout).
>
> That is, in short, it wouldn't matter with ocserv whether you use DPD or keepalive to keep the NAT up.
>
> regards,
> Nikos
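The session semantics Nikos describes (the session lives with the TCP/CSTP connection, DTLS may drop and reconnect any number of times under the same session, and a downed CSTP connection has cookie-timeout seconds to come back before the session ceases) can be turned into a small reference model for classifying what a client like the sleeping iOS device is actually doing. This is an added example, not ocserv code; the event names, the session-id field and the sample timeline are constructed assumptions, and the time values are seconds.

```python
"""Constructed model of ocserv's session lifetime, as described in the thread.
Event kinds (assumed, not ocserv's own log vocabulary):
  cstp_connect / cstp_disconnect  -- the TCP (CSTP) leg that defines the session
  dtls_connect / dtls_disconnect  -- the UDP leg, free to come and go under one session
"""
from typing import Dict, List, Optional, Tuple


class Session:
    def __init__(self, sid: str) -> None:
        self.sid = sid
        self.alive = True
        self.cstp_up = True
        self.cstp_down_at: Optional[float] = None   # when the TCP leg last dropped
        self.dtls_connects = 0                       # DTLS (re)establishments seen


class SessionTracker:
    def __init__(self, cookie_timeout: float) -> None:
        self.cookie_timeout = cookie_timeout
        self.sessions: Dict[str, Session] = {}

    def _expire(self, now: float) -> None:
        # A session whose CSTP leg stayed down longer than cookie-timeout is gone,
        # whatever the reason it went down (DPD, keepalive or idle timeout).
        for s in self.sessions.values():
            if s.alive and not s.cstp_up and now - s.cstp_down_at > self.cookie_timeout:
                s.alive = False

    def event(self, now: float, kind: str, sid: str) -> str:
        self._expire(now)
        s = self.sessions.get(sid)
        if kind == "cstp_connect":
            if s is None or not s.alive:          # no live session to resume
                self.sessions[sid] = Session(sid)
                return "new session"
            s.cstp_up, s.cstp_down_at = True, None
            return "session resumed"
        if s is None or not s.alive:
            raise ValueError(f"{kind} for unknown/expired session {sid}")
        if kind == "cstp_disconnect":
            s.cstp_up, s.cstp_down_at = False, now
            return f"cstp down, {self.cookie_timeout:g}s to resume"
        if kind == "dtls_disconnect":
            return "dtls down, session unaffected"
        if kind == "dtls_connect":
            s.dtls_connects += 1
            return "dtls established under same session"
        raise ValueError(kind)


def classify(cookie_timeout: float, timeline: List[Tuple[float, str, str]]) -> List[str]:
    """Run a (time, kind, sid) timeline through the model and return one verdict per event."""
    t = SessionTracker(cookie_timeout)
    return [t.event(now, kind, sid) for now, kind, sid in timeline]
```

Counting how many events fall into "new session" versus "session resumed" tells you whether reconnects are arriving inside or outside cookie-timeout, which is the distinction that matters on the ocserv side.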