ISAKMP keepalive, the iPad and your ISP

Posted on December 7, 2010

Have you already experienced the VPN session timing out after some minutes on your iPad? No matter whether the keepalive threshold has been reached or not, it disconnects after some minutes.
There is an Apple document on what the iPad supports regarding IPsec. Here is the link: manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf (page 68, Certificate section).
I checked the firewall to see what happens in the background, raised the logging to the highest level and waited some minutes.

(config)# logging on
(config)# logging monitor debugging
(config)# terminal monitor

I saw in the logs the following.
3.3.3.3 is the IP of the client, the username is MyTestUser.
66.66.66.66 is the IP of the gateway.
44.44.44.44 is the DHCP server on the inside interface.

My VPN tunnel is up and running at:

Dec 10 2010 15:07:53: %ASA-5-713120: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, PHASE 2 COMPLETED (msgid=ab7cbec6)

Trial 1.

Exactly 5 minutes later, something appears in the logs:

Dec 10 2010 15:12:55: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c31)
Dec 10 2010 15:12:55: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing blank hash payload
Dec 10 2010 15:12:55: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing qm hash payload
Dec 10 2010 15:12:55: %ASA-7-713236: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=2bf0bacc) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84
.
Dec 10 2010 15:12:55: %ASA-6-302015: Built outbound UDP connection 200430 for outside:3.3.3.3/16644 (3.3.3.3/16644) to identity:66.66.66.66/500 (66.66.66.66/500)

Trial 2.

And this is repeated after 2 seconds (3 times altogether):

Dec 10 2010 15:12:57: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c32)
Dec 10 2010 15:12:57: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing blank hash payload
Dec 10 2010 15:12:57: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing qm hash payload
Dec 10 2010 15:12:57: %ASA-7-713236: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=842eb0e2) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Trial 3.

Dec 10 2010 15:12:59: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c33)
Dec 10 2010 15:12:59: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing blank hash payload
Dec 10 2010 15:12:59: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing qm hash payload
Dec 10 2010 15:12:59: %ASA-7-713236: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=91c827cd) with payloads : HDR + HASH (8) + NOTIFY (11) + NONE (0) total length : 84

Nothing comes back -> the VPN session will be deleted:

Dec 10 2010 15:13:01: %ASA-3-713123: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Dec 10 2010 15:13:01: %ASA-7-713906: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, IKE SA MM:37c8affd rcv’d Terminate: state MM_ACTIVE flags 0x0861d042, refcnt 1, tuncnt 1

And the user is disconnected and the VPN deleted:

Dec 10 2010 15:13:01: %ASA-7-720041: (VPN-Primary) Sending Phase 1 Terminate message (type RA, remote addr 3.3.3.3, my cookie 37C8AFFD, his cookie 3F7295D2) to standby unit
Dec 10 2010 15:13:01: %ASA-7-713906: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, sending delete/delete with reason message
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing blank hash payload
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing IPSec delete payload
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing qm hash payload
Dec 10 2010 15:13:01: %ASA-7-713236: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=9f1a0cdc) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 68
.
Dec 10 2010 15:13:01: %ASA-7-720041: (VPN-Primary) Sending Phase2 Terminate message (my cookie 37C8AFFD, his cookie 3F7295D2, old msg id 00000000, msg id AB7CBEC6) to standby unit
Dec 10 2010 15:13:01: %ASA-7-713906: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Active unit receives a delete event for remote peer 3.3.3.3.
Dec 10 2010 15:13:01: %ASA-7-715009: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, IKE Deleting SA: Remote Proxy 44.44.44.44, Local Proxy 0.0.0.0
Dec 10 2010 15:13:01: %ASA-7-713906: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, IKE SA MM:37c8affd terminating: flags 0x0961d002, refcnt 0, tuncnt 0
Dec 10 2010 15:13:01: %ASA-7-713906: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, sending delete/delete with reason message
Dec 10 2010 15:13:01: %ASA-6-602304: IPSEC: An inbound remote access SA (SPI= 0xFC0453A5) between 66.66.66.66 and 3.3.3.3 (user= MyTestUser) has been deleted.
Dec 10 2010 15:13:01: %ASA-6-602304: IPSEC: An outbound remote access SA (SPI= 0x05BDE42F) between 66.66.66.66 and 3.3.3.3 (user= MyTestUser) has been deleted.
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing blank hash payload
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing IKE delete payload
Dec 10 2010 15:13:01: %ASA-7-715046: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, constructing qm hash payload
Dec 10 2010 15:13:01: %ASA-7-713236: IP = 3.3.3.3, IKE_DECODE SENDING Message (msgid=f1ed0e87) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
.
Dec 10 2010 15:13:01: %ASA-7-715077: Pitcher: received key delete msg, spi 0xfc0453a5
Dec 10 2010 15:13:01: %ASA-7-715077: Pitcher: received key delete msg, spi 0xfc0453a5
Dec 10 2010 15:13:01: %ASA-7-715077: Pitcher: received key delete msg, spi 0x5bde42f
.
Dec 10 2010 15:13:01: %ASA-5-713259: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Session is being torn down. Reason: Lost Service
Dec 10 2010 15:13:01: %ASA-7-715040: Deleting active auth handle during SA deletion: handle = 464
Dec 10 2010 15:13:01: %ASA-4-113019: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Session disconnected. Session Type: IPsec, Duration: 0h:05m:11s, Bytes xmt: 0, Bytes rcv: 0, Reason: Lost Service
Dec 10 2010 15:13:01: %ASA-7-713906: Ignoring msg to mark SA with dsID 27009024 dead because SA deleted
Dec 10 2010 15:13:01: %ASA-6-737015: IPAA: Freeing DHCP address 44.44.44.44
Dec 10 2010 15:13:01: %ASA-7-720041: (VPN-Primary) Sending Delete DHCP Lease message (dhcp handle 0xee98347) to standby unit

Dec 10 2010 15:15:01: %ASA-6-302016: Teardown UDP connection 200430 for outside:3.3.3.3/16644 to identity:66.66.66.66/500 duration 0:02:06 bytes 404

There is a problem with DPD and the iPad, as the iPad somehow does not reply... And that may be normal, as a mobile ISP does not allow a device in the mobile network to be accessed from the Internet. This DPD session was initiated from the ASA and it cannot reach the iPad because of the ISP, I guess.
These are the settings that are affected here:
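A small detection script, added here and not part of the original post, that runs the DPD pattern above over ASA syslog lines: for each peer it counts the R-U-THERE probes the ASA sent without an answer and reports whether message 713123 tore the tunnel down and how long after Phase 2 that happened. The sample is trimmed from the log above plus one constructed peer (5.5.5.5) that does answer; the "Received keep-alive ... R-U-THERE-ACK" wording and message id 715075 are assumptions, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: trimmed from the ASA log in the post (3.3.3.3 is dropped by DPD), plus one
# peer 5.5.5.5 that answers; the ACK wording / message id 715075 are assumptions, not from the post.
SAMPLE = """\
Dec 10 2010 15:07:53: %ASA-5-713120: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, PHASE 2 COMPLETED (msgid=ab7cbec6)
Dec 10 2010 15:08:10: %ASA-5-713120: Group = MyRAGroup, Username = Other, IP = 5.5.5.5, PHASE 2 COMPLETED (msgid=11111111)
Dec 10 2010 15:12:55: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c31)
Dec 10 2010 15:12:57: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c32)
Dec 10 2010 15:12:59: %ASA-7-715036: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, Sending keep-alive of type DPD R-U-THERE (seq number 0xd207c33)
Dec 10 2010 15:13:01: %ASA-3-713123: Group = MyRAGroup, Username = MyTestUser, IP = 3.3.3.3, IKE lost contact with remote peer, deleting connection (keepalive type: DPD)
Dec 10 2010 15:13:12: %ASA-7-715036: Group = MyRAGroup, Username = Other, IP = 5.5.5.5, Sending keep-alive of type DPD R-U-THERE (seq number 0x10)
Dec 10 2010 15:13:12: %ASA-7-715075: Group = MyRAGroup, Username = Other, IP = 5.5.5.5, Received keep-alive of type DPD R-U-THERE-ACK (seq number 0x10)
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<id>\d{6}): (?P<body>.*)$")
IP_RE = re.compile(r"\bIP = (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

def dpd_report(log_text):
    """Per peer IP: how many R-U-THERE probes the ASA sent without an answer, whether the ASA
    gave up (713123), and how many seconds after Phase 2 it declared the peer dead."""
    peers = defaultdict(lambda: {"phase2": None, "unanswered": 0, "lost": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ip_m = IP_RE.search(m["body"]) if m else None
        if not ip_m:
            continue                                        # not a per-peer IKE message
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        p, body = peers[ip_m["ip"]], m["body"]
        if m["id"] == "713120" and "PHASE 2 COMPLETED" in body:
            p.update(phase2=ts, unanswered=0, lost=None)   # fresh tunnel, reset counters
        elif m["id"] == "715036" and "R-U-THERE" in body:
            p["unanswered"] += 1                            # probe sent by the ASA
        elif "Received keep-alive" in body and "R-U-THERE-ACK" in body:
            p["unanswered"] = 0                             # peer answered (assumed wording)
        elif m["id"] == "713123":
            p["lost"] = ts                                  # ASA gave up on the peer
    out = {}
    for ip, p in peers.items():
        secs = (p["lost"] - p["phase2"]).total_seconds() if p["lost"] and p["phase2"] else None
        out[ip] = {"unanswered": p["unanswered"], "dpd_killed": p["lost"] is not None,
                   "seconds_after_phase2": secs}
    return out
```

Feed the output of `show logging` (or a syslog export) to `dpd_report` to list which remote-access peers the ASA is dropping for unanswered DPD rather than the client disconnecting itself.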

tunnel-group MyTunnelGroup ipsec-attributes
isakmp keepalive threshold 300 retry 2

A) This is the maximum that we can set (1 hour):

tunnel-group MyTunnelGroup ipsec-attributes
isakmp keepalive threshold 3600 retry 10

B) or deactivate keepalive:

tunnel-group MyTunnelGroup ipsec-attributes
isakmp keepalive disable

C) or specify that the central site (“head end”) should never initiate ISAKMP monitoring:

I would choose this one as a mobile device will never be reachable.

tunnel-group MyTunnelGroup ipsec-attributes
isakmp keepalive threshold infinite
Posted in: ASA, Cisco, Security, VPN