IKE keepalive - DPD

-

IKEv1


Dead Peer Detection (DPD) is a method that allows detection of unreachable Internet Key Exchange (IKE) peers.
RFC describes DPD negotiation procedure and two new ISAKMP NOTIFY messages. Specifically, DPD is negotiated via an exchange of the DPD ISAKMP Vendor ID payload, which is sent in the ISAKMP MM messages 3 and 4 or ISAKMP AM messages 1 and 2. DPD Requests are sent as ISAKMP R-U-THERE messages and DPD Responses are sent as ISAKMP R-U-THERE-ACK messages.

ASA support "semi-periodic" DPD only. I.e. they send R-U-THERE message to a peer if the peer was idle for  seconds. ASA may have nothing to send to the peer, but DPD is still sent if the peer is idle. If the VPN session is comletely idle the R-U-THERE messages are sent every  seconds. If there is a traffic coming from the peer the R-U-THERE messages are not sent.
If the peer doesn't respond with the R-U-THERE-ACK the ASA starts retransmitting R-U-THERE messages every seconds with a maximum of three retransmissions. After that the peer is declared dead.

Config:
Default is enabled
ASAv1# sh run all tunnel-group 203.0.113.2
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate req
 no chain
 no ikev1 trust-point
 isakmp keepalive threshold 10 retry 2
 no ikev2 remote-authentication
 no ikev2 local-authentication


Debug:
Jan 28 19:52:20 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Received keep-alive of type DPD R-U-THERE (seq number 0x2227aa60)
Jan 28 19:52:20 [IKEv1 DEBUG]Group = 203.0.113.1, IP = 203.0.113.1, Sending keep-alive of type DPD R-U-THERE-ACK (seq number 0x2227aa60)

















IKEv2

On Cisco VPN router, DPD is configured globally or in IKEv2 Profile

global default: 
crypto ikev2 dpd 0 0 periodic

in IKEv2 Profile
crypto ikev2 profile IKEV2-PROFILE
 match identity remote address 203.0.113.3 255.255.255.255
  authentication remote pre-share
 authentication local pre-share
 keyring local MYKEYS
 dpd 10 3 periodic


R3#sh crypto ikev2 sa detail
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/4500      203.0.113.3/4500      none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/79 sec
      CE id: 1017, Session-id: 58
      Status Description: Negotiation done
      Local spi: FA78392E99D34D5E       Remote spi: D2BFFC45C7C0099E
      Local id: 203.0.113.1
      Remote id: 192.168.1.10
      Local req msg id:  9              Remote req msg id:  0
      Local next msg id: 9              Remote next msg id: 0
      Local req queued:  9              Remote req queued:  0
      Local window:      5              Remote window:      5
      DPD configured for 10 seconds, retry 3
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected  outside
      Cisco Trust Security SGT is disabled
      Initiator of SA : Yes

 IPv6 Crypto IKEv2  SA

In this test (one VPN router behind NAT device ), it is sending in UDP/4500

Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more