1. Tunnels (Sessions)
There are three different tunnels (sessions) on the ASA, each with a specific purpose:
- Clientless or Parent-Tunnel: This is the main session, created during the initial negotiation, that holds the session token the client needs to reconnect after a loss of network connectivity or a hibernation. Depending on how the client connected, the Cisco Adaptive Security Appliance (ASA) lists the session as Clientless (Weblaunch via the portal) or Parent (standalone AnyConnect).
- Secure Sockets Layer (SSL)-Tunnel: The SSL connection (over TCP) is established first, and data is passed over it while the client attempts to establish a DTLS connection (over UDP). Once the DTLS connection is established, the client sends data packets via DTLS instead of via SSL. Control packets always go over the SSL connection.
- DTLS-Tunnel: When the DTLS-Tunnel is fully established, all data moves to it and the SSL-Tunnel carries only occasional control-channel traffic. If User Datagram Protocol (UDP) traffic is lost or blocked on the path, the DTLS-Tunnel is torn down and all data passes through the SSL-Tunnel again until DTLS can be re-established.
The session is considered Inactive (and the Inactivity timer begins to increase) only when the SSL-Tunnel no longer exists in the session. Compare the two sessions in the show vpn-sessiondb output below: the first has only the parent session left and its Inactivity timer is counting up; the second has all three tunnels and its timer stays at zero.
Session Type: AnyConnect

Username     : user1                  Index        : 53
Assigned IP  : 192.168.123.33         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent                    << no SSL-Tunnel or DTLS-Tunnel: this is an inactive session
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none
Hashing      : AnyConnect-Parent: (1)none
Bytes Tx     : 48373                  Bytes Rx     : 35530
Group Policy : ISE_VPN                Tunnel Group : ISE_AAA
Login Time   : 14:55:17 UTC Tue Mar 16 2021
Duration     : 0h:37m:06s
Inactivity   : 0h:29m:58s                           << timer is increasing: this is an inactive session
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac100101000350006050c6d5
Security Grp : none

Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel    << this is an active session
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx     : 56613                  Bytes Rx     : 31387
Group Policy : ISE_VPN                Tunnel Group : ISE_AAA
Login Time   : 15:10:16 UTC Tue Mar 16 2021
Duration     : 0h:22m:07s
Inactivity   : 0h:00m:00s                           << timer is not increasing: this is an active session
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : ac100101000370006050ca58
Security Grp : none
ASA5506#
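To apply that rule in practice, the following Python script (an added example, not code from this page or from Cisco) parses the session table, tells tunnels that still carry data from parent-only sessions whose Inactivity timer is running, and reports how long each stale session has left before the ASA's vpn-idle-timeout (30 minutes by default) removes it. The sample text is constructed from the output above with some columns trimmed; the second session's Username and Index ("user2", 55) are made-up values, since the page shows that session without its header line.

```python
# Classify AnyConnect sessions from ASA "show vpn-sessiondb anyconnect" output.
# Added example, not Cisco code. Rule from the text: a session is active while it
# has an SSL-Tunnel; once only AnyConnect-Parent is left, the Inactivity timer runs.
import re
from dataclasses import dataclass

# Constructed sample modelled on the output on this page (some columns trimmed).
# The page's second session has no Username/Index line; "user2" / 55 are made up.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : user1                  Index        : 53
Assigned IP  : 192.168.123.33         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent
Encryption   : AnyConnect-Parent: (1)none
Hashing      : AnyConnect-Parent: (1)none
Bytes Tx     : 48373                  Bytes Rx     : 35530
Login Time   : 14:55:17 UTC Tue Mar 16 2021
Duration     : 0h:37m:06s
Inactivity   : 0h:29m:58s

Username     : user2                  Index        : 55
Assigned IP  : 192.168.123.34         Public IP    : 192.168.2.19
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
Encryption   : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx     : 56613                  Bytes Rx     : 31387
Login Time   : 15:10:16 UTC Tue Mar 16 2021
Duration     : 0h:22m:07s
Inactivity   : 0h:00m:00s
"""

# One or two "Label : value" pairs per line, separated by runs of two+ spaces.
FIELD_RE = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")
HMS_RE = re.compile(r"(\d+)h:(\d+)m:(\d+)s")
CIPHER_RE = re.compile(r"(\S+): \(\d+\)(\S+)")   # "SSL-Tunnel: (1)AES-GCM-256"
DEFAULT_VPN_IDLE_TIMEOUT_MIN = 30                 # ASA default for vpn-idle-timeout


def hms_to_seconds(text):
    """'0h:29m:58s' -> 1798."""
    m = HMS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unexpected timer format: {text!r}")
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


@dataclass
class Session:
    username: str
    index: int
    protocol: str      # e.g. "AnyConnect-Parent SSL-Tunnel DTLS-Tunnel"
    ciphers: dict      # tunnel name -> cipher, taken from the Encryption line
    inactivity_s: int

    @property
    def has_ssl_tunnel(self):
        return "SSL-Tunnel" in self.protocol.split()

    @property
    def has_dtls_tunnel(self):
        return "DTLS-Tunnel" in self.protocol.split()

    @property
    def state(self):
        if self.has_dtls_tunnel:
            return "active: data over DTLS, control over SSL"
        if self.has_ssl_tunnel:
            return "active: data over SSL (DTLS not established)"
        return "inactive: parent session only, idle timer running"


def _to_session(f):
    return Session(username=f["Username"], index=int(f["Index"]),
                   protocol=f.get("Protocol", ""),
                   ciphers=dict(CIPHER_RE.findall(f.get("Encryption", ""))),
                   inactivity_s=hms_to_seconds(f.get("Inactivity", "0h:00m:00s")))


def parse_sessions(output):
    """Split the output into per-user sessions; each Username line starts one."""
    sessions, current = [], {}
    for line in output.splitlines():
        pairs = dict(FIELD_RE.findall(line))
        if "Username" in pairs and "Username" in current:
            sessions.append(_to_session(current))
            current = {}
        current.update(pairs)
    if "Username" in current:
        sessions.append(_to_session(current))
    return sessions


def seconds_until_idle_timeout(s, idle_timeout_min=DEFAULT_VPN_IDLE_TIMEOUT_MIN):
    """None while an SSL-Tunnel exists (the timer is not running); otherwise the
    seconds left before the ASA drops the parent session for inactivity."""
    if s.has_ssl_tunnel:
        return None
    return max(0, idle_timeout_min * 60 - s.inactivity_s)


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        left = seconds_until_idle_timeout(s)
        tail = "" if left is None else f" ({left}s until idle timeout)"
        print(f"{s.username:<8} idx {s.index:<4} {s.state}{tail}")
```

Feed it the real output (for example `show vpn-sessiondb anyconnect` saved to a file) and pass the group-policy's actual vpn-idle-timeout if it was changed from the default. The per-tunnel ciphers are kept because the DTLS-Tunnel can negotiate a weaker suite than the SSL-Tunnel, as the output above shows (AES256/SHA1 against AES-GCM-256/SHA384).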
DPD is configured with the anyconnect dpd-interval command under the WebVPN attributes in the group-policy settings. By default, DPD is enabled and set to 30 seconds for both the ASA (gateway) and the client. As explained previously, DPD does not kill the AnyConnect session itself; it only tears down the tunnel within that session so that the client can re-establish it. If the client cannot re-establish the tunnel, the session remains until the idle timer expires on the ASA. Because a DPD probe is only sent once the interval has passed with no traffic, an intermediate Network Address Translation (NAT), firewall or proxy device that has already expired the idle flow (state for one direction of the flow often times out first) makes the probe fail, DPD tears the tunnel down, and users see frequent disconnects. Enabling keepalives at a low interval, such as 20 seconds, keeps traffic flowing through those devices and prevents this.
Keepalives are enabled under the WebVPN attributes of a particular group-policy with the anyconnect ssl keepalive command. By default, the keepalive timer is set to 20 seconds.
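As an added example (not configuration taken from this page), here is how those two timers, together with the idle timer that finally removes a parent-only session, sit in the group-policy used by the sessions above. The first stanza shows keepalives switched off, the setting that lets intermediate NAT or firewall state expire between DPD probes; the second is the recommended form. The group-policy name ISE_VPN is the one in the output above; the interval values are the defaults the text cites.

```cisco
! Problem form: DPD on, keepalives off. With no traffic between DPD probes, an
! intermediate NAT/firewall/proxy can drop the idle flow, and the next probe fails.
group-policy ISE_VPN attributes
 webvpn
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl keepalive none

! Recommended form: keepalives every 20 seconds keep the flow alive in both
! directions. vpn-idle-timeout (minutes) is what removes a parent-only session
! whose tunnel never comes back; 30 is the ASA default.
group-policy ISE_VPN attributes
 vpn-idle-timeout 30
 webvpn
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl keepalive 20
```

Check the result with show running-config group-policy ISE_VPN, then watch the Protocol and Inactivity columns in show vpn-sessiondb: after the change, sessions behind NAT should keep their SSL-Tunnel and DTLS-Tunnel instead of dropping back to AnyConnect-Parent with a rising Inactivity timer.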