ASA 5520 site-to-site VPN IKEv2 keepalive and DPD

For the past couple of weeks a newly created site-to-site VPN has been behaving inconsistently. Some of the machines could not be pinged through the VPN, while more than half could. I could ping from one direction, yet the ping coming back from the remote end was bad. On one host I ran a continuous ping and it did not succeed until 2 minutes had passed. Another odd part is that normally you can issue “clear crypto isakmp sa” to reset all VPN connections, but with this particular one the only course of action was to reboot one or both of the ASA endpoints. As you can imagine, that is not a pretty fix and would be frowned upon. The only thing special about this config is that I am specifically using IKEv2 on both ends. I mean, why not: they are both 5520s running the same latest firmware, so there should be no conflict or compatibility issue.

After wrestling with the debug for days, and looking at the ciphertext side in Wireshark, I finally narrowed it down to one error, “Need to send a DPD message to peer”, on which there is next to no information on the web. After reading a couple of sources I realized that IKEv2 has a built-in feature to detect neighbor state. DPD and keepalive are products born of the shortcomings of the original IKEv1. I changed my VPN config:

“tunnel-group 1.2.3.4 ipsec-attributes
isakmp keepalive threshold infinite”

“clear crypto isakmp sa” to reset the VPN
“sh crypto isakmp sa detail | in DPD” to check the changes

Some might ask if I tried “isakmp keepalive disable”. Yes, I tried the disable, but the output of “sh crypto isakmp sa detail | in DPD” still shows it on at its default threshold 10 and retry 2, even after a reboot. And even with keepalive disabled I was still getting inconsistent VPN behavior.
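As an added example that is not part of the original post: a small Python audit that parses captured “show crypto isakmp sa detail” output covering several peers, lists which tunnels still have a finite DPD threshold, and emits the tunnel-group change above for each of them. The output format it expects (a tunnel table row followed by a “DPD configured for N seconds, retry M” line) is an assumption modelled on what the post greps for, and the sample output and peer addresses are constructed; adjust the regexes to the actual output of your ASA version.

```python
"""Audit DPD/keepalive state across IKEv2 peers from captured ASA 'show' output.

Added example, not from the original post. The show-output format below is an
ASSUMPTION modelled on the lines the post filters with
'sh crypto isakmp sa detail | in DPD'; adjust the regexes to your platform.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (ASSUMED format). Addresses are from the
# documentation ranges, not real peers.
SAMPLE_SHOW_OUTPUT = """\
IKEv2 SAs:

Session-id:3, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status         Role
  12345   198.51.100.10/500    203.0.113.5/500       READY          INITIATOR
      Life/Active Time: 86400/1200 sec
      DPD configured for 10 seconds, retry 2

Session-id:4, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote                Status         Role
  12346   198.51.100.10/500    192.0.2.77/500        READY          RESPONDER
      Life/Active Time: 86400/300 sec
      DPD configured for infinite seconds, retry 2
"""

# Tunnel table row: id, local, remote, status, role.
TUNNEL_ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\w[\w-]*)\s+(\w+)\s*$")
# DPD summary line (assumed wording); 'infinite' means the threshold is off.
DPD_LINE = re.compile(r"DPD configured for (\S+) seconds, retry (\d+)")


@dataclass
class PeerDpd:
    peer: str                 # remote IP without the /port suffix
    status: str
    threshold: Optional[int]  # None means 'infinite' (DPD effectively off)
    retry: int


def parse_dpd_state(show_output: str) -> List[PeerDpd]:
    """Pair each IKEv2 tunnel row with the DPD line that follows it."""
    peers: List[PeerDpd] = []
    current: Optional[Tuple[str, str]] = None
    for line in show_output.splitlines():
        row = TUNNEL_ROW.match(line)
        if row:
            _local, remote, status, _role = row.groups()
            current = (remote.split("/")[0], status)
            continue
        dpd = DPD_LINE.search(line)
        if dpd and current:
            thr, retry = dpd.groups()
            threshold = None if thr == "infinite" else int(thr)
            peers.append(PeerDpd(current[0], current[1], threshold, int(retry)))
            current = None
    return peers


def peers_still_running_dpd(peers: List[PeerDpd]) -> List[PeerDpd]:
    """Peers on which IKEv1-style DPD is still active (finite threshold)."""
    return [p for p in peers if p.threshold is not None]


def remediation_config(peers: List[PeerDpd]) -> List[str]:
    """Render the tunnel-group change from the post, one block per affected peer."""
    lines: List[str] = []
    for p in peers_still_running_dpd(peers):
        lines.append(f"tunnel-group {p.peer} ipsec-attributes")
        lines.append(" isakmp keepalive threshold infinite")
    return lines


if __name__ == "__main__":
    parsed = parse_dpd_state(SAMPLE_SHOW_OUTPUT)
    for p in parsed:
        state = "infinite (off)" if p.threshold is None else f"{p.threshold}s retry {p.retry}"
        print(f"{p.peer:16} {p.status:10} DPD {state}")
    print("\n".join(remediation_config(parsed)))
```

Paste the real “show crypto isakmp sa detail” output in place of the constructed sample; a peer that still prints a finite threshold after you applied the change and cleared the SA is the one to look at first.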

In summary, “isakmp keepalive threshold infinite” fixed it for me. Cheers.
