Dead Peer Detection Issues Urgent Help Needed

Unanswered Question
Dec 11th, 2008

Hi,

We use Cisco ASA5540s for terminating VPNs and use a standard site-to-site VPN configuration for 5 VPNs. However, we have been experiencing a major problem with 1 of the VPNs that terminates on a Nortel GGSN device.

After much debugging it appears to be a Dead Peer Detection issue. The debugging shows the following message twice before disconnecting the VPN:

6|Dec 11 2008|08:09:10|713124|||Group = x.x.x.x, IP = x.x.x.x, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51

7|Dec 11 2008|08:09:10|715075|||Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0x51)

I have read that there is no actual standard for ISAKMP keepalives / DPD and that implementation is vendor specific, so could it be an incompatibility between our Cisco ASA and the Nortel equipment?

The strange thing is, the supplier at the other end usually deploys a managed solution terminating VPNs on a Cisco 2800 or 3600 series IOS router, and they all work fine.

So is it a problem specifically to do with the ASA operating system and Nortel?

Any help would be greatly appreciated.

Jason Gervia Fri, 12/12/2008 - 09:37

Hello,

The log messages indicate that it already received (and in theory, replied to) DPD R_U_THERE numbered 0x51. As such, it's not going to respond to it again, and will drop the packet.

If the other side didn't receive the response, then eventually it will time out the VPN because it will keep transmitting the same DPD sequence number, and the ASA will keep dropping it.

I'd look for packet loss, and potentially a sniffer to make sure that the DPD ACK is indeed leaving the ASA. At that point the issue would be somewhere else.
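
As an added illustration of the behaviour described above (not code from this thread, nor from Cisco or Nortel): a small Python model in which the responder answers each R-U-THERE sequence number once and drops repeats, an initiator that retransmits the same number when its ACK is lost and eventually declares the peer dead, and a parser that flags peers logging repeated 713124 drops. The retry count, the peer address 192.0.2.10 and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

class DpdResponder:
    """Responder-side DPD state for one IKE peer (model: one counter per peer)."""
    def __init__(self):
        self.last_seq = None  # highest R-U-THERE sequence number already answered

    def handle_r_u_there(self, seq):
        """Answer a new sequence number; drop a repeated or older one, as 713124 reports."""
        if self.last_seq is not None and seq <= self.last_seq:
            return ("drop", f"Received DPD sequence number {seq:#x} in R_U_THERE, "
                            f"Next expected sequence number should be greater than {self.last_seq:#x}")
        self.last_seq = seq
        return ("ack", seq)

def simulate(ack_lost, first_seq=0x50, probes=3, retries=3):
    """Drive an initiator against the responder. ack_lost is a constructed set of
    sequence numbers whose R-U-THERE-ACK is lost on the return path. Returns
    (peer_declared_dead, responder_drop_messages)."""
    responder, log, seq = DpdResponder(), [], first_seq
    for _ in range(probes):
        seq += 1
        for _attempt in range(1 + retries):
            verdict, info = responder.handle_r_u_there(seq)
            if verdict == "drop":
                log.append(info)          # every retransmission of seq is discarded
            if verdict == "ack" and seq not in ack_lost:
                break                     # initiator saw the ACK, move on to the next probe
        else:
            return True, log              # retries exhausted: initiator tears the tunnel down
    return False, log

DROP_RE = re.compile(r"\|713124\|.*?IP = (\S+), Received DPD sequence number (0x[0-9a-f]+)")

def peers_with_repeated_drops(syslog_lines, threshold=2):
    """Count 713124 drops per peer IP and return the peers at or above threshold."""
    hits = Counter(m.group(1) for line in syslog_lines if (m := DROP_RE.search(line)))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample in the pipe-delimited ASA format quoted in the question
SAMPLE_LOG = [
    "6|Dec 11 2008|08:09:10|713124|||Group = 192.0.2.10, IP = 192.0.2.10, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51",
    "7|Dec 11 2008|08:09:10|715075|||Group = 192.0.2.10, IP = 192.0.2.10, Received keep-alive of type DPD R-U-THERE (seq number 0x51)",
    "6|Dec 11 2008|08:09:40|713124|||Group = 192.0.2.10, IP = 192.0.2.10, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51",
]

if __name__ == "__main__":
    print(simulate(set()))                        # healthy path: (False, [])
    print(simulate({0x51}))                       # lost ACK: (True, [three drop messages])
    print(peers_with_repeated_drops(SAMPLE_LOG))  # {'192.0.2.10': 2}
```

A peer that shows up in `peers_with_repeated_drops` is a candidate for the sniffer check suggested above: the ASA is seeing the same sequence number again, so either its ACK is not leaving or the far end is not consuming it.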

cbeswick Thu, 12/18/2008 - 02:53

Thanks for your response.

If it was a result of packet loss it would be affecting other site-to-site VPNs that both parties have active without issue.

We got around the problem by turning off DPD.
