Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

RAS Call Duration IKE Keepalives

I have been troubleshooting call durations in to our remote access environment.

The environment is as follows Client PC VPN Client SW with modem (analog or BR ISDN) dial in to AS5300 then establish encrypted session through VPN Concentrator 3030.

I have configured dialer idle-timeout to the point where the only traffic that is considered interesting is ESP traffic.

However I am still seeing intermittent traffic (encrypted) that is managing to keep the remote access session up. I have now noticed that VPN concentrator is configured to send IKE keepalives which seems to be the culprit for prolonging calls.

I'm not sure how relevant IKE Keepalives are to this type of usage and what impact disabling them will have on the environment.

Any suggestions/pointers greatly appreciated.

Thanks in advance.


Re: RAS Call Duration IKE Keepalives

I would consider it unwise to allow an established VPN to temporarily disconnect. This would give opportunity to a spoofing attack where an unauthorized attacker takes over the session. I admit, this is not as simple as it looks, but the initial negotiations is where the authentication is done.

The IKE keepalives also serve to check whether it is still the same user that's connected. I suppose that they carry some kind of unique session identifier, like SSL does. A timeout will break te connection.

So there is plenty to say for not allowing an established VPN to be disconnected by DDR.

New Member

Re: RAS Call Duration IKE Keepalives

But essentially I want them to disconnect from VPN if they are doing nothing and in turn their dial up session will drop. The user community is primarily remote mail & siebel whereby users dial in, perform a synchronize operation and then disconnect. Unfortunately a number of users do not disconnect when complete and end up incurring high call costs.

If the VPN session is temorarily disconnected the user would still require to authenticate using their RSA token to re-establish session.