Cisco Support Community

New Member

Dead Peer Detection Issues Urgent Help Needed

Hi,

We use Cisco ASA5540's for terminating VPNs and use a standard site to site VPN configuration for 5 VPNs. However we have been experiencing a major problem with 1 of the VPNs that terminates on a Nortel GGSN device.

After much debugging it appears to be a Dead Peer Detection issue. The debugging shows the following message twice before disconnecting the VPN:

6|Dec 11 2008|08:09:10|713124|||Group = x.x.x.x, IP = x.x.x.x, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51

7|Dec 11 2008|08:09:10|715075|||Group = x.x.x.x, IP = x.x.x.x, Received keep-alive of type DPD R-U-THERE (seq number 0x51)

I have read that there is no actual standard for ISAKMP keepalives / DPD and that implementation is vendor specific, so could it be an incompatibility between our Cisco ASA and the Nortel equipment?

The strange thing is, the supplier at the other end usually deploy a managed solution terminating VPNs on a Cisco 2800 or 3600 series IOS router, and they all work fine.

So is it a problem specifically to do with the ASA Operating System and Nortel?

Any help would be greatly appreciated.

2 REPLIES
Cisco Employee

Re: Dead Peer Detection Issues Urgent Help Needed

Hello,

The log messages indicate that it already received (and in theory, replied to) DPD R_U_THERE numbered 0x51. As such, it's not going to respond to it again, and will drop the packet.

If the other side didn't receive the response, then eventually it will time out the VPN because it will keep transmitting the same DPD sequence number, and the ASA will keep dropping it.

I'd look for packet loss, and potentially a sniffer to make sure that the DPD ACK is indeed leaving the ASA. At that point the issue would be somewhere else.
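The pattern described in the reply above (the same DPD sequence number arriving again after the ASA has already seen it) can be picked out of a log export before reaching for a sniffer. This is an added example, not part of the original thread: it assumes the pipe-delimited format quoted in the question, the peer addresses and log lines are constructed, and the default threshold of 2 is an assumption taken from the "twice before disconnecting" observation.

```python
import re

# Constructed sample in the pipe-delimited format quoted in the question.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real peers.
SAMPLE_LOG = """\
7|Dec 11 2008|08:08:50|715075|||Group = 192.0.2.10, IP = 192.0.2.10, Received keep-alive of type DPD R-U-THERE (seq number 0x51)
6|Dec 11 2008|08:09:00|713124|||Group = 192.0.2.10, IP = 192.0.2.10, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51
6|Dec 11 2008|08:09:05|713124|||Group = 198.51.100.7, IP = 198.51.100.7, Received DPD sequence number 0x10 in R_U_THERE, Next expected sequence number should be greater than 0x10
6|Dec 11 2008|08:09:10|713124|||Group = 192.0.2.10, IP = 192.0.2.10, Received DPD sequence number 0x51 in R_U_THERE, Next expected sequence number should be greater than 0x51
not a log record
"""

STALE = re.compile(
    r"IP = (?P<peer>[^,]+), Received DPD sequence number (?P<got>0x[0-9a-fA-F]+) "
    r"in R_U_THERE, Next expected sequence number should be greater than "
    r"(?P<floor>0x[0-9a-fA-F]+)"
)

def parse_line(line):
    """Split one pipe-delimited record into (time, msg_id, text), or None."""
    fields = line.split("|", 6)
    if len(fields) != 7 or not fields[3].isdigit():
        return None
    return fields[2], fields[3], fields[6]

def repeated_stale_dpd(log_text, threshold=2):
    """Return {peer: {seq: [times]}} for R_U_THERE probes rejected >= threshold times."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] != "713124":
            continue  # malformed line, or not the stale-sequence message
        m = STALE.search(rec[2])
        if not m:
            continue
        got, floor = int(m["got"], 16), int(m["floor"], 16)
        if got > floor:
            continue  # sequence number advanced, so this probe is not stale
        hits.setdefault(m["peer"], {}).setdefault(got, []).append(rec[0])
    out = {}
    for peer, seqs in hits.items():
        repeated = {s: t for s, t in seqs.items() if len(t) >= threshold}
        if repeated:
            out[peer] = repeated
    return out

if __name__ == "__main__":
    for peer, seqs in repeated_stale_dpd(SAMPLE_LOG).items():
        for seq, times in seqs.items():
            print(f"{peer}: R_U_THERE seq {seq:#x} rejected at {', '.join(times)}")
```

A peer reported here keeps resending the same probe, which is the point at which a capture on the ASA's outside interface shows whether the acknowledgement is leaving the box.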

New Member

Re: Dead Peer Detection Issues Urgent Help Needed

Thanks for your response.

If it was a result of packet loss it would be affecting other site to site VPNs that both parties have active without issue.

We got around the problem by turning off DPD.
