sysopt connection preserve-vpn-flows question

wpalumbo06 · ‎11-30-2011

Good Morning,

I have several remote VPN connections via cellular wireless that need a little more stability to compensate for the cellular network drops that we encounter from time to time. One of the apps appears to be sensitive to VPN drops and I have read that this command can help with this issue. Can anyone tell me if there would be any benefit to adding the above command to the ASA?

Thanks,

Marcin Latosiewicz · ‎11-30-2011

The command allows connection state to be preserved if/when VPN L2L tunnel flaps, if we do not exceed the timout.

Reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1538395

If you VPN is NOT flapping and it's only packet loss you're experiencing, you should look into TCP settings.

For example, SACK option could help alleviate random packet drops. In some case also windows scaling option could help.

Marcin

wpalumbo06 · ‎11-30-2011

Thanks. We are dealing with tunnel drops due to cellular drops. Do you know what the 'timeout window' addressed below is? Have you seen this option actually make a difference with VPN traffic?

Thanks,

With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data continues flowing successfully because the security appliance still has access to the state information in the original flow.

Marcin Latosiewicz · ‎12-01-2011

Timeout window is defined in a few places.

1) Client/Server side - socket timeout, can be influenced by TCP keepalives.

2) ASA/PIX has "timeout conn" defined as one hour by default (i.e. we will keep the connection state open for one hour in "idle" state

I have seen this making a different in some scenarios but not when heavy packet drop is experiences.

It's worth testing.

M.