11-30-2011 07:33 AM
Good Morning,
I have several remote VPN connections via cellular wireless that need a little more stability to compensate for the cellular network drops that we encounter from time to time. One of the apps appears to be sensitive to VPN drops and I have read that this command can help with this issue. Can anyone tell me if there would be any benefit to adding the above command to the ASA?
Thanks,
11-30-2011 07:48 AM
The command allows connection state to be preserved if/when the VPN L2L tunnel flaps, if we do not exceed the timeout.
Reference:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1538395
If your VPN is NOT flapping and it's only packet loss you're experiencing, you should look into TCP settings.
For example, the SACK option could help alleviate random packet drops. In some cases the window scaling option could also help.
Marcin
11-30-2011 08:19 AM
Thanks. We are dealing with tunnel drops due to cellular drops. Do you know what the 'timeout window' addressed below is? Have you seen this option actually make a difference with VPN traffic?
Thanks,
With the persistent IPsec tunneled flows feature enabled, as long as the tunnel is recreated within the timeout window, data continues flowing successfully because the security appliance still has access to the state information in the original flow.
12-01-2011 03:39 AM
Timeout window is defined in a few places.
1) Client/Server side - socket timeout, can be influenced by TCP keepalives.
2) ASA/PIX has "timeout conn" defined as one hour by default (i.e. we will keep the connection state open for one hour in "idle" state).
I have seen this making a difference in some scenarios but not when heavy packet drop is experienced.
It's worth testing.
M.