Dead Peer Detection issues in IP VPN gateway

Solution ID: sk40534
Product: IP VPN Appliances
Version: All
Date Created: 23-Dec-2013
Last Modified: 23-Dec-2013
Symptoms
  • When the Dead Peer Detection option is enabled on a Nokia IP VPN gateway, connections from Nokia Mobile VPN Clients are disconnected prematurely once the client is idle and has sent no application traffic for several minutes. The IKE and IPSec SAs are torn down even though most of their lifetime remains: with an IKE lifetime of 8 h and an IPSec lifetime of 1 h, the SAs may already be dropped after roughly 10-15 minutes.

    In some cases the IP VPN gateway prints the following error on the console:

    (IKE)-ERR: oakley_respond_dpd: Out of order their DPD sequence 11d12e6a (expecting 11d12e6b)

    Mobile VPN Client users then have to re-authenticate to re-establish the IKE and IPSec sessions. The premature disconnection also breaks applications on the mobile device that wait for incoming connections (for example a VoIP SIP client), because the gateway side can no longer initiate connections to the client.

Solution

This issue affects Nokia IP VPN gateway versions v6.3-110 and earlier. The Dead Peer Detection (DPD) feature does not interoperate correctly with Nokia Mobile VPN Clients or with 3rd party VPN gateways.

 

When the feature is enabled, each side periodically sends DPD packets to confirm that the other end is still alive. The DPD packets sent by the IP VPN gateway do not, however, fully conform to RFC 3706 (the Dead Peer Detection specification for IKEv1), and the Mobile VPN Client does not accept them. Once the client has been idle for several minutes without application traffic, it tears down the IKE and IPSec SAs because it has not received any valid DPD packets from the gateway.
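To make the failure mode concrete, here is an added example (not code from the Nokia IP VPN gateway or the Mobile VPN Client) that models RFC 3706 DPD as the two sides' exchange: an initiator that sends R-U-THERE with a 32-bit sequence number when the tunnel is idle, and a responder that answers R-U-THERE-ACK echoing that number and, like the gateway console message in the Symptoms section, rejects probes whose sequence number is not the one it expects. The notify type values 36136 and 36137 are the ones RFC 3706 assigns; the message framing (notify type followed by the sequence number), the retry count and the teardown policy are assumptions for illustration. The second scenario mangles the gateway's ACKs so the client never sees a valid one: it retransmits with the same sequence number, the responder logs the "Out of order" error (the logged number is one below the expected one, as in the console message above), and once the retries are exhausted the client drops its SAs.

```python
"""RFC 3706 Dead Peer Detection reduced to its sequence-number logic.
Constructed example, not Nokia IP VPN or Mobile VPN Client code. Framing is
simplified to "notify type + 32-bit sequence number"; retry count and teardown
policy are assumed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Notify message types assigned by RFC 3706.
R_U_THERE = 36136
R_U_THERE_ACK = 36137
NOTIFY_LEN = 6  # 2-byte notify type + 4-byte big-endian sequence number (simplified framing)

def build_dpd_notify(msg_type: int, seq: int) -> bytes:
    """Encode a DPD notify as the notify type followed by the 32-bit sequence number."""
    return struct.pack("!HI", msg_type, seq & 0xFFFFFFFF)

def parse_dpd_notify(packet: bytes) -> Tuple[int, int]:
    """Decode a DPD notify; anything that is not exactly the expected shape is rejected."""
    if len(packet) != NOTIFY_LEN:
        raise ValueError(f"malformed DPD notify: {len(packet)} bytes")
    msg_type, seq = struct.unpack("!HI", packet)
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError(f"not a DPD notify type: {msg_type}")
    return msg_type, seq

@dataclass
class DpdResponder:
    """Gateway side: answers R-U-THERE and insists on strictly sequential numbers."""
    expected_seq: Optional[int] = None   # None until the first probe is seen
    log: List[str] = field(default_factory=list)

    def handle(self, packet: bytes) -> Optional[bytes]:
        msg_type, seq = parse_dpd_notify(packet)
        if msg_type != R_U_THERE:
            return None
        if self.expected_seq is not None and seq != self.expected_seq:
            # Same check as the gateway console message quoted in the Symptoms section.
            self.log.append(
                f"Out of order their DPD sequence {seq:08x} (expecting {self.expected_seq:08x})"
            )
            return None
        self.expected_seq = (seq + 1) & 0xFFFFFFFF
        return build_dpd_notify(R_U_THERE_ACK, seq)  # the ACK echoes the probe's number

@dataclass
class DpdInitiator:
    """Client side: probes an idle peer; an ACK only counts if it echoes our number."""
    seq: int                 # RFC 3706: start from a random value, increment by one per probe
    max_retries: int = 3     # assumed policy: give up after this many unanswered probes
    sa_up: bool = True

    def idle_probe(self, send: Callable[[bytes], Optional[bytes]]) -> bool:
        """One idle period. True if the peer proved liveness; otherwise the SAs are torn down."""
        probe = build_dpd_notify(R_U_THERE, self.seq)
        for _ in range(self.max_retries):
            reply = send(probe)          # retransmissions reuse the same sequence number
            if reply is None:
                continue
            try:
                msg_type, ack_seq = parse_dpd_notify(reply)
            except ValueError:
                continue                 # a malformed ACK is treated as no ACK at all
            if msg_type == R_U_THERE_ACK and ack_seq == self.seq:
                self.seq = (self.seq + 1) & 0xFFFFFFFF
                return True
        self.sa_up = False               # no valid ACK: drop IKE/IPSec SAs, user must re-authenticate
        return False

def run_idle_periods(initiator: DpdInitiator, responder: DpdResponder, periods: int,
                     mangle: Optional[Callable[[bytes], bytes]] = None) -> List[bool]:
    """Drive `periods` idle cycles; `mangle` optionally corrupts the gateway's ACKs in flight."""
    def send(packet: bytes) -> Optional[bytes]:
        reply = responder.handle(packet)
        return mangle(reply) if (mangle is not None and reply is not None) else reply
    return [initiator.idle_probe(send) for _ in range(periods)]

def conforming_gateway() -> Tuple[List[bool], bool, List[str]]:
    """Gateway echoes the sequence number correctly: every idle period passes, SAs stay up."""
    init, resp = DpdInitiator(seq=0x11D12E60), DpdResponder()
    results = run_idle_periods(init, resp, 5)
    return results, init.sa_up, resp.log

def nonconforming_gateway() -> Tuple[List[bool], bool, List[str]]:
    """Gateway ACKs without the sequence number are rejected; the client retransmits, then gives up."""
    init, resp = DpdInitiator(seq=0x11D12E60), DpdResponder()
    results = run_idle_periods(init, resp, 1, mangle=lambda ack: ack[:2])
    return results, init.sa_up, resp.log

if __name__ == "__main__":
    print("conforming:", conforming_gateway())
    print("non-conforming:", nonconforming_gateway())
```

In the non-conforming run the responder's log shows the same shape as the console error on this page: the client keeps retransmitting the probe it never got a valid ACK for, so the gateway sees a number one below what it expects, and after the last retry the client tears down its SAs although the SA lifetimes are nowhere near expiry.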

 

To avoid the problem, disable Dead Peer Detection on the Nokia IP VPN gateway when Nokia Mobile VPN Clients or 3rd party VPN gateways connect to it. The feature is enabled by default. Note that the setting is global: it turns DPD off for every peer of the gateway, and a peer that silently disappears is then only noticed when its SAs expire (up to the full IKE lifetime, 8 h in the example above) or when it reconnects. Dead Peer Detection can be disabled via the VPN Manager as follows:

 


  • Go to VPN Global Properties / Policy menu
  • Disable the option "Enable Dead Peer Detection"
  • Apply the changes to the gateway

Imported from Nokia support database