Ensuring Reliable Dtls Connections Through Third-Party Firewalls; Prompting Remote Users - Cisco PIX 500 Series Configuration Manual


Ensuring Reliable DTLS Connections Through Third-Party Firewalls

When a third-party network firewall is located between the client PC and the security appliance, it inspects each DTLS packet and decides whether to pass the packet along to its destination. If there has been an idle period in the DTLS traffic, the firewall might stop forwarding data to the client or the security appliance.

A customer has observed that the default behavior of a third-party firewall in their network drops the DTLS (UDP) traffic after an idle period of 40 seconds. This occurs when the DTLS keepalive is not configured, or is configured with a value that is greater than the idle timeout interval of the third-party firewall.

By default, the DTLS keepalive is disabled.

When the firewall stops the DTLS traffic, applications such as Microsoft Outlook stop responding while the DTLS tunnel remains active. The length of this period of inactivity is directly related to the interval set for client DTLS DPD. By default, DPD is set to 30 seconds, which should work in most cases.
If the client DTLS DPD interval is too high, failover does not occur quickly enough, and users notice that applications are unresponsive. Once the client DTLS DPD is set correctly, the customer then notices excessive loss and re-establishment of the DTLS channel, which might also be perceived as poor tunnel performance.
To correct this problem, perform the following steps:

Step 1   Enable the client DTLS DPD and configure it to be twice the interval of the firewall idle timer.

For example, set this value to 2 minutes when using the default setting of the third-party firewall (40 seconds). The client DTLS DPD value should be no greater than 10 minutes, to ensure that TLS fallback occurs in a timely manner. Use the svc dpd-interval command from group-policy webvpn or username webvpn configuration mode:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc dpd-interval client 120

Step 2   Enable the client DTLS keepalive and configure it to be at least 10 seconds less than the firewall idle timer interval.

For example, set this value to 30 seconds if using the default configuration (40 seconds) of the third-party firewall. Use the svc keepalive command from group-policy webvpn or username webvpn configuration mode:

hostname(config)# group-policy sales attributes
hostname(config-group-policy)# webvpn
hostname(config-group-webvpn)# svc keepalive 30
Prompting Remote Users

You can enable the security appliance to prompt remote SSL VPN client users to download the client with the svc ask command from group-policy webvpn or username webvpn configuration mode:

[no] svc ask {none | enable [default {webvpn | svc} timeout value]}

svc ask enable prompts the remote user to download the client or go to the WebVPN portal page, and waits indefinitely for a user response.

Cisco Security Appliance Command Line Configuration Guide
38-6
Chapter 38
Configuring AnyConnect VPN Client Connections
OL-12172-03