HA
Contributor

DPD packets : compatible with Cisco

Hello,

I need to enable DPD between a Fortigate (running 5.x code) and a Cisco ASA. When checking the counters, the sending counter is increasing. The receiving counter is NOT. It means that the Cisco ASA is not replying...

PS: Same problem with VPN to Palo Alto devices. Only the sending counter is increasing.

Are DPD packets compatible between a Fortigate device and a Cisco ASA? Same question with PA.

Regards, HA
emnoc
Esteemed Contributor III

Simple answer is no. Cisco ASA DPD (i.e. isakmp keepalives) is not compatible with fortunate. What do you have configured for the tunnel-group on the Cisco ASA?

PCNSE 

NSE 

StrongSwan  

rwpatterson
Valued Contributor III

ORIGINAL: emnoc .... is not compatible with fortunate.
LOL! Not always so...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc
Esteemed Contributor III

fortinet

Also, most Android & Cisco VPN client stuff I tested for dialup doesn't support DPD either.

name: DialupWarrior_0
version: 1
interface: wan1 3
addr: 193.xxx.xx.xxx:4500 -> 1.2.7.98:4500
created: 15s ago
peer-id: user5
assigned IP address: 192.168.91.1/255.255.255.0
ISAKMP SA: created 1/1 established 1/1 time 30/30/30 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms
id/spi: 145 0e3febbcfde35fe1/6c95a62fff29529a
direction: responder
status: established 15-15s ago = 30ms
proposal: aes-256-sha1
lifetime/rekey: 28800/3314
DPD sent/recv: 00000003/00000000

Even though the appliance shows the VID (vendor ID) and for DPD:

ike 0:DialupWarrior:99: responder: aggressive mode get 1st message...
ike 0:DialupWarrior:99: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:DialupWarrior:99: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:DialupWarrior:99: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8
ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582
ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285
ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE
ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B
ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448
ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:DialupWarrior:99: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:DialupWarrior:99: XAUTHv6 negotiated
ike 0:DialupWarrior:99: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0:DialupWarrior:99: UNITY support enabled
ike 0:DialupWarrior:99: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:DialupWarrior:99: DPD negotiated

PCNSE 

NSE 

StrongSwan  

HA
Contributor

Hello,

DPD is configured on the ASA with the following commands:

TO_LUX(config)# tunnel-group A.B.C.D ipsec-attributes
TO_LUX(config-ipsec)# isakmp keepalive threshold 30 retry 5

Regards, HA
emnoc
Esteemed Contributor III

So if you monitor the DPD counters you will find no exchange between Fortinet and Cisco ASA. Cisco keepalives are not the same as Fortinet's.

PCNSE 

NSE 

StrongSwan  
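
One way to check for the symptom discussed in this thread, as an added example that is not from any of the posters or from Fortinet: it parses gateway status text and IKE debug lines shaped like the output quoted above and reports gateways whose DPD sent counter is non-zero while the receive counter is zero, noting whether the debug log showed DPD as negotiated. The sample input is constructed; the function names, the hexadecimal reading of the counters and the stripping of a trailing `_N` from the gateway name are assumptions.

```python
import re

# Constructed sample input, shaped like the gateway status and IKE debug
# lines quoted in the thread (the SiteB entries are invented for contrast).
SAMPLE_STATUS = """\
name: DialupWarrior_0
status: established 15-15s ago = 30ms
DPD sent/recv: 00000003/00000000

name: SiteB_0
DPD sent/recv: 00000010/00000010
"""
SAMPLE_DEBUG = """\
ike 0:DialupWarrior:99: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:DialupWarrior:99: DPD negotiated
ike 0:SiteB:12: DPD negotiated
"""

def parse_gateways(text):
    """Return one dict per gateway; a 'name:' line starts a new record."""
    gateways, cur = [], None
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "name":
            cur = {"name": val}
            gateways.append(cur)
        elif cur is not None:
            cur[key] = val
    return gateways

def dpd_negotiated(debug_text):
    """Phase-1 names for which the debug log printed 'DPD negotiated'."""
    return set(re.findall(r"^ike \d+:([^:]+):\d+: DPD negotiated", debug_text, re.M))

def silent_dpd_peers(status_text, debug_text):
    """List (gateway, sent, negotiated?) where probes go out but none come back."""
    negotiated, findings = dpd_negotiated(debug_text), []
    for gw in parse_gateways(status_text):
        m = re.fullmatch(r"([0-9a-fA-F]+)/([0-9a-fA-F]+)", gw.get("DPD sent/recv", ""))
        if not m:
            continue
        # Assumption: counters are hexadecimal; the zero test holds either way.
        sent, recv = int(m.group(1), 16), int(m.group(2), 16)
        phase1 = re.sub(r"_\d+$", "", gw["name"])  # assumption: _N marks a dialup instance
        if sent > 0 and recv == 0:
            findings.append((gw["name"], sent, phase1 in negotiated))
    return findings
```

A finding with the last field `True` matches the case in the thread: the DPD vendor ID was exchanged and DPD was reported as negotiated, yet no DPD replies were counted.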
