DPD packets : compatible with Cisco

HA · ‎06-20-2014

Hello, I need to enable DPD between a Fortigate (running 5.x code) and Cisco ASA. When checking the counters, sending counters is increasing. Receiving counters NOT. It means that the Cisco ASA is not replying... PS: Same problem with VPN to Palo Alto devices. Only sending counters is increasing Are DPD packets compatible between Fortigate device and Cisco ASA ? Same question with PA Regards, HA

emnoc · ‎06-20-2014

Simple answer is no. cisco ASA dpd ( i.e isakmp alines ) is not compatible with fortunate. What do you have configured for the tunnel-group on the cisco ASA?

PCNSE

NSE

StrongSwan

rwpatterson · ‎06-20-2014

ORIGINAL: emnoc .... is not compatible with fortunate.

LOL! Not always so...

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

emnoc · ‎06-20-2014

fortinet

Also most android & cisco vpnclients stuff I tested for dialup don' t support DPD either. name: DialupWarrior_0 version: 1 interface: wan1 3 addr: 193.xxx.xx.xxx:4500 -> 1.2.7.98:4500 created: 15s ago peer-id: user5 assigned IP address: 192.168.91.1/255.255.255.0 ISAKMP SA: created 1/1 established 1/1 time 30/30/30 ms IPsec SA: created 1/1 established 1/1 time 10/10/10 ms id/spi: 145 0e3febbcfde35fe1/6c95a62fff29529a direction: responder status: established 15-15s ago = 30ms proposal: aes-256-sha1 lifetime/rekey: 28800/3314 DPD sent/recv: 00000003/00000000 Even tho the appliances shows the VID ( vendor ID ) and for DPD ike 0:DialupWarrior:99: responder: aggressive mode get 1st message... ike 0:DialupWarrior:99: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000 ike 0:DialupWarrior:99: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:DialupWarrior:99: VID unknown (16): 4DF37928E9FC4FD1B3262170D515C662 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-08 8F8D83826D246B6FC7A8A6A428C11DE8 ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-08 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-07 439B59F8BA676C4C7737AE22EAB8F582 ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-07 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-06 4D1E0E136DEAFA34C4F3EA9F02EC7285 ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-06 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-05 80D0BB3DEF54565EE84645D4C85CE3EE ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-05 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-04 9909B64EED937C6573DE52ACE952FA6B ike 0:DialupWarrior:99: unsupported NAT-T version draft-ietf-ipsec-nat-t-ike-04 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-02 CD60464335DF21F87CFDB2FC68B6A448 ike 0:DialupWarrior:99: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F ike 0:DialupWarrior:99: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:DialupWarrior:99: XAUTHv6 negotiated ike 0:DialupWarrior:99: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0100 ike 0:DialupWarrior:99: UNITY support enabled ike 0:DialupWarrior:99: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:DialupWarrior:99: DPD negotiated

PCNSE

NSE

StrongSwan

HA · ‎06-20-2014

Hello, DPD is configured on ASA with the following command TO_LUX(config)# tunnel-group A.B.C.D ipsec-attributes TO_LUX(config-ipsec)# isakmp keepalive threshold 30 retry 5 Reagrds, HA

emnoc · ‎06-20-2014

So if you monitor the DPD counters you will fine no exchange between fortinet and cisco ASA. Cisco Keepalives are not the same as fortinets

PCNSE

NSE

StrongSwan

DPD packets : compatible with Cisco

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website