As noted in the previous post, Azure's "dynamic routing" option really refers to the dynamic establishment of the VPN, not to routing itself. This option has a drawback: a VPN tunnel goes down after a period of non-use. It re-establishes automatically when new traffic arrives, but often at the cost of dropping the first packets, because the tunnel takes time to come back up.
The disruption is caused by the expiry of the IPsec Security Association (SA). An SA expires when the first of two lifetimes is reached: a "timed" lifetime and a "traffic-volume" lifetime. On Cisco IOS the defaults are 3,600 seconds (one hour) and 4,608,000 kilobytes (roughly 10 megabits per second sustained for one hour).
Normally, when there is active traffic, a new security association is negotiated before the lifetime threshold of the existing one is reached, so that the new SA is ready for use when the old one expires.

If no traffic has passed through the tunnel during the entire life of the security association, no new SA is negotiated when the lifetime expires. Instead, a new SA is negotiated only when IPsec sees another packet that should be protected.
Therefore, on an Azure "dynamic routing" VPN tunnel carrying sparse traffic, the SA may expire after an hour of silence, and the next packets are dropped while the tunnel is renegotiated, which users notice as a stall or failed first connection.
An obvious way to reduce the problem is to raise the SA lifetimes. In Cisco IOS the IPsec SA lifetimes are set under the IPsec profile (the IKEv2 profile's own lifetime command controls only the IKE SA), for example:

    crypto ipsec profile profile_xxx
     set security-association lifetime kilobytes 4294967295
     set security-association lifetime seconds 86400
Extending the SA lifetime works, but there is a better method: IKEv2's Dead Peer Detection (DPD). DPD is configured under the IKEv2 profile. The following sends a DPD message after 500 seconds without incoming traffic, retrying every 100 seconds if the peer does not answer, which keeps the exchange with the peer alive:

    crypto ikev2 profile profile_xxx
     ...
     dpd 500 100 on-demand

Two caveats: with on-demand, IOS sends DPD only when it has outgoing traffic and has heard nothing from the peer within the interval, so a tunnel that is idle in both directions will still see no DPD; the periodic keyword sends DPD at the interval regardless of traffic. Also check the allowed ranges for both values in your IOS release before copying the numbers above.
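To make the expiry behaviour and the effect of keepalives concrete, here is a small Python model. It is added for this post and is not code from the original, from Azure or from Cisco. It applies the rules described above (timed and traffic-volume lifetimes, a rekey ahead of expiry while traffic flows, and lazy renegotiation, with packet loss, after an idle expiry) to three constructed traffic patterns: steady traffic, short bursts separated by more than an hour of silence, and the same bursts with a keepalive every 500 seconds, modelled as tunnel activity, which is the effect the post attributes to DPD. The 120 s rekey margin, the 90% volume rekey point, the 5 s renegotiation delay and every traffic generator are assumptions made for the illustration.

```python
"""Model of IPsec SA expiry and rekey on a sparse-traffic tunnel (illustration only)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KB = 1024  # the IOS traffic-volume lifetime is counted in kilobytes


@dataclass
class SaPolicy:
    lifetime_seconds: int = 3600          # Cisco IOS default timed lifetime
    lifetime_kilobytes: int = 4_608_000   # Cisco IOS default traffic-volume lifetime
    rekey_ahead_seconds: int = 120        # assumption: rekey window before timed expiry
    rekey_volume_fraction: float = 0.9    # assumption: rekey once 90% of the volume is used
    renegotiation_seconds: int = 5        # assumption: how long a fresh negotiation takes


@dataclass
class Sa:
    established_at: float
    bytes_seen: int = 0


@dataclass
class Result:
    delivered: List[float] = field(default_factory=list)
    dropped: List[float] = field(default_factory=list)
    rekeys: List[Tuple[float, str]] = field(default_factory=list)


def simulate(samples: List[Tuple[float, int]], policy: SaPolicy = SaPolicy()) -> Result:
    """samples: ascending (timestamp_seconds, bytes) pairs offered to the tunnel.
    The SA is assumed to be freshly established at t=0."""
    sa: Optional[Sa] = Sa(established_at=0.0)
    negotiating_until: Optional[float] = None
    res = Result()
    for t, nbytes in samples:
        # A renegotiation triggered by an earlier packet has finished by now.
        if sa is None and negotiating_until is not None and t >= negotiating_until:
            sa = Sa(established_at=negotiating_until)
            negotiating_until = None
        # Timed lifetime reached with no traffic having driven a rekey: the SA is gone.
        if sa is not None and t >= sa.established_at + policy.lifetime_seconds:
            sa = None
        # No SA: this packet is what makes IPsec negotiate, and it is lost meanwhile.
        if sa is None:
            if negotiating_until is None:
                negotiating_until = t + policy.renegotiation_seconds
            res.dropped.append(t)
            continue
        # Active traffic close to either lifetime: negotiate the replacement SA now,
        # before the current one expires, so nothing is lost.
        expires_at = sa.established_at + policy.lifetime_seconds
        if t >= expires_at - policy.rekey_ahead_seconds:
            res.rekeys.append((t, "time"))
            sa = Sa(established_at=t)
        elif sa.bytes_seen >= policy.rekey_volume_fraction * policy.lifetime_kilobytes * KB:
            res.rekeys.append((t, "volume"))
            sa = Sa(established_at=t)
        sa.bytes_seen += nbytes
        res.delivered.append(t)
    return res


# Constructed traffic patterns (not captured data).
def steady(duration_s: int, every_s: int = 10, nbytes: int = 1400) -> List[Tuple[float, int]]:
    """A packet every few seconds for the whole period."""
    return [(float(t), nbytes) for t in range(0, duration_s, every_s)]


def sparse(duration_s: int, gap_s: int = 4000, nbytes: int = 1400) -> List[Tuple[float, int]]:
    """Three packets, then silence longer than the SA lifetime, repeated."""
    out: List[Tuple[float, int]] = []
    for start in range(0, duration_s, gap_s):
        out += [(float(start + i), nbytes) for i in (0, 10, 20)]
    return out


def with_keepalives(samples: List[Tuple[float, int]], every_s: int = 500,
                    nbytes: int = 100) -> List[Tuple[float, int]]:
    """Overlay a periodic keepalive stream on an existing trace."""
    end = int(samples[-1][0])
    ka = [(float(t), nbytes) for t in range(every_s, end + 1, every_s)]
    return sorted(samples + ka)


if __name__ == "__main__":
    for name, trace in [("steady", steady(8000)),
                        ("sparse", sparse(12000)),
                        ("sparse+keepalive", with_keepalives(sparse(12000)))]:
        r = simulate(trace)
        print(f"{name:18s} delivered={len(r.delivered):3d} dropped={r.dropped} rekeys={r.rekeys}")
```

Running it shows the steady trace rekeying on time with no loss, the sparse trace losing the first packet of every burst that follows an idle hour (no rekey ever happens because nothing drove one), and the keepalive trace rekeying on time like the steady one. Feeding large byte counts instead shows the volume lifetime triggering a rekey long before the hour is up.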
Please refer to your vendor's documentation, such as Cisco's IKEv2 configuration guide, for more information on DPD.