Post on 02-Oct-2021


Page 1: DPD Solution with Cisco ASA - Hillstone Networks

DPD Solution with Cisco ASA

Part1: Preface

DPD (Dead Peer Detection), defined in RFC 3706, is used to detect whether the IKE peer at the other end of a security tunnel is still alive. When a peer has not received any traffic from the other side for a period of time, it sends a DPD request (R-U-THERE) and waits for the peer's acknowledgement (R-U-THERE-ACK), so that it can tell whether the remote ISAKMP gateway still exists.

IPsec interconnection between Cisco ASA devices and Hillstone devices is common, but DPD negotiation between the two may fail. This document demonstrates some basic DPD tests between Cisco ASA and Hillstone, and provides a possible solution that lets DPD work between Cisco ASA and Hillstone StoneOS. The following tests are based on ASA 9.8 and Hillstone StoneOS 5.5R6P1.

Part2: Cisco ASA DPD Description

The Cisco ASA 9.8 VPN configuration guide is available at:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config.html

On the Cisco ASA the DPD feature is called ISAKMP keepalive; page 96 of the guide above describes it as quoted below. Based on that description, Cisco ISAKMP keepalive is a proprietary feature that is documented as working with three kinds of Cisco peers; non-Cisco devices are not listed as supported.

Page 96: ISAKMP (IKE) keepalive settings. This feature lets the ASA monitor the continued presence of a remote peer and report its own presence to that peer. If the peer becomes unresponsive, the ASA removes the connection. Enabling IKE keepalives prevents hung connections when the IKE peer loses connectivity. There are various forms of IKE keepalives. For this feature to work, both the ASA and its remote peer must support a common form. This feature works with the following peers:
• Cisco AnyConnect VPN Client
• Cisco IOS software
• Cisco Secure PIX Firewall
Non-Cisco VPN clients do not support IKE keepalives.

Part3: Hillstone DPD Mechanism

The following captures show DPD negotiation in main mode and aggressive mode when both peers are Hillstone devices. Hillstone follows the RFC: the DPD capability is announced with a Vendor ID payload in the first and second ISAKMP packets of phase 1, in both main mode and aggressive mode. DPD is only usable on a tunnel when both peers have announced it.

Main mode:
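As an added illustration (not part of the original Hillstone document), the following Python script shows what the captures in this document are being checked for: it walks the IKEv1 payload chain of a phase 1 packet, reports whether the RFC 3706 DPD Vendor ID is present, decides from the first two packets whether DPD was negotiated, and encodes and checks the R-U-THERE / R-U-THERE-ACK notifies that are exchanged once DPD is in use. The sample packets, cookies and the stub SA payload are constructed in the script and do not come from the captures in this document.

```python
"""Added example: parse IKEv1 (ISAKMP) phase 1 packets for the RFC 3706 DPD Vendor ID,
and encode/check the R-U-THERE / R-U-THERE-ACK notifies used once DPD is negotiated.
All packets below are constructed here; none come from the document's captures."""
import struct

ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # i-cookie, r-cookie, next payload, version, exchange, flags, msg id, length
PAYLOAD_HDR = struct.Struct("!BBH")        # next payload, reserved, payload length (header included)
NOTIFY_FIXED = struct.Struct("!IBBH")      # DOI, protocol id, SPI size, notify message type

PAYLOAD_SA, PAYLOAD_VENDOR_ID = 1, 13
EXCH_MAIN, EXCH_AGGRESSIVE = 2, 4

# RFC 3706 section 5.1: 16-octet DPD Vendor ID; the last two octets are major/minor version 1.0
DPD_VID = bytes.fromhex("afcad71368a1f1c96b8696fc77570100")
# RFC 3706 section 3.2: notify message types from the ISAKMP private-use range
R_U_THERE, R_U_THERE_ACK = 36136, 36137


def build_ikev1(i_cookie, r_cookie, exchange, payloads, msg_id=0):
    """Chain (type, body) payloads behind an ISAKMP header and fill in the total length."""
    body = b""
    for idx, (_ptype, pbody) in enumerate(payloads):
        next_type = payloads[idx + 1][0] if idx + 1 < len(payloads) else 0
        body += PAYLOAD_HDR.pack(next_type, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else 0
    hdr = ISAKMP_HDR.pack(i_cookie, r_cookie, first, 0x10, exchange, 0, msg_id,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_ikev1(pkt):
    """Walk the payload chain; reject truncated or inconsistent lengths instead of guessing."""
    if len(pkt) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    i_cookie, r_cookie, nxt, version, exchange, _flags, msg_id, length = ISAKMP_HDR.unpack_from(pkt)
    if version >> 4 != 1 or length != len(pkt):
        raise ValueError("not IKEv1 or total length does not match the datagram")
    payloads, off = [], ISAKMP_HDR.size
    while nxt != 0:
        if off + PAYLOAD_HDR.size > len(pkt):
            raise ValueError("truncated payload header")
        next_type, _reserved, plen = PAYLOAD_HDR.unpack_from(pkt, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(pkt):
            raise ValueError("payload length out of range")
        payloads.append((nxt, pkt[off + PAYLOAD_HDR.size:off + plen]))
        nxt, off = next_type, off + plen
    if off != len(pkt):
        raise ValueError("trailing bytes after the last payload")
    header = {"i_cookie": i_cookie, "r_cookie": r_cookie, "exchange": exchange, "msg_id": msg_id}
    return header, payloads


def advertises_dpd(pkt):
    """True if the packet carries the DPD Vendor ID (match the 14 fixed octets, ignore version)."""
    _, payloads = parse_ikev1(pkt)
    return any(t == PAYLOAD_VENDOR_ID and body[:14] == DPD_VID[:14] for t, body in payloads)


def dpd_negotiated(first_pkt, second_pkt):
    """RFC 3706 section 5: DPD may only be used if both peers advertised it in phase 1."""
    return advertises_dpd(first_pkt) and advertises_dpd(second_pkt)


def build_dpd_notify(i_cookie, r_cookie, ntype, seq):
    """Notify body: DOI 1 (IPsec), protocol 1 (ISAKMP), SPI = both cookies, 4-octet sequence number."""
    return NOTIFY_FIXED.pack(1, 1, 16, ntype) + i_cookie + r_cookie + struct.pack("!I", seq)


def parse_dpd_notify(body):
    """Return (notify type, sequence number), or raise if the body is not a DPD notify."""
    if len(body) != NOTIFY_FIXED.size + 16 + 4:
        raise ValueError("bad DPD notify length")
    doi, proto, spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
    if (doi, proto, spi_size) != (1, 1, 16) or ntype not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not an RFC 3706 DPD notify")
    (seq,) = struct.unpack_from("!I", body, NOTIFY_FIXED.size + 16)
    return ntype, seq


def answer_r_u_there(i_cookie, r_cookie, notify_body):
    """Responder side: echo the received sequence number in an R-U-THERE-ACK."""
    ntype, seq = parse_dpd_notify(notify_body)
    if ntype != R_U_THERE:
        raise ValueError("only R-U-THERE is answered")
    return build_dpd_notify(i_cookie, r_cookie, R_U_THERE_ACK, seq)


def ack_is_valid(expected_seq, ack_body):
    """Sender side: accept only an ACK that echoes the sequence number still outstanding."""
    ntype, seq = parse_dpd_notify(ack_body)
    return ntype == R_U_THERE_ACK and seq == expected_seq


# Constructed sample packets: the cookies are made up and the SA payload is a stub.
IC, RC = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
STUB_SA = b"\x00\x00\x00\x01"
MM1_WITH_DPD = build_ikev1(IC, bytes(8), EXCH_MAIN, [(PAYLOAD_SA, STUB_SA), (PAYLOAD_VENDOR_ID, DPD_VID)])
MM2_NO_DPD = build_ikev1(IC, RC, EXCH_MAIN, [(PAYLOAD_SA, STUB_SA)])
AM1_WITH_DPD = build_ikev1(IC, bytes(8), EXCH_AGGRESSIVE, [(PAYLOAD_SA, STUB_SA), (PAYLOAD_VENDOR_ID, DPD_VID)])
AM2_WITH_DPD = build_ikev1(IC, RC, EXCH_AGGRESSIVE, [(PAYLOAD_SA, STUB_SA), (PAYLOAD_VENDOR_ID, DPD_VID)])

if __name__ == "__main__":
    print("main mode, DPD negotiated:", dpd_negotiated(MM1_WITH_DPD, MM2_NO_DPD))
    print("aggressive mode, DPD negotiated:", dpd_negotiated(AM1_WITH_DPD, AM2_WITH_DPD))
    r_u_there = build_dpd_notify(IC, RC, R_U_THERE, 1)
    print("ACK echoes sequence:", ack_is_valid(1, answer_r_u_there(IC, RC, r_u_there)))
```

The first two packets of phase 1 are the only place where DPD support is visible in the clear: once the ISAKMP SA is established, the informational exchanges that carry R-U-THERE and R-U-THERE-ACK are encrypted, so a capture shows only ISAKMP Informational packets at the DPD interval. The sequence-number echo check in ack_is_valid is what RFC 3706 relies on so that a stale or replayed acknowledgement cannot keep a dead tunnel looking alive.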


Aggressive mode:


Part4: DPD Interconnection between Hillstone and Cisco ASA

Topology:


Cisco Configuration:

tunnel-group 202.100.1.200 general-attributes
 default-group-policy DfltGrpPolicy
tunnel-group 202.100.1.200 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate req
 no chain
 no ikev1 trust-point
 isakmp keepalive threshold 10 retry 2
 no ikev2 remote-authentication
 no ikev2 local-authentication

TEST1: Hillstone initiates ISAKMP negotiation in main mode

The ISAKMP SA on the Hillstone shows that DPD did not interoperate with the Cisco ASA. From the capture we can see that Hillstone carries the DPD Vendor ID in its first packet but never receives a DPD Vendor ID from the Cisco ASA.

SG-6000[DBG]# show isa sa 202.100.1.100
Cookies: 3dc38ac1617a9c2f:cbd3cb6900be8ed0
Status: established
Gateway: 202.100.1.100
Port: 500
Algorithms: pre-share md5/3des
Lifetime: 86389
DPD: disable

Capture file:

dpd-hillstone-start.pcapng


The first packet from Hillstone carries the DPD Vendor ID.

The first reply from the Cisco ASA (and every subsequent packet) carries no DPD Vendor ID.

TEST2: ASA initiates ISAKMP negotiation in main mode

The ISAKMP SA on the Hillstone shows that DPD did not interoperate with the Cisco ASA. From the capture we can see that Hillstone carries the DPD Vendor ID in its first reply but never receives a DPD Vendor ID from the Cisco ASA.

SG-6000[DBG]# show isa sa 202.100.1.100
Cookies: 3dc38ac1617a9c2f:cbd3cb69aabe8ed0
Status: established
Gateway: 202.100.1.100
Port: 500
Algorithms: pre-share md5/3des
Lifetime: 86329
DPD: disable

Capture file:

dpd-asa-start.pcapng

The first packet from the ASA (and every subsequent packet) does not carry the DPD Vendor ID.

The first reply from Hillstone carries the DPD Vendor ID.


TEST3: Hillstone initiates ISAKMP negotiation in aggressive mode

The ISAKMP SA on the Hillstone shows that DPD interoperates with the Cisco ASA. From the capture we can see that Hillstone carries the DPD Vendor ID in its first packet and the Cisco ASA answers with its own DPD Vendor ID.

SG-6000[DBG]# show isa sa 202.100.1.100
Cookies: 3dc38ac1617a9c2f:cbd3cb69aabe8ed0
Status: established
Gateway: 202.100.1.100
Port: 500
Algorithms: pre-share md5/3des
Lifetime: 86211
DPD: enable

Capture file:

agg-start-from-hillstone.pcapng

The first packet from Hillstone carries the DPD Vendor ID.

The first packet from the Cisco ASA carries the DPD Vendor ID.

DPD requests are sent and answered by both peers every 10 seconds, consistent with the keepalive threshold of 10 seconds in the ASA configuration above.


TEST4: ASA initiates ISAKMP negotiation in aggressive mode

The ISAKMP SA on the Hillstone shows that DPD did not interoperate with the Cisco ASA. From the capture we can see that neither the ASA nor the Hillstone carries the DPD Vendor ID.

SG-6000[DBG]# show isa sa 202.100.1.100
Cookies: 3dc38ac1617a9c2f:cbd3cb69aabe8ed0
Status: established
Gateway: 202.100.1.100
Port: 500
Algorithms: pre-share md5/3des
Lifetime: 86625
DPD: disable

Capture file:

agg-start-from-asa.pcapng

The first packet from the ASA does not carry the DPD Vendor ID.

The first packet from Hillstone does not carry the DPD Vendor ID either.

Part5: Conclusion

Based on the information and tests above, even though ASA DPD (ISAKMP keepalive) is a proprietary Cisco feature, DPD works when Hillstone initiates the ISAKMP negotiation in aggressive mode. This is currently one possible solution for interconnecting with Cisco ASA. Note that aggressive mode with a pre-shared key sends the peer identity and the authentication hash derived from the key unencrypted, so a long, random pre-shared key is essential when this workaround is used.