Site to Site VPN Question

[ajb822]

I have a device that is required to periodically send a 3 byte UDP packet to the a host on the other side of a site-to-site VPN tunnel. What I am finding is that if the tunnel has already been built the UDP packet makes it to the host fine, however, if the tunnel isn't up, the UDP packet initates the tunnel but the packet doesnt reach the host. It seems like the UDP packet initates the building of the tunnel but is being dropped. I'm kinda a newbie, just wondering if this makes sense.

Thanks

Tony Barnette

 

[kbing]

UDP is an unreliable protocol. If the PIX sees the packet as interesting traffic the tunnel will be established. But the sending device doesn't care if the packet is received on the other end...therefor you are probably experiencing this issue.

One way to possible solve this would be to enabled DPD (Dead Peer Detection) on the VPN...so the VPN stay's online all the time. Then when the packet is sent...it can go thru an already live VPN tunnel and potentially reach the destination.

 

[br0ck]

kbing,

do you have any documentation on DPD?

it sounds interesting and i have never seen it

Thanks

 

[Supergrrover]

Here is some more info (it is for IOS, but the ideas are the same.)

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/gtdpmo.htm

Brent
Systems Engineer / Consultant
CCNP, CCSP

 

[ajb822]

Thanks for the info. Validates what we are seeing here.