Saturday, September 19, 2015

Azure VPN - keeping tunnels up

As noted in the previous post, Azure’s “dynamic routing” option really refers to the dynamic establishment of VPN, not routing itself. There is a drawback with this option, a VPN tunnel will go down after a period of non-usage. It re-establishes automatically when new traffic passes through, but often with the consequence of dropping initial traffic (due to time needed to re-establish tunnel).

The disruption is due to the expiry of Security Association. A security association expires after the first of these lifetimes is reached: a "timed" lifetime and a "traffic-volume" lifetime. The default lifetimes are 3600 seconds (one hour) and 4,608,000 kilobytes (10 megabits per second for one hour per second for one hour).

Normally, when there is active traffic, a new security association is negotiated before the lifetime threshold of the existing security association is reached, to ensure that a new security association is ready for use when the old one expires.

If no traffic has passed through the tunnel during the entire life of the security association, a new security association is not negotiated when the lifetime expires. Instead, a new security association will be negotiated only when IPsec sees another packet that should be protected.

Therefore, for Azure “dynamic routing” VPN tunnel with sparse traffic, SA may expire after an hour, causing some traffic drop, which may impact user experience.

An obvious method to correct this issue is to set SA lifetime to higher values. For example, in Cisco IOS:
crypto ikev2 profile profile_xxx
set security-association lifetime kilobytes 4294967295
set security-association lifetime seconds 86400
Extending the SA lifetime works, but there is a better method, which is using IKEv2’s support for Dead Peer Detection (DPD). DPD is also configured under profile, for example, the following wil send DPD keepalive every 5 minute, if there is no incoming traffic, thus keeping tunnels up.
crypto ikev2 profile profile_xxx
 dpd 500 100 on-demand
Please reference your specific vendor documentation such as this Cisco guide for more information on DPD.

No comments:

Post a Comment