SDP Tunnel Keepalive Message Overview


AppGate SDP uses a keepalive message to monitor the tunnel health of the connection between a Client and the Gateway to which it is connected per site. This is accomplished using a ping request and a pong response (i.e., an echo request and echo response) in the virtual private network (VPN) control channel of the tunnel.

When the connection is "idle" (as determined based on the traffic received from the other end of the established tunnel), the AppGate SDP client, or the VPN Daemon (VPND) on a Gateway, sends a VPN control channel message within the initial tunnel connection (i.e., the ping or echo request), and the VPND (or client) at the other end answers with a pong (or echo) response.

The SDP Client normally sends one PING every third second, and if three PINGs have been sent with no response by the time a fourth PING should be sent, the connection is determined to be dead.

The VPND normally sends one PING every thirty seconds, and if three PINGs have been sent with no response by the time a fourth PING should be sent, the connection is determined to be dead.

When a VPN control channel ping request is sent with no reply within the allotted time, the connection is dropped, and a Dead Connection error appears in the client logs.

The SDP Client dynamically increases the timeout if it determines that the VPN/TLS establishment took a long time, indicating a slow connection. If Slow Connection Detected messages are present in the Client logs along with Dead Connection errors, there is likely something interfering with the keepalive messages from the Gateway to the Client.

Use the command below to look for the heartbeat packet. The filter matches 73-byte IP datagrams (20 bytes of IP header, 20 bytes of TCP header and the 33-byte keepalive payload), bare ACKs (40-byte datagrams) and FIN/RST segments; it assumes no IP or TCP options are present, since options change these lengths:

sudo tcpdump -ni eth0 'port 443 and (ip[2:2]=73 or tcp[13] & 5 != 0 or (tcp[13] & 16 != 0 && ip[2:2]=40))'

The example below shows what keepalive packet communication should look like in the tcpdump output.

The internal health check appears initially in this example, because the tunnel connection has been determined to be idle. A normal ping is started at approximately 22:14:52, and each tunneled ping packet is 113 bytes, with replies. Because the Gateway replies with packets, no internal health checks are sent. The ping is then stopped at 22:14:54 and the internal health check begins again after approximately 3 seconds. All keepalive packets should be 33 bytes.

22:14:50.513914 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [P.], seq 328:361, ack 1369, win 65535, length 33
22:14:50.526329 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [.], ack 361, win 10408, length 0
22:14:50.526351 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [P.], seq 1369:1402, ack 361, win 10408, length 33
22:14:50.526536 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [.], ack 1402, win 65534, length 0
22:14:52.004669 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [P.], seq 361:474, ack 1402, win 65535, length 113
22:14:52.064570 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [.], ack 474, win 10408, length 0
22:14:52.066810 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [P.], seq 1402:1515, ack 474, win 10408, length 113
22:14:52.066946 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [.], ack 1515, win 65533, length 0
22:14:53.009932 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [P.], seq 474:587, ack 1515, win 65535, length 113
22:14:53.028465 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [.], ack 587, win 10408, length 0
22:14:53.072669 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [P.], seq 1515:1628, ack 587, win 10408, length 113
22:14:53.072824 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [.], ack 1628, win 65533, length 0
22:14:54.015087 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [P.], seq 587:700, ack 1628, win 65535, length 113
22:14:54.029301 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [.], ack 700, win 10408, length 0
22:14:54.072358 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [P.], seq 1628:1741, ack 700, win 10408, length 113
22:14:54.072522 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [.], ack 1741, win 65533, length 0
22:14:57.736889 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [P.], seq 700:733, ack 1741, win 65535, length 33
22:14:57.748450 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [.], ack 733, win 10408, length 0
22:14:57.748471 IP 212.16.176.172.443 > 192.168.0.102.61711: Flags [P.], seq 1741:1774, ack 733, win 10408, length 33
22:14:57.748684 IP 192.168.0.102.61711 > 212.16.176.172.443: Flags [.], ack 1774, win 65534, length 0
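The following script is an added example (not AppGate code) that applies the rules above to a tcpdump capture: it picks out the 33-byte control-channel messages, treats any 33-byte message from the Gateway as a reply, and reports the time at which the Client would declare the tunnel dead (three unanswered PINGs when the fourth is due). The sample lines and the 10.0.0.x addresses are constructed in the format shown above; the client address is a parameter, and timestamps are assumed not to cross midnight.

```python
import re

# tcpdump line format shown above: "HH:MM:SS.us IP src.sport > dst.dport: Flags [..], ..., length N"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*? length (?P<len>\d+)$")

KEEPALIVE_LEN = 33     # control-channel ping/pong payload size
CLIENT_INTERVAL = 3.0  # the Client sends one PING every third second
MAX_UNANSWERED = 3     # three PINGs outstanding when the fourth is due = dead

def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {"ts": int(h) * 3600 + int(mi) * 60 + float(s), "src": m["src"],
            "dst": m["dst"], "flags": m["flags"], "len": int(m["len"])}

def keepalives(lines, client_ip):
    """Yield (ts, 'ping'|'pong') for 33-byte messages; direction decides which.
    A Gateway-initiated PING is indistinguishable from a pong by direction alone."""
    for line in lines:
        p = parse_line(line)
        if p and p["len"] == KEEPALIVE_LEN:
            yield p["ts"], "ping" if p["src"] == client_ip else "pong"

def dead_connection_time(lines, client_ip, interval=CLIENT_INTERVAL,
                         max_unanswered=MAX_UNANSWERED):
    """Return the time (seconds since midnight) at which the Client would report a
    Dead Connection, or None if every PING run was answered in time."""
    unanswered, last_ping = 0, None
    for ts, kind in keepalives(lines, client_ip):
        # fourth PING is due and the previous three are still unanswered
        if unanswered >= max_unanswered and ts >= last_ping + interval:
            return last_ping + interval
        if kind == "pong":
            unanswered = 0
        else:
            unanswered, last_ping = unanswered + 1, ts
    return last_ping + interval if unanswered >= max_unanswered else None

# Constructed samples. HEALTHY mirrors the idle/ping/idle pattern above; in DEAD the
# Gateway still ACKs at the TCP level but no 33-byte pong ever comes back.
HEALTHY = [
    "22:14:50.513914 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 328:361, ack 1369, win 65535, length 33",
    "22:14:50.526351 IP 10.0.0.1.443 > 10.0.0.2.61711: Flags [P.], seq 1369:1402, ack 361, win 10408, length 33",
    "22:14:52.004669 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 361:474, ack 1402, win 65535, length 113",
    "22:14:52.066810 IP 10.0.0.1.443 > 10.0.0.2.61711: Flags [P.], seq 1402:1515, ack 474, win 10408, length 113",
    "22:14:57.736889 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 700:733, ack 1741, win 65535, length 33",
    "22:14:57.748471 IP 10.0.0.1.443 > 10.0.0.2.61711: Flags [P.], seq 1741:1774, ack 733, win 10408, length 33",
]
DEAD = [
    "22:15:00.000000 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 733:766, ack 1774, win 65535, length 33",
    "22:15:00.012000 IP 10.0.0.1.443 > 10.0.0.2.61711: Flags [.], ack 766, win 10408, length 0",
    "22:15:03.000000 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 766:799, ack 1774, win 65535, length 33",
    "22:15:06.000000 IP 10.0.0.2.61711 > 10.0.0.1.443: Flags [P.], seq 799:832, ack 1774, win 65535, length 33",
]
```

Bare TCP ACKs in the DEAD sample show why a Dead Connection error with an otherwise live TCP session points at something interfering with the keepalive messages rather than with the network path itself.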