Cisco 4400 Series Wireless LAN Controllers

Field Notice: FN - 62622 - 4400 VPN Module (AIR-VPN-4400-K9) Does Not Implement IPsec Dead Peer Detection (DPD, RFC-3706)


April 18, 2007

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.


Products Affected

Product

AIRINFR VPN - AIR-N-VPN-4400-K9=

AIRINFR VPN - AIR-VPN-4400-K9=

Problem Description

The VPN Module does not implement IPsec Dead Peer Detection (DPD, RFC-3706), nor does it send an IKE delete notification upon client 802.11 deauthorization. Thus, VPN Clients will encounter a condition where they cannot pass traffic through the IPsec session, but are unaware that the data path is unavailable.

Support for the 4400 VPN Module (AIR-VPN-4400-K9) has been removed from WLC software effective with release 4.0.

Background

A wireless client uses the Cisco VPN client, with its IPsec session terminating on the 4400 VPN Module.

Problem Symptoms

When a wireless client using the Cisco VPN client for IPsec connectivity to a 4400 VPN module undergoes a network disconnect such as an 802.11 roam or session timeout event, its IPsec traffic will be "black holed" for an indefinite period. No notification of the network disconnect event is presented to the IPsec client.
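The difference DPD makes to the client can be shown by modelling its side of RFC 3706 liveness tracking. This Python code is an added example, not Cisco code; the timer values, the starting sequence number and all class and function names are assumptions (RFC 3706 leaves the timers to the implementation).

```python
from dataclasses import dataclass

R_U_THERE, R_U_THERE_ACK = 36136, 36137  # RFC 3706 Notify message types

@dataclass
class DpdMonitor:
    """Client-side liveness tracking for one IKE peer (timer values are assumptions)."""
    negotiated: bool          # both sides sent the DPD Vendor ID during IKE
    idle_s: float = 10.0      # inbound silence tolerated before probing
    retry_s: float = 2.0      # wait between unanswered probes
    max_probes: int = 3       # unanswered probes before the SAs are torn down
    last_rx: float = 0.0      # time of the last proof of liveness
    seq: int = 1000           # constructed starting sequence number
    pending: int = 0          # probes sent since the last proof of liveness
    next_probe: float = 0.0   # earliest time the next probe may be sent

    def on_inbound(self, now, notify=None, seq=None):
        # An R-U-THERE-ACK only counts if it echoes the outstanding sequence number.
        if notify == R_U_THERE_ACK and seq != self.seq:
            return
        self.last_rx, self.pending = now, 0

    def tick(self, now, have_outbound):
        """Return ('probe', seq), 'dead', or None for this timer tick."""
        if not self.negotiated or not have_outbound:
            return None  # no DPD with this peer, or nothing to send
        if now - self.last_rx < self.idle_s or now < self.next_probe:
            return None
        if self.pending == self.max_probes:
            return "dead"  # delete IKE and IPsec SAs, then reconnect or alert
        self.pending += 1
        self.seq += 1
        self.next_probe = now + self.retry_s
        return ("probe", self.seq)  # send R-U-THERE carrying this sequence number

def seconds_until_detected(negotiated, peer_lost_at=30, horizon=120):
    """Constructed scenario: the peer is reachable until peer_lost_at, then silent."""
    mon = DpdMonitor(negotiated=negotiated)
    for now in range(horizon):
        if now < peer_lost_at:
            mon.on_inbound(now)  # tunnel traffic flowing normally
        if mon.tick(now, have_outbound=True) == "dead":
            return now - peer_lost_at
    return None  # never detected: traffic is black-holed for the whole horizon
```

With DPD negotiated the loss is detected after a bounded delay; with a peer that does not implement DPD, as described in this notice, the function returns None because the client never learns the data path is gone.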

Workaround/Solution

No Workaround

Solution:

Present the AIR-VPN-4400-K9 module to Cisco for a refund or a replacement by a supported IPsec concentrator, such as the CISCO1841-SEC/K9 or ASA 5510.

DDTS

To follow the bug ID link below and see detailed bug information, you must be a registered user and you must be logged in.

DDTS | Description

CSCsg76610 (registered customers only) | VPN module for 440x WLC does not detect dead IKE peers

CSCsd86380 (registered customers only) | no ike delete is sent to client upon a controller client deauth/wlan dis

Revision History

Revision | Date | Comment

1.0 | 18-APR-2007 | Initial Public Release

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.