
CSCvb61056 - 9.6.2 TCP connection doesn't work through L2TP

This is a really bad bug. There is no evidence about the circumstances; the SYN-ACK packet vanishes silently. Usually you test the VPN with PING, which is perfectly working, as it is with DNS (UDP). TCP traffic is entirely timing out. AnyConnect clients are working fine.

I have verified this on 5515, 5512 (9.6(2)), 5506 (9.6(2)3).

The only option for me was finally to downgrade to 9.6(1). 

Accepted Solutions

Palani Mohan
Cisco Employee

This bug is close to getting resolved. Until then, your options are:

  • downgrade to 9.6.1
  • use IKEv2 with native client instead of L2TP

Does this help?

Kind regards ... Palani

Thank you, Palani.

Just one question - will it be resolved in the 9.6(2) train or will there be a 9.6(3)?

Regards,

Chris

Hi Chris

The bug is not yet resolved. So, it is not clear which releases would have the fix. I expect some clarity in early Dec.

Kind regards ... Palani

Again, thank you for your quick answer. I'm just wondering that it takes until December. The initial 9.6(2) is from August. Maybe I underestimate the impact to fix it, because the AnyConnect client in this scenario is perfectly running.

Isn't a large user community using this option? We have changed most of our RAS VPNs to L2TP/PSK when PPTP was discontinued on the ASA platform a couple of years ago. IKEv2 was not supported at that time and still many client systems do not support it "on-board".

I'm not really dealing with VPNs every day - researching this to the extent necessary to consider it a bug took me several hours. I hope you understand, but during this process I simply did not want to accept that Cisco is releasing an interim (3) release after almost 3 months still containing such a fundamental flaw.

Hi Chris

First off, I regret the inconvenience caused.

Please do not view the following as defending the bug. As a customer, I expect better from my vendor. Any bug in sw is an inconvenience for which there is no excuse.

As far as I can tell, this bug was first experienced in early October. Less than 10 customers are impacted so far, that I know of. Regardless, this bug is assigned the highest severity.

Between the time I responded on this thread and today, the bug has been resolved. Within a week or so, we should have clarity on which releases would have the fix and the ETA of the next release.

I hope this helps .... Palani