Anyconnect multiple 'reconnects' issue

Jonathan Van Vuren
Cisco Employee

We’re seeing multiple ‘reconnects’ with the AnyConnect 4.2 client, terminating to ASAv 9.6 code.

Below are the questions for Cisco:

  1. If we configure this setting “sysopt conn tcpmss 1460”, will our existing site-to-site VPNs be affected?
  2. Will large UDP traffic be dropped with this setting? If so, what is the alternate option or solution?
  3. Are there any other alternate options for the “AnyConnect Client Reconnects Every Minute Which Causes a Disruption in Traffic Flow” issue other than the information provided in the URL ( http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html )?
  4. How would the OKTA RADIUS server react if we configure remote sec VPN using OKTA with these “DTLS is Blocked Somewhere in the Path” settings?
Accepted Solution

Aditya Ganjoo
Cisco Employee

Hi Jon,

  1. If we configure this setting “sysopt conn tcpmss 1460”, will our existing site-to-site VPNs be affected?

It is a global setting and it would affect the site-to-site VPNs as well.

  2. Will large UDP traffic be dropped with this setting? If so, what is the alternate option or solution?

This setting only affects TCP connections and not UDP.

  3. Are there any other alternate options for the “AnyConnect Client Reconnects Every Minute Which Causes a Disruption in Traffic Flow” issue other than the information provided in the URL ( http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/116881-technote-anyconnect-00.html )?

There are a few options that can be tried in this case:

  1. To eliminate this visible transition DTLS->TLS, you can configure a separate tunnel group for TLS-only access, to be used by users that have trouble establishing the DTLS tunnel (e.g. due to firewall restrictions).

        group-policy <name of the desired group-policy> attributes
         webvpn
          anyconnect ssl dtls none

  2. The second option will be to make the TLS and DTLS MTU values equal, and allow the fragmentation of SSL packets:

        group-policy <name of the desired group-policy> attributes
         webvpn
          anyconnect mtu 1300
          anyconnect ssl df-bit-ignore enable

  4. How would the OKTA RADIUS server react if we configure remote sec VPN using OKTA with these “DTLS is Blocked Somewhere in the Path” settings?

Not sure about the OKTA RADIUS. But if DTLS is blocked in the path, that would only affect AnyConnect connections and not RADIUS requests, as those would go from the ASA to the server.

Regards,

Aditya

Please rate helpful and mark correct answers
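As an added audit example (not code from this thread or from Cisco), the script below parses a constructed ASA running-config excerpt, reports the global tcpmss value the reply says applies to every TCP flow, and labels each group-policy by which of the two reconnect mitigations above it carries, so a defender can see which policies still expose the visible DTLS-to-TLS fallback. The policy names and the config sample are hypothetical.

```python
import re
from typing import Dict, List, Optional

# Constructed ASA running-config excerpt (hypothetical policy names): the first
# policy carries the TLS-only mitigation, the second the equal-MTU one, the third neither.
SAMPLE_CONFIG = """\
sysopt connection tcpmss 1460
group-policy GP-TLS-ONLY attributes
 webvpn
  anyconnect ssl dtls none
group-policy GP-DTLS-FRAG attributes
 webvpn
  anyconnect mtu 1300
  anyconnect ssl df-bit-ignore enable
group-policy GP-DEFAULT attributes
 webvpn
"""

GP_RE = re.compile(r"^group-policy (\S+) attributes\s*$")
# The CLI accepts the abbreviation "conn"; the running-config prints "connection".
TCPMSS_RE = re.compile(r"^sysopt conn(?:ection)? tcpmss (\d+)\s*$", re.MULTILINE)

def tcpmss_setting(config: str) -> Optional[int]:
    """Global tcpmss value if set; it clamps every TCP flow, site-to-site tunnels included."""
    m = TCPMSS_RE.search(config)
    return int(m.group(1)) if m else None

def parse_group_policies(config: str) -> Dict[str, List[str]]:
    """Map each group-policy name to the 'anyconnect ...' lines inside its attributes block."""
    policies: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        m = GP_RE.match(raw)
        if m:
            current = m.group(1)
            policies[current] = []
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the attributes block
        elif current and raw.strip().startswith("anyconnect "):
            policies[current].append(raw.strip())
    return policies

def classify(policies: Dict[str, List[str]]) -> Dict[str, str]:
    """'tls-only', 'equal-mtu-fragment', or 'none' (the DTLS->TLS fallback stays visible)."""
    result: Dict[str, str] = {}
    for name, cmds in policies.items():
        tls_only = "anyconnect ssl dtls none" in cmds
        frag = any(c.startswith("anyconnect mtu ") for c in cmds) and "anyconnect ssl df-bit-ignore enable" in cmds
        result[name] = "tls-only" if tls_only else "equal-mtu-fragment" if frag else "none"
    return result
```

Feed it the output of `show running-config` to list the policies that have neither setting; the UDP caveat from the reply still holds, since tcpmss only touches TCP.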
