AnyConnect DTLS TLS 4125 5585

zhaochunhong · ‎01-28-2021

AnyConnect remote to multiple location headend vpn, when different location users reach to multiple DC servers got application errors randomly, especially after application up long time with large search on users pc, hard to capture the error no matter from remote users or DC servers end, only see disconnection log from Splunk. Once change to TLS only, no more issue, but speed slower than DTLS/TLS both. and found FPR 4125 worse than ASA 5585, DPD changed from default 30 seconds into 10 seconds looks not help much. Question: when DTLS tunnel detect fail and automatically transfer to TLS tunnel, can cause this kind of disconnections? Cisco tech with us did a lot of captures, looks never successful. Need brain storm to troubleshoot, please share your idea. Thanks!

Marvin Rhoads · ‎01-28-2021

Are your systems in China? If so, it might be related to inspection-related restrictions/enforcement being applied on the traffic.

zhaochunhong · ‎01-29-2021

in Canada

TJ-20933766 · ‎01-28-2021

The answer to your question of if the transition from DTLS to TLS can cause disconnections, yes it can. According to (https://community.cisco.com/t5/vpn/anyconnect-client-reconnects-after-1-minute/td-p/2217458), you should be able to adjust the MTU value 1300 so if DTLS fails, the renegotiation to TLS is not noticed

group-policy ac_users_group attributes
webvpn
 anyconnect mtu 1300

Have you tried debugging on the ASA to see if any logs appear during the failure?

debug webvpn anyconnect 255

MHM Cisco World · ‎01-28-2021

DTLS is use UDP
TLS is use TCP
this explain the slowness.

since the DTLS is used UDP and since UDP don't have any message to terminate the session, then
ASA use idea timer for UDP to terminate the session,
I think this is issue here
just make UDP idea timer long enough and check your connection.

MHM Cisco World · ‎01-29-2021

....

zhaochunhong · ‎01-31-2021

tried below all, looks didn't help

webvpn
anyconnect ssl dtls enable
anyconnect ssl keepalive 60
anyconnect dpd-interval client 5

anyconnect mtu 1300

MHM Cisco World · ‎01-31-2021

Show vpn session dB

can I see output of this when vpn is disconnect

zhaochunhong · ‎02-01-2021

I have to keep DTLS lower number to reduce the impact.
vcst-d09a-asvp-fw5/pri/act# sh vpn-sessiondb de
---------------------------------------------------------------------------
VPN Session Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concur : Inactive
----------------------------------------------
AnyConnect Client : 1024 : 86956 : 1253 : 2
SSL/TLS/DTLS : 1024 : 86956 : 1253 : 2
Clientless VPN : 0 : 7 : 2
Browser : 0 : 7 : 2
---------------------------------------------------------------------------
Total Active and Inactive : 1026 Total Cumulative : 86963
Device Total VPN Capacity : 20000
Device Load : 5%
---------------------------------------------------------------------------

---------------------------------------------------------------------------
Tunnels Summary
---------------------------------------------------------------------------
Active : Cumulative : Peak Concurrent
----------------------------------------------
Clientless : 0 : 7 : 2
AnyConnect-Parent : 1026 : 86956 : 1253
SSL-Tunnel : 1018 : 415096 : 1243
DTLS-Tunnel : 30 : 26090 : 916
---------------------------------------------------------------------------
Totals : 2074 : 528149
---------------------------------------------------------------------------

MHM Cisco World · ‎02-01-2021

....

MHM Cisco World · ‎02-05-2021

...

TJ-20933766 · ‎01-31-2021

Did you do any debugs and was there any good information in that?

zhaochunhong · ‎02-06-2021

webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1399'
Processing CSTP header line: 'X-CSTP-MTU: 1399'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv6,IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv6,IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Local-Address-IP4: 192.168.0.24'
Processing CSTP header line: 'X-CSTP-Local-Address-IP4: 192.168.0.24'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Base-MTU: 1500'
Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
webvpn_cstp_parse_request_field()

....

Iphdr=20 base-mtu=1500 def-mtu=1500 conf-mtu=1406
tcp-mss = 1460
path-mtu = 1460(mss)
TLS Block size = 16, version = 0x303
mtu = 1460(path-mtu) - 0(opts) - 5(ssl) - 16(iv) = 1439
mod-mtu = 1439(mtu) & 0xfff0(complement) = 1424
tls-mtu = 1424(mod-mtu) - 8(cstp) - 48(mac) - 1(pad) = 1367
computed tls-mtu=1367 dtls-mtu=0 conf-mtu=1406
tls-mtu=1367 dtls-mtu=0
Legacy mode so default dtls mtu to tls mtu

....

from client netsh ipv4 show interface MTU: 1300

MHM Cisco World · ‎02-05-2021

So as I mention before some topic is very interest and it is not about the NAT and other regular issue that can easily solve but like this issue is very interest.

So Friend,
Why DTLS fallback into TLS ?
if you specify other port than 443 then some FW in path can be block these port and hence make any connect fallback to TLS connection.
Note:- need DPD for fallback

Why issue with the MTU?
the any connect build two-tunnel
one tunnel is parent which use to exchange the cipher auth between client and ASA
second TLS Or DTLS "depend"

during the parent tunnel there are two value send to client
1-DTLS MTU
2-TLS MTU

client will use DTLS MTU value
do netsh ipv4 show interface
DTLS MTU value for default large than TLS MTU

ASA use TLS MTU value

NOW
client will use DTLS MTU in TCP MSS and send this value to server behind the ASA

server send packet with value equal to DTLS MTU with "DF bit set"

ASA see this value BUT because it use TLS MTU which is lower than DTLS MTU and DF bit set it cannot frag and the packet drop!!!

even if it not drop this need from the ASA frag each packet from Server go toward client and this so slow.

what we check here is :-
check the MTU client used is it
DTLS MTU or TLS MTU ..

waiting your reply

zhaochunhong · ‎02-06-2021

sh run all sysopt:
no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn

debug webvpn anyconnect 255:

webvpn_cstp_parse_request_field()
...input: 'X-CSTP-MTU: 1399'
Processing CSTP header line: 'X-CSTP-MTU: 1399'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Address-Type: IPv6,IPv4'
Processing CSTP header line: 'X-CSTP-Address-Type: IPv6,IPv4'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Local-Address-IP4: 192.168.0.24'
Processing CSTP header line: 'X-CSTP-Local-Address-IP4: 192.168.0.24'
webvpn_cstp_parse_request_field()
...input: 'X-CSTP-Base-MTU: 1500'
Processing CSTP header line: 'X-CSTP-Base-MTU: 1500'
webvpn_cstp_parse_request_field()

....

tcp-mss = 1460
path-mtu = 1460(mss)
TLS Block size = 16, version = 0x303
mtu = 1460(path-mtu) - 0(opts) - 5(ssl) - 16(iv) = 1439
mod-mtu = 1439(mtu) & 0xfff0(complement) = 1424
tls-mtu = 1424(mod-mtu) - 8(cstp) - 48(mac) - 1(pad) = 1367
DTLS Block size = 16
mtu = 1500(base-mtu) - 20(ip) - 8(udp) - 13(dtlshdr) - 16(dtlsiv) = 1443
mod-mtu = 1443(mtu) & 0xfff0(complement) = 1440
dtls-mtu = 1440(mod-mtu) - 1(cdtp) - 20(mac) - 1(pad) = 1418
computed tls-mtu=1367 dtls-mtu=1418 conf-mtu=1300
overide computed tls-mtu=1367 with conf-mtu=1300
DTLS enabled for intf=3 (outside)
overide computed dtls-mtu=1418 with conf-mtu=1300
tls-mtu=1300 dtls-mtu=1300

....

from client netsh ipv4 show interface MTU: 1300