cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5530
Views
10
Helpful
25
Replies

AnyConnect DTLS TLS 4125 5585

zhaochunhong
Level 1
Level 1

AnyConnect remote to multiple location headend vpn, when different location users reach to multiple DC servers got application errors randomly, especially after application up long time with large search on users pc, hard to capture the error no matter from remote users or DC servers end, only see disconnection log from Splunk. Once change to TLS only, no more issue, but speed slower than DTLS/TLS both. and found FPR 4125 worse than ASA 5585,  DPD changed from default 30 seconds into 10 seconds looks not help much. Question:  when DTLS tunnel detect fail and automatically transfer to TLS tunnel, can cause this kind of disconnections?  Cisco tech with us did a lot of captures, looks never successful.  Need brain storm to troubleshoot, please share your idea. Thanks!

25 Replies 25

also , if TLS only got drops on TLS, if use TLS/DTLS drop always 0, ( our old vpn ASA5585 no drop on TLS at all with same config, but 4125 with portchannel have), not sure PO may cause this problem? 

 

sh vpn-sessiondb det anyconnect | i Drop

sh vpn-sessiondb det anyconnect | i Drop
Pkts Tx Drop : 21152 Pkts Rx Drop : 0 (TLS only) 
      Pkts Tx Drop : 0 Pkts Rx Drop : 0
      Pkts Tx Drop : 21152 Pkts Rx Drop : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0   (DTLS/TLS both )
      Pkts Tx Drop : 0 Pkts Rx Drop : 0
      Pkts Tx Drop : 0 Pkts Rx Drop : 0
      Pkts Tx Drop : 0 Pkts Rx Drop :

  Pkts Tx Drop : 11480 Pkts Rx Drop : 0 (TLS only) 
      Pkts Tx Drop : 0 Pkts Rx Drop : 0
      Pkts Tx Drop : 11480 Pkts Rx Drop : 0
Pkts Tx Drop : 18816 Pkts Rx Drop : 0 (TLS only) 
      Pkts Tx Drop : 0 Pkts Rx Drop : 0
       Pkts Tx Drop : 18816 Pkts Rx Drop : 0
Pkts Tx Drop : 7192 Pkts Rx Drop : 0 (TLS only) 
       Pkts Tx Drop : 0 Pkts Rx Drop : 0
       Pkts Tx Drop : 7192 Pkts Rx Drop : 0

...

don't think vpn-idle-time is the TLS drop reason, since keep increase after remote client in even less than 5 mins and nothing in client message history about drops.

any news about this issue ?

no good news yet, thank you

How can we capture the DTLS dead? if from wireshark?  why didn't see from client end never DTLS tunnel off in log even set DPD into 5 seconds

https://detailed.wordpress.com/2018/08/09/capture-anyconnect-vpn-traffic-in-wireshark/

If you use same PC for VPN and Wireshark then see above link

...

check this bug it explain the timeout and drop packet.
CSCsm15079

I need the following

1- idle timeout

2 session timeout 

3- keep alive interval

4- dpd interval

5-show sessiondb Anyconnect detail 

still waiting your reply ?

Review Cisco Networking for a $25 gift card