01-28-2021 06:45 PM
AnyConnect remote access to multiple-location headend VPNs: when users from different locations reach multiple DC servers, they get application errors randomly, especially after the application has been up a long time with large searches on the users' PCs. It is hard to capture the error, whether from the remote users' end or the DC servers' end; we only see disconnection logs from Splunk. Once changed to TLS only, there is no more issue, but speed is slower than with DTLS/TLS both. We also found the FPR 4125 worse than the ASA 5585, and changing DPD from the default 30 seconds to 10 seconds does not seem to help much. Question: when the DTLS tunnel detects a failure and automatically transfers to the TLS tunnel, can that cause this kind of disconnection? The Cisco tech with us did a lot of captures, but they never seemed successful. We need a brainstorm to troubleshoot; please share your ideas. Thanks!
02-06-2021 12:39 PM
Also, with TLS only we get drops on TLS; with TLS/DTLS the drops are always 0 (our old VPN ASA 5585 had no drops on TLS at all with the same config, but the 4125 with port-channel does). Not sure whether the PO may cause this problem?
sh vpn-sessiondb det anyconnect | i Drop
sh vpn-sessiondb det anyconnect | i Drop
Pkts Tx Drop : 21152 Pkts Rx Drop : 0 (TLS only)
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 21152 Pkts Rx Drop : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0 (DTLS/TLS both )
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 0 Pkts Rx Drop :
Pkts Tx Drop : 11480 Pkts Rx Drop : 0 (TLS only)
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 11480 Pkts Rx Drop : 0
Pkts Tx Drop : 18816 Pkts Rx Drop : 0 (TLS only)
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 18816 Pkts Rx Drop : 0
Pkts Tx Drop : 7192 Pkts Rx Drop : 0 (TLS only)
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Pkts Tx Drop : 7192 Pkts Rx Drop : 0
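The TLS-only versus DTLS/TLS comparison above can be pulled out of the full `show vpn-sessiondb detail anyconnect` output automatically instead of by eye. The script below is an added example, not code from this thread or from Cisco; it assumes the ASA detail layout (a `Username :` line per session and `AnyConnect-Parent:` / `SSL-Tunnel:` / `DTLS-Tunnel:` section headers) and runs on a constructed sample, not a real capture.

```python
import re

# Constructed sample of `show vpn-sessiondb detail anyconnect` output (not a
# real capture): one TLS-only session with SSL-Tunnel Tx drops and one
# DTLS/TLS session with none. Field layout follows the ASA detail format.
SAMPLE = """\
Username     : alice                  Index        : 12
AnyConnect-Parent:
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
SSL-Tunnel:
  Pkts Tx Drop : 21152                  Pkts Rx Drop : 0
Username     : bob                    Index        : 13
AnyConnect-Parent:
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
SSL-Tunnel:
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
DTLS-Tunnel:
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
"""

USER_RE = re.compile(r"^Username\s*:\s*(\S+)")
TUNNEL_RE = re.compile(r"^(AnyConnect-Parent|SSL-Tunnel|DTLS-Tunnel):\s*$")
DROP_RE = re.compile(r"Pkts Tx Drop\s*:\s*(\d+)\s+Pkts Rx Drop\s*:\s*(\d+)")

def parse_sessions(text):
    """Return {username: {tunnel: (tx_drop, rx_drop)}} from detail output."""
    sessions, user, tunnel = {}, None, None
    for line in text.splitlines():
        if m := USER_RE.match(line):          # new session block starts
            user, tunnel = m.group(1), None
            sessions[user] = {}
        elif m := TUNNEL_RE.match(line.strip()):  # per-tunnel section header
            tunnel = m.group(1)
        elif (m := DROP_RE.search(line)) and user and tunnel:
            sessions[user][tunnel] = (int(m.group(1)), int(m.group(2)))
    return sessions

def flag_tls_drops(sessions):
    """Sessions with SSL-Tunnel Tx drops, tagged TLS-only vs DTLS present."""
    out = []
    for user, tunnels in sessions.items():
        tx, _ = tunnels.get("SSL-Tunnel", (0, 0))
        if tx:
            mode = "DTLS/TLS" if "DTLS-Tunnel" in tunnels else "TLS only"
            out.append((user, mode, tx))
    return out

if __name__ == "__main__":
    for user, mode, tx in flag_tls_drops(parse_sessions(SAMPLE)):
        print(f"{user}: {tx} SSL-Tunnel Tx drops ({mode})")
```

Run it twice a few minutes apart on the same output and diff the results to confirm the counters keep climbing on TLS-only sessions, as the post above reports.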
02-06-2021 01:12 PM - edited 02-07-2021 10:53 AM
...
02-07-2021 10:33 AM
I don't think vpn-idle-time is the reason for the TLS drops, since the counter keeps increasing after the remote client has been in for even less than 5 minutes, and there is nothing in the client message history about drops.
02-14-2021 08:01 AM
Any news about this issue?
02-15-2021 09:20 AM
No good news yet, thank you.
02-15-2021 09:25 AM
How can we capture the DTLS dead? From Wireshark? Why did we never see the DTLS tunnel go off in the log from the client end, even with DPD set to 5 seconds?
02-15-2021 03:17 PM
https://detailed.wordpress.com/2018/08/09/capture-anyconnect-vpn-traffic-in-wireshark/
If you use the same PC for VPN and Wireshark, then see the above link.
02-07-2021 09:17 AM - edited 02-08-2021 07:14 AM
...
02-08-2021 07:16 AM
Check this bug; it explains the timeout and dropped packets.
CSCsm15079
02-16-2021 02:32 PM
I need the following:
1- idle timeout
2- session timeout
3- keepalive interval
4- DPD interval
5- show sessiondb anyconnect detail
02-21-2021 07:45 AM
Still waiting for your reply?