02-13-2024 07:17 AM
Running into an issue with AnyConnect and OKTA SAML with a 90 second delay between authenticating and actually establishing the connection. Initial login/redirect/MFA is quick, then the client shows "establishing connection.." and 90 seconds later (give or take) the connection establishes and the user can pass traffic.
DART logs show the below which clearly shows a long delay between "Retrieving device details from cache" and "received VPN session Configuration settings." 14:23:14 > 14:24:54 or right at 90 seconds.
Note we have other profiles not using SAML that have never had this issue, so I'm simply not sure what would cause this. Logs on the OKTA side show everything happening within a couple seconds, so I attribute this to something on the ASA/FP side, but what, I don't know.
Date : 02/09/2024
Time : 14:23:14
Type : Information
Source : acvpnagent
Description : Function: CCstpProtocol::startHTTPNegotiation
File: c:\temp\build\thehoff\phoenix_mr70.316886046509\phoenix_mr7\vpn\agent\cstpprotocol.cpp
Line: 1026
Proposed base MTU is 1500.
******************************************
Date : 02/09/2024
Time : 14:23:14
Type : Information
Source : acvpnagent
Description : Function: DeviceIDInfo::getDeviceDetailsFromCache
File: c:\temp\build\thehoff\phoenix_mr70.316886046509\phoenix_mr7\vpn\common\utility\deviceid.cpp
Line: 304
Retrieving device details from cache
******************************************
Date : 02/09/2024
Time : 14:24:54
Type : Information
Source : acvpnagent
Description : Current Profile: client-profile.xml
Received VPN Session Configuration Settings:
Keep Installed: enabled
Rekey Method: disabled
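One way to locate a stall like this in a DART export, as an added example that is not part of the original thread or of Cisco's tooling: it parses entries in the layout shown in the excerpt above and reports silent periods between consecutive entries. The function names and the 30-second threshold are this example's own assumptions, and the sample input is abridged from the excerpt.

```python
import re
from datetime import datetime

# Abridged from the DART excerpt in the post above (Type/File/Line fields omitted).
SAMPLE = """\
Date : 02/09/2024
Time : 14:23:14
Source : acvpnagent
Description : Function: CCstpProtocol::startHTTPNegotiation
Proposed base MTU is 1500.
******************************************
Date : 02/09/2024
Time : 14:23:14
Source : acvpnagent
Description : Function: DeviceIDInfo::getDeviceDetailsFromCache
Retrieving device details from cache
******************************************
Date : 02/09/2024
Time : 14:24:54
Source : acvpnagent
Description : Current Profile: client-profile.xml
Received VPN Session Configuration Settings:
"""

FIELD = re.compile(r"^(Date|Time|Source|Description)\s*:\s*(.*)$", re.M)

def parse_entries(text):
    """Split on the asterisk separator lines; return (timestamp, source, description)."""
    entries = []
    for block in re.split(r"^\*{5,}\s*$", text, flags=re.M):
        fields = {}
        for key, value in FIELD.findall(block):
            fields.setdefault(key, value.strip())  # keep first occurrence per entry
        if "Date" not in fields or "Time" not in fields:
            continue  # skip empty or truncated blocks
        when = datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %H:%M:%S")
        entries.append((when, fields.get("Source", "?"), fields.get("Description", "")))
    return entries

def find_gaps(entries, threshold_s=30):
    """Return (seconds, before, after) for each silent period of threshold_s or more."""
    ordered = sorted(entries, key=lambda e: e[0])  # stable: same-second entries keep order
    pairs = zip(ordered, ordered[1:])
    return [(int((b[0] - a[0]).total_seconds()), a, b) for a, b in pairs
            if (b[0] - a[0]).total_seconds() >= threshold_s]

if __name__ == "__main__":
    for seconds, before, after in find_gaps(parse_entries(SAMPLE)):
        print(f"{seconds}s silent after [{before[1]}] {before[2]!r}, until {after[2]!r}")
```

The entry on each side of a reported gap shows which client step the agent was waiting in, which is the point to line up against head-end logs covering the same window.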
03-12-2024 12:02 PM
I had the same 90 second delay loading details from cache issue. However, we were using RADIUS back to an NPS server. Enabling dynamic authorization and interim account update resolved our slow connection time and it now connects in seconds versus the 90-120 seconds it took before. Not sure if that will help in your case though.
06-21-2025 05:12 PM
I am seeing this same 90+ seconds Secure Client VPN connection issue using FTD 7.7.0-89 and Duo SAML authentication. Duo MFA works just fine and successfully authenticates the user. But the VPN client gets stuck on "Establishing VPN ......" state for about 90+ seconds before finally connecting. Very strange. Any thoughts?
06-25-2025 06:02 PM
If you're experiencing a 90+ second delay during Secure Client VPN connection with FTD 7.7.0-89 and Duo SAML authentication — where Duo MFA completes successfully but the client gets stuck at "Establishing VPN..." — one possible cause could be related to IP address assignment.
In some cases, the tunnel-group may be configured with both a DHCP server and a local address pool. This setup can lead to delays if the DHCP server takes too long to respond, causing the client to wait until the timeout before falling back to the local pool.
To isolate this behaviour, try removing the DHCP server from the tunnel-group and use only the local address pool for IP assignment. After making this change, the connection should establish much faster on both Mac and Windows clients.
If this helps, continue troubleshooting on the DHCP server side to identify why it's responding slowly — check reachability, performance, relay settings, and ensure there are no latency or configuration issues affecting DHCP responses.
Hope this helps!
06-26-2025 05:14 PM
From the DART logs you shared (between 14:23:14 and 14:24:54), I didn’t see any other messages. Could you please confirm if that’s the complete log? Also, is it possible for you to share the tunnel-group and group-policy configurations? If Auth 2.0 is not enabled, do we still observe the same issue?