SQL query causing application to time out via AnyConnect (ASA - AWS VPN)

PacketSpartan
Level 1

Our customer has an IPsec VPN to AWS (VTI with IKEv2). Whenever the users connect via AnyConnect to reach the application in AWS, they seem to have issues when running a big query on their client. When the users run a simple query (SQL, port 1521) there are no issues at all; however, when they run a large query, the client software freezes up and stops responding.

We tried to replicate the issue:

- The laptop users on the LAN are fine

- Running the same query on the servers is fine (on the test software)

- Checked Windows 10/7 

- Checked against a custom-build and a domain-build laptop

The issue only occurs when connected via AnyConnect.

Under our service policy, I can see that we're inspecting SQL. Could this be causing the issue? Is it worth disabling the inspection just for the AnyConnect subnet?

Inspect: sqlnet, packet 621255, lock fail 0, drop 0, reset-drop 0, 5-min-pkt-rate 0 pkts/sec, v6-fail-close 0 sctp-drop-override 0

Can you guys help? 

CCNA R&S
4 Replies

Hi,

Try to disable DTLS on your AnyConnect to force TLS. SQL queries over UDP
are a bad design because of the connectionless nature of UDP.

***** please remember to rate useful posts

PacketSpartan
Level 1

Hi Baqari,

Thank you for your reply. Will disabling DTLS have any impact on other applications? I am currently in the process of setting up a separate policy to test this.

webvpn
url-list none
filter none
homepage none
port-forward disable
http-proxy disable
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect keep-installer installed
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules none
anyconnect profiles value xxxxx Profile type user
anyconnect ask none default webvpn
customization value DfltCustomization
keep-alive-ignore 4
http-comp gzip
user-storage none
storage-objects value credentials,cookies
storage-key none
vdi none
hidden-shares none
smart-tunnel disable
activex-relay enable
file-entry enable
file-browsing enable
url-entry enable
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
smart-tunnel auto-signon disable
anyconnect ssl df-bit-ignore disable
anyconnect routing-filtering-ignore disable
smart-tunnel tunnel-policy tunnelall
always-on-vpn profile-setting

CCNA R&S

Hi,

Not on data. Voice over AnyConnect might be impacted depending on the
network at the remote client. In the majority of cases there is no impact either.


***** please remember to rate useful posts

@Mohammed al Baqari 

- So far we have disabled DTLS on the new AnyConnect group policy

- Also disabled the SQL inspection for traffic sourced from our AnyConnect subnet

After disabling the inspection, we're able to run big queries, but now the SQL application on the user's machine times out.

Is there anything else I can check and try?

policy-map global_policy
description flow_export_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class cmap-xxxx-http
inspect scansafe pmap-xxxx-http fail-open
class cmap-xxxx-https
inspect scansafe pmap-xxxx-securehttp fail-open
class QOS_cmap
priority
class cmap-xxxx-das
set connection timeout idle 1:00:00 dcd 0:15:00 5
class firepower_cmap
sfr fail-open
class global-class
flow-export event-type all destination 10.71.11.1
class SQL_INSPECT_cmap
inspect sqlnet

==============================

class-map SQL_INSPECT_cmap
match access-list SQL_INSPECT

===================================

access-list SQL_INSPECT extended deny tcp x.x.x.x 255.255.255.0 host x.x.x.x
access-list SQL_INSPECT extended permit tcp any any

CCNA R&S
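The two changes discussed in this thread (forcing TLS instead of DTLS, and exempting the AnyConnect pool from sqlnet inspection) written out as one ASA configuration fragment. This is an added example, not configuration from the original poster or from Cisco; the pool 10.10.10.0/24, the database host 10.20.30.40, the group-policy name GP_ANYCONNECT_TLS and the interface/object names are assumptions chosen for illustration. One thing worth noting from the ACL the poster shared: its final line is `permit tcp any any`, so every TCP flow that does not hit the deny line is classified for sqlnet inspection, not just Oracle traffic; the example below scopes the match to the Oracle listener port (1521, which the ASA also accepts as the keyword `sqlnet`) so the inspection engine only ever sees the protocol it is meant to parse.

```cisco
! --- AnyConnect address pool (assumed value) ---
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Group policy that disables DTLS so the tunnel falls back to TCP/TLS ---
! The group policy posted in the thread has "anyconnect ssl dtls enable";
! "none" is the keyword that turns DTLS off for this policy only.
group-policy GP_ANYCONNECT_TLS internal
group-policy GP_ANYCONNECT_TLS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT_POOL
 webvpn
  anyconnect ssl dtls none
  anyconnect mtu 1406
  anyconnect ssl keepalive 20
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30

! --- sqlnet inspection scoped to the Oracle listener port only ---
! Deny = "do not inspect" for traffic sourced from the AnyConnect pool;
! permit = inspect. Matching on eq 1521 keeps unrelated TCP (HTTP, RDP,
! file shares) out of the sqlnet engine entirely.
access-list SQL_INSPECT extended deny tcp 10.10.10.0 255.255.255.0 host 10.20.30.40 eq 1521
access-list SQL_INSPECT extended permit tcp any any eq 1521

class-map SQL_INSPECT_cmap
 match access-list SQL_INSPECT

policy-map global_policy
 class SQL_INSPECT_cmap
  inspect sqlnet

service-policy global_policy global

! --- Verification after the change ---
! Confirm the pool traffic is no longer counted by the inspection engine
! (the "packet" counter in the thread came from this command):
!   show service-policy inspect sqlnet
! Confirm the session is TLS-only (the DTLS tunnel should be absent):
!   show vpn-sessiondb detail anyconnect
! Check whether the large query is being reset or dropped on the firewall:
!   show asp drop
!   show conn address 10.20.30.40 port 1521 detail
```

The `show conn ... detail` output is the quickest way to tell the two failure modes in the thread apart: a connection that disappears early, with a matching counter increment in `show asp drop`, points at the firewall (inspection or an idle/half-closed timeout such as the `set connection timeout` line in the posted policy), whereas a connection that stays up while the client sits at its own timeout points at path MTU or fragmentation inside the tunnel, which is why the `anyconnect mtu` value is kept in the fragment above rather than removed.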