01-08-2019 01:15 PM
Hi guys,
I need somebody smarter than me who might figure out my issue. I have two sites, one central and one remote (my home). Both are using Cisco ASA appliances (an ASA5520 in the center that might soon be replaced with a 5516X, and a 5506X in the remote site). Before the 5506 I had a 5505 in the remote site. Also, I had another change in the remote site: I have replaced the U-verse service from 20Mbps to 40Mbps and they replaced the gateway too. The ASA is placed in the DMZ+ zone and is taking the public IP from the AT&T gateway. I do not have a static IP on the remote site, so I am using Cisco AnyConnect to establish the tunnels. I am also running a DDNS client to find the IP of the remote site.
Now, with the old similar setup (5505, old AT&T gateway) I could connect from one site to another without an issue, and I was running ThinLinc to access Linux computers, or Remote Desktop if the computer had Windows. After the changes in the remote site ... it is behaving very strangely. The Internet connection from the remote site works fine and I can start and use a VPN tunnel from there to the central site (or another remote site) without an issue. I can also use ThinLinc or RD to connect to the computers when ssh is not enough.
But, if I try to do the same from a computer in the central location towards the remote one, I can start the tunnel all right, I can ping the remote computers and I can even connect with ThinLinc to a Linux workstation on the remote site. But the connection is so slow it takes minutes to update the screen. I talked to the guys at Cendio; they told me to test the web-access connection and, if that works, the issue is with the SSH. I did test it and it works. Then, I used Wireshark to see what is happening. As expected, I am getting a lot of packets with "[TCP Retransmission] Encrypted response packet len=1354" or "[TCP Retransmission] [TCP Segment of a reassembled PDU]". And it says they are coming from the SSH. Sometimes I see a [TCP Dup ACK].
I can ssh into the remote computer (it takes a little bit to accept me but after that it is OK) and I have remotely installed iperf3. I tested the speed over the VPN tunnel and it shows what I expected: 10/20Mbps per direction, which are the max upload speeds for each site. I have also installed Wireshark on the remote computer. I see now and then the TCP Dup ACK messages, no retransmission messages though. But, the surprise was that suddenly the ThinLinc connection was back to working fine! I can still see the TCP retransmission lines in Wireshark, but they go away quickly and I can work as usual with CAD software (Cadence Virtuoso) on the remote computer. But the moment I close Wireshark on the remote computer I am getting the same problem: it gets stuck in "retransmission" and the screen refresh in ThinLinc takes minutes.
Another thing I have tried is to connect to a Windows machine on the remote site from my Linux computer in the central site. I am using xfree for that. It connects fine. Again, while I have this connection, I can use ThinLinc just fine (and this time there are three computers involved: the Linux one in the central location from where I start the VPN, and the Windows and Linux computers in the remote site).
I have also tried to connect (AnyConnect + ThinLinc) from my Windows laptop in the central location to the remote computers and ThinLinc just crashes; I guess the timeout set in the Windows version of the ThinLinc client is very low.
The computer on the central site has CentOS 6 installed. On the remote site I have one CentOS 6 and one CentOS 7 workstation; both are behaving the same way. My guess is that the issue is not related to the remote computer but is an issue with SSH over the VPN tunnel. If I am in the remote site I can connect just fine with ThinLinc from a Windows computer to any of the Linux workstations, so I think I can eliminate any hardware/cable issues.
The very strange thing, in my opinion, is that the connection gets way better if I have another connection between the computer in the central location and another one in the remote site. Not every combination works though: if I try to connect to a ThinLinc session on the second Linux workstation on the remote site, both sessions are slow.
Anybody with an idea about how to figure out the cause of this issue will have my gratitude :-)
Thanks,
Mugurel
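One way to put numbers on what Wireshark is showing, as an added example that is not part of the original post: the script below reads a per-packet text export and tallies retransmissions and duplicate ACKs per flow and per direction, so the SSH flow can be compared against the RDP flow and against the reverse direction of the same connection. It assumes the capture was exported with tshark as comma-separated fields (frame number, ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.len, tcp.analysis.retransmission, tcp.analysis.duplicate_ack) with the two analysis flags non-empty when set; that field list and the embedded sample lines are constructed for the example, not taken from the thread's captures.

```python
"""Per-flow retransmission / duplicate-ACK summary from a tshark field export.

Added example for this thread, not from the original post. Assumed export
command (one comma-separated line per packet, analysis flags non-empty when
set):
  tshark -r cap.pcap -T fields -E separator=, -e frame.number -e ip.src \
    -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.len \
    -e tcp.analysis.retransmission -e tcp.analysis.duplicate_ack
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: an SSH flow (port 22) retransmitting full-size 1354-byte
# segments, a clean reverse direction with one dup ACK, and a clean RDP flow.
SAMPLE_EXPORT = """\
1,10.0.0.5,192.168.1.20,51234,22,1354,,
2,192.168.1.20,10.0.0.5,22,51234,0,,
3,10.0.0.5,192.168.1.20,51234,22,1354,1,
4,192.168.1.20,10.0.0.5,22,51234,0,,1
5,10.0.0.5,192.168.1.20,51234,22,1354,1,
6,10.0.0.5,192.168.1.20,51234,22,64,,
7,10.0.0.5,192.168.1.20,51240,3389,800,,
8,192.168.1.20,10.0.0.5,3389,51240,1200,,
"""

# (src, sport, dst, dport): one direction of one TCP connection.
FlowKey = Tuple[str, int, str, int]


@dataclass
class FlowStats:
    packets: int = 0
    payload_bytes: int = 0
    retransmissions: int = 0
    dup_acks: int = 0
    retrans_lengths: List[int] = field(default_factory=list)

    def retrans_rate(self) -> float:
        """Fraction of this direction's packets flagged as retransmissions."""
        return self.retransmissions / self.packets if self.packets else 0.0

    def max_size_share(self) -> float:
        """Share of retransmitted segments that are the largest retransmitted size.
        Close to 1.0 means only full-size segments are being resent."""
        if not self.retrans_lengths:
            return 0.0
        biggest = max(self.retrans_lengths)
        return sum(1 for n in self.retrans_lengths if n == biggest) / len(self.retrans_lengths)


def parse_export(text: str) -> Dict[FlowKey, FlowStats]:
    """Aggregate the export into per-direction flow statistics."""
    flows: Dict[FlowKey, FlowStats] = defaultdict(FlowStats)
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 8:
            raise ValueError(f"expected 8 fields, got {len(parts)}: {line!r}")
        _frame, src, dst, sport, dport, tcp_len, retrans, dupack = parts
        stats = flows[(src, int(sport), dst, int(dport))]
        length = int(tcp_len) if tcp_len else 0
        stats.packets += 1
        stats.payload_bytes += length
        if retrans:  # any non-empty value means tshark set the flag
            stats.retransmissions += 1
            stats.retrans_lengths.append(length)
        if dupack:
            stats.dup_acks += 1
    return dict(flows)


def worst_flows(flows: Dict[FlowKey, FlowStats], limit: int = 5):
    """Flows ranked by retransmissions, then duplicate ACKs, worst first."""
    ranked = sorted(flows.items(),
                    key=lambda kv: (kv[1].retransmissions, kv[1].dup_acks),
                    reverse=True)
    return ranked[:limit]


def format_report(flows: Dict[FlowKey, FlowStats]) -> str:
    lines = []
    for (src, sport, dst, dport), st in worst_flows(flows):
        lines.append(
            f"{src}:{sport} -> {dst}:{dport}  pkts={st.packets} bytes={st.payload_bytes} "
            f"retrans={st.retransmissions} ({st.retrans_rate():.0%}) dupack={st.dup_acks} "
            f"full-size share of retrans={st.max_size_share():.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(parse_export(SAMPLE_EXPORT)))
```

Run it against an export from each side of the tunnel (the central-site client and the remote workstation) and compare: if the only flow retransmitting is the SSH one and it resends only full-size segments while small segments and the reverse direction are clean, that pattern is worth checking against the MSS and MTU of the tunnel before suspecting the hosts; if retransmissions are spread across sizes and across the RDP flow too, it points at loss on the path instead.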