on 12-14-2016 10:41 PM
Difference
DTLS is used for delay-sensitive applications (voice and video) because it is UDP based, while TLS is TCP based.
DTLS is supported for AnyConnect VPN, not for IKEv2.
How it works?
How Data is Forwarded?
What about Idle timeout?
Configuration
DTLS is enabled by default, but you can enable or disable it using the CLI.
It can be enabled/disabled per interface terminating AnyConnect VPN:
webvpn
enable if-name tls-only
Also, you can enable/disable DTLS at the Group Policy level:
webvpn
dtls port 443
!
group-policy custom_group_policy attributes
wins-server none
dns-server value 10.170.7.99 10.170.7.100
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value sslvpn_split_tunnel
default-domain value shelfdrilling.com
split-dns none
split-tunnel-all-dns enable
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1420
anyconnect profiles value sslvpnfromrdpprofile type user
customization value ShelfDrilling-Customization
always-on-vpn profile-setting
Very good explanation. Thanks.
hello,
I want to ask: what if the host's NIC physical MTU is changed to 576? Would the AnyConnect client adopt 576 as the MTU for both TLS and DTLS (assuming the VPN gateway's configured MTU is bigger, e.g. anyconnect mtu 1300)?
- Therefore, there is a packet-drop period between DTLS failing and DPD triggering/detection. During this time, the AnyConnect client will be forwarding packets over DTLS, but they will be lost because DTLS is unhealthy.
What is the time period for the DPD? Is it configurable or is it fixed?
Why are all AnyConnect users connecting with the TLS protocol, while 2-4 members are using the DTLS protocol when they connect?
What are the things that affect this behaviour?
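Added example, not part of the original post or of any Cisco tool: a small Python script that reads the output of `show vpn-sessiondb anyconnect` on the ASA and reports which sessions negotiated a DTLS tunnel and which are running TLS only. It serves both the Configuration section above (verifying that `anyconnect ssl dtls enable` and `dtls port 443` actually result in DTLS sessions) and the question above about some users landing on DTLS while others stay on TLS. The sample output embedded below is constructed for this example in the style of the ASA command; the exact column layout on a given software version is an assumption, so adjust the regular expressions if your output differs. Since DTLS runs over UDP to the port set by `dtls port`, a user who stays on TLS-only is usually on a path where UDP to that port is blocked or filtered, and this report is the quickest way to spot that population.

```python
import re

# Constructed sample in the style of `show vpn-sessiondb anyconnect` on an ASA.
# This is an illustrative format, not output captured from a real device.
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 12
Assigned IP  : 10.170.8.21            Public IP    : 203.0.113.10
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256  DTLS-Tunnel: (1)AES256
Group Policy : custom_group_policy    Tunnel Group : sslvpn
Duration     : 0h:42m:10s

Username     : bob                    Index        : 13
Assigned IP  : 10.170.8.22            Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES256
Group Policy : custom_group_policy    Tunnel Group : sslvpn
Duration     : 0h:05m:02s
"""


def parse_sessions(text):
    """Split the show output into one record per session.

    Each record carries the username, the assigned and public IPs, and the
    list of tunnel types the client negotiated (taken from the Protocol line).
    """
    sessions = []
    current = None
    for line in text.splitlines():
        m = re.match(r"Username\s*:\s*(\S+)", line)
        if m:
            current = {"username": m.group(1), "assigned_ip": None,
                       "public_ip": None, "protocols": []}
            sessions.append(current)
            continue
        if current is None:
            continue  # header lines before the first session
        m = re.match(r"Assigned IP\s*:\s*(\S+)\s+Public IP\s*:\s*(\S+)", line)
        if m:
            current["assigned_ip"], current["public_ip"] = m.group(1), m.group(2)
            continue
        m = re.match(r"Protocol\s*:\s*(.+)", line)
        if m:
            current["protocols"] = m.group(1).split()
    return sessions


def classify(sessions):
    """Group usernames by whether a DTLS-Tunnel was negotiated.

    A session listing SSL-Tunnel but no DTLS-Tunnel is carrying all traffic
    over TCP (TLS only), which is the fallback when UDP to the DTLS port is
    unreachable from the client's network.
    """
    result = {"dtls": [], "tls_only": []}
    for s in sessions:
        if "DTLS-Tunnel" in s["protocols"]:
            result["dtls"].append(s["username"])
        elif "SSL-Tunnel" in s["protocols"]:
            result["tls_only"].append(s["username"])
    return result


def tls_only_public_ips(sessions):
    """Public IPs of TLS-only sessions: candidates for a UDP-blocking path."""
    return [s["public_ip"] for s in sessions if "DTLS-Tunnel" not in s["protocols"]]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    summary = classify(sessions)
    print("DTLS sessions    :", ", ".join(summary["dtls"]) or "-")
    print("TLS-only sessions:", ", ".join(summary["tls_only"]) or "-")
    print("TLS-only sources :", ", ".join(tls_only_public_ips(sessions)) or "-")
```

Feed it the real command output (for example, saved from the terminal or pulled over SSH) instead of the constructed sample; a large TLS-only population from the same public IP ranges points at a firewall or NAT device on that path dropping UDP to the DTLS port rather than at anything in the group policy.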